Why isn't DigiCertSecureServerCA.crt included with a fresh install of Firefox? I had a brand new Windows 7 machine, installed the latest version of Firefox and still had issues getting to websites that have DigiCert certificates.
All Replies (2)
Hello kenaross, DigiCert Secure Server CA is a so-called intermediary certificate which isn't supposed to be placed in the browser's trust store - these are issued by a root certificate authority which is trusted in a browser.
What should happen normally is that the site you're accessing provides a path from its own certificate to the intermediate and then to the root certificate authority. If this is done once correctly for an intermediate CA, such as DigiCert Secure Server CA, Firefox will remember this particular intermediate certificate for future use.
If you're getting the SEC_ERROR_UNKNOWN_ISSUER error code on a fresh install when trying to access a certain site, it's likely that they have not implemented the necessary chain of certificates properly. You could test that yourself at https://www.ssllabs.com/ssltest/ and should probably report it to the webmasters of the site in question.
The world is full of certificates that are not built-in/pre-trusted by Firefox...
Like many others, Firefox handles that particular certificate as an intermediate certificate, and expects web servers that use certificates signed by that certificate to send it to the browser as part of the chain of trust up to the root.
If the site does that, and it checks out, Firefox will remember it. (See attached screen shot as an example.)
This is a useful diagnostic tool to check whether a site is sending the intermediate certificates: http://www.networking4all.com/en/support/tools/site+check/
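The behaviour both replies describe can be reproduced offline. The following is an added example, not part of the original thread: it uses the OpenSSL command line (not Firefox's own NSS library) to model a fresh profile that trusts only the root and has no remembered intermediates. All certificate names and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every subject name and file below is constructed.
set -eu

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Constructed $n" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root: the only certificate the "browser" trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Site (leaf) certificate, issued by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [SENT_INTERMEDIATES]
# Succeeds only if LEAF chains to the trusted ROOT using nothing beyond the
# intermediates the server sent (passed as untrusted helper certificates).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"

if chain_ok "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
    echo "server sends intermediate: chain verifies"
fi
if ! chain_ok "$work/root.pem" "$work/leaf.pem"; then
    echo "server omits intermediate: issuer unknown to a fresh client"
fi
```

Against a real site, the certificates a server actually sends can be listed with `openssl s_client -connect HOST:443 -showcerts`, where HOST is a placeholder for the site being checked.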