Intermediate certificate rejected as unknown

RESOLVED INVALID

Status

Core
Security: PSM
8 years ago

People

(Reporter: Ilya Sherman, Unassigned)

Description

8 years ago
When I visit https://shop.rcn.com in Firefox*, the certificate is rejected because the issuer is unknown.  When I visit the same website in Chrome, the certificate is accepted.  Chrome recognizes that the intermediate issuer -- "VeriSign Class 3 Secure Server CA" -- is itself signed by the VeriSign root certificate "Class 3 Public Primary Certification Authority".

I'm not sure whether this is because Chrome simply has the intermediate certificate pre-installed, or because Chrome is able to figure things out on the fly.  Whichever it is, we should probably support this certificate as well; in the end, it is legitimately signed by VeriSign.

*Sometimes this redirects back to http -- not sure what determines whether it redirects...

The server must always deliver the intermediate certificate.
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

I don't know what Chrome is doing, but maybe you visited a site that delivered the intermediate cert correctly before you used that server?
I think Chrome is using the Windows certificate database, and that could mean that you had the intermediate certificate from IE.

Gecko stores such certs in the db; visit a working site with the same certificate once and you will never get the error on other broken servers.

This is not the first bug about the same issue; just search for intermediate in Core:PSM.

Marking invalid, broken server setup.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID