Closed Bug 575773 Opened 14 years ago Closed 14 years ago

Intermediate certificate rejected as unknown

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: ishermandom+bugs, Unassigned)

References

(
URL
)

Details

When I visit https://shop.rcn.com in Firefox*, the certificate is rejected because the issuer is unknown.  When I visit the same website in Chrome, the certificate is accepted.  Chrome recognizes that the intermediate issuer -- "VeriSign Class 3 Secure Server CA" -- is itself signed by the VeriSign root certificate "Class 3 Public Primary Certification Authority".

I'm not sure whether this is because Chrome simply has the intermediate certificate pre-installed, or because Chrome is able to figure things out on the fly.  Whichever it is, we should probably support this certificate as well; in the end, it is legitimately signed by VeriSign.

*Sometimes this redirects back to http -- not sure what determines whether it redirects...
The server must always deliver the intermediate certificate. 
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

I don't know what chrome is doing but maybe you visited a site that delivered the intermediate cert correctly before you used that server ?
I think chrome is using the windows certificate database and that could mean that you had the intermediate certificate from IE.

Gecko stores such certs in the db, visiting a working site with the same certificate once and you will never get the error on other broken servers.

This is not the first bug about the same issue, just search for intermediate in Core:PSM

marking invalid, broken server setup
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.