PositiveSSL in Firefox sec_error_unknown_issuer fix

Email this to someoneTweet about this on TwitterShare on FacebookShare on Google+Print this page

PositiveSSL is signed by an intermediate certificate authorities whose certificate, however, is NOT stored in Firefox. If no issuer chain is provided, it will be considered as untrusted connection.

Update
Recently PositiveSSL has changed its issuer chain for newer cert transitioning to the stronger SHA-2 hashing algorithm and the example may be outdated.

Here is an example of an issuer chain.

To solve this problem, the intermediate certificate should be presented.

On SERVER side, when receiving yoursite.crt, a file named PositiveSSLCA2.crt ( or COMODORSADomainValidationSecureServerCA.crt & COMODORSAAddTrustCA.crt ) is also provided. Append its content to yoursite.crt and make a new .crt file.

Be careful that the order should not be reversed or it will fail with the private.key. Moreover, the option Chained Certificate should be set to yes if using LiteSpeed Web Server.

On CLIENT side, the intermediate certificate PositiveSSLCA2.crt ( or COMODORSADomainValidationSecureServerCA.crt & COMODORSAAddTrustCA.crt ) can be imported to firefox CA Certificate List, which is however NOT always recommended because the .crt file should be guaranteed original.

 

Jul 2, 2013 @ 00:00
Email this to someoneTweet about this on TwitterShare on FacebookShare on Google+Print this page

Leave a Reply

Your email address will not be published. Required fields are marked *

Please calculate * Time limit is exhausted. Please reload CAPTCHA.