A website wants to switch an SSL certificate from Network Solutions to Gandi. Everything seemed to be installed correctly except that there is an error being thrown in Firefox only. On Chrome and IE, there are no errors being thrown. It appears that there is something wrong with the certification path. I've tried a few things and Googled around but the problem won't go away. Any tips would be appreciated. Thank you in advance!
Steps attempted:
- Gandi Intermediate Certificate acquired from Gandi per instructions at http://wiki.gandi.net/en/ssl/intermediate (SHA2 Standard certificate)
- Added the Gandi Intermediate Certificate to the server (MMC > Certificates > Intermediate Certification Authorities > Certificates)
- USERTrust RSA Certification Authority Certificate acquired from SSL-Tools at https://ssl-tools.net/certificates/1y0ovx5-usertrust-rsa-certification-authority
- Added the USERTrust RSA Certification Authority Certificate to the server (MMC > Certificates > Trusted Root Certification Authorities > Certificates)
- Restarting IIS after every installation.
- Clearing local browser cache after every installation.
Firefox Error:
Technical Details
www.somedomain.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
Firefox 34 Certificate Hierarchy:
Gandi Standard SSL CA 2 > somedomain.org
Chrome 40 and Internet Explorer 11 Certification Path:
USERTrust > USERTrust RSA Certification Authority > Gandi Standard SSL CA 2 > somedomain.org
SSL Labs test results (https://www.ssllabs.com/ssltest/analyze.html):
Additional Certificates (if supplied)
- Certificates provided: 2 (2851 bytes)
- Chain issues: Incomplete
#2
- Subject: Gandi Standard SSL CA 2
- Fingerprint: 247106a405b288a46e70a0262717162d0903e734
- Valid until: Wed Sep 11 16:59:59 PDT 2024 (expires in 9 years and 8 months)
- Key: RSA 2048 bits (e 65537)
- Issuer: USERTrust RSA Certification Authority
- Signature algorithm: SHA384withRSA
Certification Paths
1. Sent by server: somedomain.org
   - Fingerprint: 0123456789012345678901234567890123456789
   - RSA 2048 bits (e 65537) / SHA256withRSA
2. Sent by server: Gandi Standard SSL CA 2
   - Fingerprint: 247106a405b288a46e70a0262717162d0903e734
   - RSA 2048 bits (e 65537) / SHA384withRSA
3. Extra download: USERTrust RSA Certification Authority
   - Fingerprint: eab040689a0d805b5d6fd654fc168cff00b78be3
   - RSA 4096 bits (e 65537) / SHA384withRSA
4. In trust store: AddTrust External CA Root (Self-signed)
   - Fingerprint: 02faf3e291435468607857694df5e45b68851868
   - RSA 2048 bits (e 65537) / SHA1withRSA
   - Weak or insecure signature, but no impact on root certificate
SSL-Tools test results (https://ssl-tools.net/webservers/):
Certificate chain
- somedomain.org (1054 days remaining, 2048 bit sha256WithRSAEncryption)
  - Gandi Standard SSL CA 2 (3537 days remaining, 2048 bit sha384WithRSAEncryption)
    - USERTrust RSA Certification Authority: root certificate unknown
Server:
- Windows Server 2008 R2
- IIS 7.5
Best Answer
'USERTrust RSA Certification Authority' is not recognized as a root CA on all platforms. So, the best option is to use it as an intermediate CA, having a certificate signed by 'AddTrust External CA Root'.
You can retrieve this certificate at http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
Proper installation (most accepted) of your certificate is:
Windows Server 2008 R2 automatically manages trusted certificates, so your server could get the following configuration:
When server sends the certificate it chooses the shortest path to root:
And that is an incomplete chain for most platforms.
If this is your problem, the best solution is to locate the 'USERTrust RSA Certification Authority' in the Root store and edit its Properties to 'Disable all purposes for this certificate'.
After you restart the server, Windows will always generate the desired chain:
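The following script is an added example, not part of the original question or answer, that reproduces the situation above with a throwaway PKI built by openssl. The names are constructed stand-ins: "Old Root" plays the part of AddTrust External CA Root (trusted everywhere), "New Root" plays USERTrust RSA Certification Authority (trusted as a root by some clients, cross-signed by Old Root for the rest), "Issuing CA" plays Gandi Standard SSL CA 2, and www.example.test is the site certificate. It assumes an openssl binary on the PATH; no network access is needed.

```shell
#!/bin/sh
# Added example (not from the original Q&A): build a small PKI that has the
# same shape as the AddTrust / USERTrust / Gandi chain and show why a server
# that sends only the issuing CA fails on clients that do not know New Root.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# gen_key_csr NAME "/CN=..." -> NAME.key and NAME.csr (constructed test names)
gen_key_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

build_demo_pki() {
    gen_key_csr oldroot "/CN=Old Root"
    gen_key_csr newroot "/CN=New Root"
    gen_key_csr issuing "/CN=Issuing CA"
    gen_key_csr leaf    "/CN=www.example.test"

    # Old Root: self-signed anchor that every client already has.
    openssl x509 -req -in oldroot.csr -signkey oldroot.key -days 3650 \
        -extfile ca.ext -out oldroot.pem 2>/dev/null

    # New Root, variant 1: self-signed (what newer trust stores ship).
    openssl x509 -req -in newroot.csr -signkey newroot.key -days 3650 \
        -extfile ca.ext -out newroot-self.pem 2>/dev/null
    # New Root, variant 2: the SAME key and subject, but signed by Old Root.
    # This is the cross-signed certificate the answer says to install.
    openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key \
        -CAcreateserial -days 3650 -extfile ca.ext -out newroot-cross.pem 2>/dev/null

    # Issuing CA signed with New Root's key: its issuer name matches BOTH variants,
    # so the path can end at either the self-signed or the cross-signed New Root.
    openssl x509 -req -in issuing.csr -CA newroot-self.pem -CAkey newroot.key \
        -CAcreateserial -days 3650 -extfile ca.ext -out issuing.pem 2>/dev/null

    # Site certificate.
    openssl x509 -req -in leaf.csr -CA issuing.pem -CAkey issuing.key \
        -CAcreateserial -days 365 -out leaf.pem 2>/dev/null

    # The two chains a server might send alongside the leaf.
    cat issuing.pem > chain-short.pem                   # what IIS was sending
    cat issuing.pem newroot-cross.pem > chain-full.pem  # what it should send
}

# verify_chain TRUST_STORE SENT_CHAIN LEAF -> prints OK or FAIL
verify_chain() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_demo_pki
echo "Client trusting Old Root only, short chain:             $(verify_chain oldroot.pem chain-short.pem leaf.pem)"
echo "Client trusting Old Root only, chain with cross-signed: $(verify_chain oldroot.pem chain-full.pem leaf.pem)"
echo "Client trusting New Root as a root, short chain:        $(verify_chain newroot-self.pem chain-short.pem leaf.pem)"
```

The first check is the Firefox case from the question (sec_error_unknown_issuer: the chain stops at an issuer the client does not have), the second is the chain SSL Labs expects the server to send, and the third is why Chrome and IE on a Windows machine that trusts New Root directly never showed a problem. The cross-signed certificate works as an extra link because it carries the same subject name and public key as the self-signed root, so a client that already trusts the root simply stops one link earlier.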