"Symantec Class 3 EV SSL CA - G2" intermediate Certificate Authority is not trusted by Firefox ?

''locking as duplicate of [https://support.mozilla.org/en-US/questions/1014430 /questions/1014430]''
Hello
We recently purchased a certificate from Symantec. Its intermediate authority is Symantec Class 3 EV SSL CA - G2, but Mozilla Firefox doesn't seem to trust it. Other browsers (IE and Chrome) have the certificate chain trusted. Is there a way to add this certificate chain in Firefox, because many of our clients using Firefox are complaining and asking about our site's security.

hello JKlecherov, firefox shouldn't give any error, when the intermediary certificate is properly linked to the root ca. please refer to symantec's documentation how to install it on your server or you can also use their tool at https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Similar Messages

  • Why do other browsers ( IE, Chrome, Opera,Safari) list StartCom Class 2 Primary Intermediate Server CA as a Trusted Intermediate Certification Authority but Firefox doesn't?

    We are setting up registrations for a paid event and have bought a SSL certificate for our site. Everything works fine when the registration page is accessed through IE, Chrome, Opera or Safari (which list StartCom Class 2 Primary Intermediate Server CA as a Trusted Intermediate Certification Authority), but when I click on that link in Firefox I get the "This Connection is Untrusted" page because only StartCom Class 1 is listed as trusted.
    Why is that?

    It is always the responsibility of a website to send the complete certificate chain.
    You can check the certificate chain of breastfeedingconference.asn.au and see that the server doesn't send the intermediate certificate.
    * http://www.networking4all.com/en/support/tools/site+check/

  • SSL Cert requiring intermediate CA chain breaks 10.5.8 caldavd?

    Mac OS X Server 10.5.8
    I just upgraded from a self-signed cert to a cert from StartCom, which requires use of an intermediate certificate on the server. I imported it using Server Admin. It and the intermediate cert are present in the /Library/Keychains/System.keychain and in /etc/certificates. Mail (Both postfix and cyrus) are happy with it. Apache is happy with it.
    caldavd, however, reports the following:
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding server at :8008
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding SSL server at :8443
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] Traceback (most recent call last):
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/bin/twistd", line 21, in <module>
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] run()
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 27, in run
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] app.run(runApp, ServerOptions)
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 379, in run
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] runApp(config)
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 23, in runApp
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] _SomeApplicationRunner(config).run()
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 157, in run
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.application = self.createOrGetApplication()
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 202, in createOrGetApplication
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ser = plg.makeService(self.config.subOptions)
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 754, in makeService
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] service = serviceMethod(options)
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 727, in makeService_Slave
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] passwdCallback=_getSSLPassphrase
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 423, in __init__
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] sslmethod=sslmethod
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/internet/ssl.py", line 79, in __init__
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.cacheContext()
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 437, in cacheContext
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ctx.use_certificate_chain_file(self.certificateChainFile)
    2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]
    But the key and the certificate do match, as confirmed by the other apps working fine and openssl x509/rsa -modulus.
    /etc/caldavd/caldavd.plist contains:
    <key>SSLAuthorityChain</key>
    <string>/etc/certificates/osxserver.example.com.chcrt</string>
    <key>SSLCertificate</key>
    <string>/etc/certificates/osxserver.example.com.crt</string>
    <key>SSLPort</key>
    <integer>8443</integer>
    <key>SSLPrivateKey</key>
    <string>/etc/certificates/osxserver.example.com.key</string>
    <key>ServerHostName</key>
    <string>osxserver.example.com</string>
    Using openssl I verified that those three files are, in fact, correct.
    If I remove the filename from the SSLAuthorityChain attribute, the server starts normally but, naturally, connections fail unless I add the intermediate certificate to the local client's keychain.
    Not sure where to go next. I haven't been able to check Server 10.6.1 yet.

    The point that it's breaking on is obviously an Apple modification because Twisted does not and has never supported loading intermediate CA certs from a chain file.
    http://twistedmatrix.com/trac/log/trunk/twisted/internet/ssl.py?rev=26525
    I would suggest creating a little test script that does what the caldavd file does. The related documentation is http://packages.python.org/pyOpenSSL/openssl-context.html
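
A test script along the lines suggested above, added here as an example (it is not caldavd's, Twisted's or either poster's code): using the `openssl` CLI it builds a constructed root, intermediate and leaf, shows that a client holding only the root rejects the leaf unless the intermediate is sent (the rule stated in the first thread's answer and the behaviour described for an empty `SSLAuthorityChain`), and checks which chain-file layout passes the key comparison the traceback ends in. It assumes the failing call behaves like OpenSSL's `SSL_CTX_use_certificate_chain_file`, which treats the first certificate in the file as the server's own; the CA names and file names are made up.

```shell
#!/bin/sh
# Added example; CA names and file names are constructed for the demonstration.

# issue DIR NAME SIGNER EXT_SECTION SUBJECT SERIAL: new key and CSR for NAME,
# then a certificate for it signed with SIGNER's key.
issue() {
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$5" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$6" -extfile "$1/ext.cnf" -extensions "$4" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

# Build root -> intermediate -> leaf in the empty directory $1.
make_pki() {
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:osxserver.example.com
EOF
  # Self-signed root: the only certificate the modelled client trusts.
  openssl req -x509 -config "$d/ext.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Constructed Root CA" -days 2 2>/dev/null || return 1
  issue "$d" int root v3_ca "/CN=Constructed Intermediate CA" 2 || return 1
  issue "$d" leaf int v3_leaf "/CN=osxserver.example.com" 3 || return 1
  # Two layouts an administrator might put behind a "chain file" setting.
  cp "$d/int.pem" "$d/chain-int-only.pem"                     # intermediates only
  cat "$d/leaf.pem" "$d/int.pem" > "$d/chain-leaf-first.pem"  # leaf, then issuer
}

# A client that trusts only the root. $2 (optional) is a PEM file holding the
# extra certificates the server sends along with its own.
client_verdict() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

# The comparison behind "key values mismatch": the FIRST certificate in the
# file ($1) must carry the public key that belongs to the private key ($2).
first_cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

w=$(mktemp -d) && make_pki "$w" && {
  echo "server sends leaf only:     client says $(client_verdict "$w")"
  echo "server sends intermediate:  client says $(client_verdict "$w" "$w/int.pem")"
  echo "chain-int-only.pem vs key:   $(first_cert_matches_key "$w/chain-int-only.pem" "$w/leaf.key")"
  echo "chain-leaf-first.pem vs key: $(first_cert_matches_key "$w/chain-leaf-first.pem" "$w/leaf.key")"
}
rm -rf "$w"
```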

  • Symantec Class 3 Secure Server CA - G4

    Even though I include this in the configuration profile, it still shows as not verified and the user always has to click Accept. I need to avoid that step using the configuration profiles for iPads.  The cert 'Symantec Class 3 Secure Server CA - G4' is not currently listed in the IOS list of trusted certs but that shouldn't matter because I'm installing it manually via configuration profile. So what else am I missing? The cert is installed but they still have to click accept when connecting to the SSID.
    iOS 8: List of available trusted root certificates - Apple Support

    Certificate:
      Data:
      Version: 3 (0x2)
      Serial Number:
      1f:35:ef:32:7c:44:07:34:8d:bd:9a:9e:e7:e2:1f:e7
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
      Validity
      Not Before: Jul 1 00:00:00 2014 GMT
      Not After : Jul 2 23:59:59 2015 GMT
      Subject: <redacted>
      Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Exponent: 65537 (0x10001)
      X509v3 extensions:
      X509v3 Subject Alternative Name:
      DNS:<redacted>
      X509v3 Basic Constraints:
      CA:FALSE
      X509v3 Key Usage: critical
      Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
      TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Certificate Policies:
      Policy: 2.16.840.1.113733.1.7.54
      CPS: https://d.symcb.com/cps
      User Notice:
      Explicit Text: https://d.symcb.com/rpa
      X509v3 Authority Key Identifier:
      keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF
      X509v3 CRL Distribution Points:
      Full Name:
      URI:http://ss.symcb.com/ss.crl
      Authority Information Access:
      OCSP - URI:http://ss.symcd.com
      CA Issuers - URI:http://ss.symcb.com/ss.crt
      Signature Algorithm: sha256WithRSAEncryption

  • Why are intermediate certificates needed within STRUST with SAP as SSL client?

    Scenario: My company is hosting various applications on a web server. Our customers connect their SAP systems to our applications using web services.  We changed one of our VeriSign web server SSL certificates a few weeks ago. This new SSL certificate was signed by a VeriSign intermediate CA which itself is signed by a new VeriSign root CA.
    In the past, we only took care that our customers have the corresponding VeriSign root certificate imported into their SAP via STRUST; in our case this is the following root certificate: http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem
    Now as we changed the certificate on our web server, our customers can't connect to it with their SAP systems any more. We found out that it works again, if the customers additionally import the VeriSign intermediate certificates into their SAP via STRUST; in our case the following ones: https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
    This is something we don't understand for two reasons:
    1.) Usually it shouldn't be necessary to have intermediate certificates on client side, only on the web server. We saved the two VeriSign intermediate certificates into one file and linked it within our Apache via the "SSLCertificateChainFile" directive. This is what we expected to be enough for all SSL clients which have the corresponding root certificate within their certificate stores.
    2.) Our old certificate was signed by an (other) intermediate certificate, too and we didn't have  this one on client side at our customers… it worked. Why? The only difference seems to be, that the old chain had only one intermediate certificate and the new one has two.
    Anyone has an answer to these questions or an idea how to avoid uploading the intermediate certificates all the time? 

    Hi !
    have a look at this thread may be helpful for you .
    Cannot import certificate response in STRUST
    Regds
    Abhishek

  • Godaddy SSL certificate installation problems - intermediate certificate not being recognized

    domain = mail.gottfried.org
    Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
    Response from:
    http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
    The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
    When I check in 0000_any_443_.conf
    I see:
    SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem"
    SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.key.pem"
    SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem"
    I am assuming that the intermediate certificate should be:
    mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
    When I look at that certificate it is the same as
    mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
    When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
    It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
    Anyone have any suggestions?
    I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldn't really help and if I really want help from them I need to talk to integration where costs start at $700....
    Anyone have an SSL provider that worked properly with 10.8  or has really good support for mountain lion server?
    Please let me know.
    Thanks!

    While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
    If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
    Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
    FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
    Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and generally to sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

  • 31.3.0 hangs when connecting to my IMAPS server (problem with intermediate certificates or SSL in general?).

    After update to 31.3.0 Thunderbird hangs when connecting to IMAPS server aie.de (intermediate certificates in chain). No error message is given, Thunderbird just hangs without updating the subject lines of the inbox.

    It is a configuration problem of the courier imap ssl daemon, resolution is shown [http://xf.wiki.mithi.com/index.php/Error_observed_in_/var/log/messages_log,_imapd:_couriertls:_accept:_error:1408F10B:SSL_routines:SSL3_GET_RECORD:wrong_version_number#Resolution here]

  • Firefox 3.6.13 do not have intermediate certification authority terena ssl ca (expiration 30.5.2020, is this problem specific to this version?

    I was helping a friend to check the status of the certificate of a website. The certificate was not approved (Firefox shows the warning page) in my Firefox but it was in his.
    I assumed it was because I had uninstalled Firefox 3.6.13 and reinstalled it about a week ago. So he uninstalled his Firefox software and reinstalled it. After that the site could not be viewed without the warning in Firefox 3.6.13 at his computer either.

    Why does Firefox 4.0.1 still not have the Terena SSL certificate built-in? Safari and IE 8 and 9 have access to it. This is a real nuisance. Is there a specific reason for it?
    (I don't need to know the workaround as I already know it. My point is, there shouldn't be a need for a workaround.)
    [http://crt.tcs.terena.org/TERENASSLCA.crt Download Terena SSL Cert here]
    Also, if we must deploy it into Firefox manually, how can this be automated for 7,500 Windows XP PCs and 4,000 Macs? Is there a scripting language for Firefox or can we stick it in a specific directory and Firefox will automatically absorb it?
    I think it would be easier if Firefox just incorporates it. It doesn't make sense for the other major browsers to support it and Firefox doesn't.

  • Safari and Intermediate Certificates

    Hi
    Per apple's safari post:
    http://discussions.apple.com/thread.jspa?messageID=6321649
    Safari has problems with certificate. Out of curiosity, can I import the intermediate certificate's pem into the ace and then run a chaingroup? It didn't work for me but was wondering if it really didn't work or was I missing some other configs:
    crypto chaingroup INTERMEDIATE-CERT
    cert VerisignIntermediate.pem
    ssl-proxy service sslproxy
    chaingroup INTERMEDIATE-CERT

    Also seeing this - Safari 5 / OS X 10.5.8 does not recognise Verisign Class 3 EV SSL CA (see screen grab). This is related to these software releases - the same site on Safari 5.1.6 / OS X 10.7.4 handles the same certificates just fine. Why is this CA not trusted in the first setup? - the Mac is fully patched via software update.

  • SSL Server: No available certificate or key.... exception

    Hi,
    I want to create a very simple SSL Server for testing purposes.
    I have searched google and these forums for an answer, but anything that I found did not help (will say below what I tried).
    Here is my code:
    import java.io.IOException;
    import javax.net.ssl.SSLServerSocket;
    import javax.net.ssl.SSLServerSocketFactory;
    public class Server {
         private int port = 25000;
         // The default factory takes its key material from the javax.net.ssl.keyStore system properties.
         private SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
         public Server() {
              try {
                   SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
                   Echo echo = new Echo(socket);
                   Thread t = new Thread(echo);
                   t.start();
              } catch (IOException e) {
                   e.printStackTrace();
              }
         }
         public static void main(String[] args) {
              new Server();
         }
    }
    and
    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.io.OutputStreamWriter;
    import javax.net.ssl.SSLServerSocket;
    import javax.net.ssl.SSLSocket;
    public class Echo implements Runnable {
         SSLServerSocket socket;
         public Echo(SSLServerSocket socket) {
              this.socket = socket;
         }
         @Override
         public void run() {
              try {
                   // accept() is where the exception quoted below is thrown
                   SSLSocket connectedSocket = (SSLSocket) socket.accept();
                   // creating the streams
                   InputStream inputstream = connectedSocket.getInputStream();
                   InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
                   BufferedReader in = new BufferedReader(inputstreamreader);
                   OutputStream outputstream = connectedSocket.getOutputStream();
                   OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream);
                   BufferedWriter out = new BufferedWriter(outputstreamwriter);
                   // echoing...
                   String input = "";
                   while (input.compareTo("abort") != 0) {
                        input = in.readLine();
                        if (input == null) {
                             break; // client closed the connection
                        }
                        System.out.println("Server received message: " + input);
                        out.write(input + " " + input);
                        out.flush();
                   }
              } catch (IOException e) {
                   e.printStackTrace();
              }
         }
    }
    When I run the code, I get
    javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
         at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
         at Echo.run(Echo.java:24)
    Line 24 in Echo.java is SSLSocket connectedSocket = (SSLSocket) socket.accept();
    I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    I have tried relative and full pathnames for javax.net.ssl.keyStore, as well as copying the keystore right into the directory with the class-files
    I have tried to set javax.net.ssl.keyStore (and javax.net.ssl.keyStorePassword) via the command line's -D switch and via System.setProperty
    After all that failed, I even tried to import the generated public key into the server's keystore as well
    No matter what I did, I always get above exception upon calling accept().
    I am using Java 6 (Java(TM) SE Runtime Environment (build 1.6.0_17-b04)) on Windows 7 64 Bit
    Any help is appreciated.

    I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    Are you sure you created a keystore with an RSA keypair, and not a DSA keypair?

  • SSL certificate doesn't work in FF only. It says "The certificate is not trusted because no issuer chain was provided."

    It is suggested here (https://support.mozilla.org/en-US/questions/1021610) to check the website on networking4all.com
    I performed the check and the results are pretty fine. See below:
    http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=happydemics.com&protocol=https
    But Firefox still says it is untrusted. What's wrong with the certificate?

    hello rocketblr, the site isn't providing a full certificate chain that links the intermediate certificate that it uses to the root certificate trusted by the browser: https://www.ssllabs.com/ssltest/analyze.html?d=happydemics.com&hideResults=on&latest
    (in this case it will depend on chance/if you have visited another site which used and implemented the same intermediate certificate properly).
    please report that issue to the webmasters of this particular site...
    http://wiki.gandi.net/en/ssl/faq#what_is_an_intermediate_ssl_certificate

  • Intermediate Certificates and Yosemite Server

    After several attempts at installing my server's certificate from StartSSL, which requires an intermediate certificate, I finally have everything working except opendirectory/LDAP.  The slapd service simply refuses to send the intermediate certificate along with the server certificate on SSL/636 connections.  It is supposed to send both.
    Anyone know what I need to do to kick slapd into serving all the proper certificates in the chain like the other services (Calendar, Web Server, etc) are doing?

    Been wrestling with this myself for months. Found this on serverfault:
    http://serverfault.com/questions/653419/how-can-one-force-open-directory-server-to-provide-its-full-certificate-chain-to
    Short Answer: slapd can't send the full chain.

  • CSS11501 and intermediate certificates

    Hi,
    First : we have the following css :
    Product Name: CSS11501S-K9 F0 SW Version: 07.50.1.03
    Version: sg0750103 (07.50.1.03)
    Flash (Locked): 07.50.1.03
    Flash (Operational): 07.50.1.03
    Type: PRIMARY
    Licensed Cmd Set(s): Standard Feature Set
    I was wondering if there is a way to provide intermediate ssl certificates on the css. We used to upload the pem cert and key and this always worked. Recently we have changed to premium ssl certs from verisign and it looks like we will need to provide the intermediate certificate on the css.
    Does anybody know any reference as to how we can do this ?
    Kind regards,
    Ronny

    Hi,
    No need to look, found it on the net.
    Kind regards,
    Ronny

  • Was "VeriSign Class 3 International Server CA - G3" certificate authority removed from FF 3.6.12?

    We have a site that has a SSL certificate with this authority and now we are seeing "Untrusted connection". This was working fine with older versions of FireFox.

    It is the responsibility of websites to send all required intermediate certificates. If websites do not send them and Firefox hasn't stored them from a past visit to other websites that send them then you get the not trusted error message. Firefox is a multi platform application and every platform would require a different approach for each supported feature. That would require a lot of extra code that the devs want to avoid, even if APIs for such an enhancement (don't know about this one).
    You can also check certificates via other test sites.
    * http://www.networking4all.com/en/support/tools/site+check/
    * http://www.sslshopper.com/ssl-checker.html

  • Intermediate certificates not refreshed

    Hi,
    We have just renewed our ssl certificate with Verisign. They use an intermediate certificate so I have also updated the chain file on the server.
    The problem is that whilst firefox picks up the new site cert file, it is still using a cached version on the intermediate cert (with expiry date of 25/10/2011 instead of the new 25/10/2016).
    If I use a fresh Firefox profile (or delete the cert8.db file) then the correct 2016 cert is picked up.. but I can't really expect site visitors to have to do this, and I'm worried that come the end of next year, people who have visited the site before and hence have the old intermediate cert, will start getting "this site is untrusted" messages from Firefox.
    Anyone else come across this / have a solution?
    == URL of affected sites ==
    https://www.ruralretreats.co.uk/cert-test.txt

    Danian,
    Examine this page, it covers the details of how to do this. The section of interest to you is the box which discussed obtaining and installing the verisign intermediate cert -
    http://www.cisco.com/warp/customer/117/expired_verisign.html
    Basically you have the concept correct, but the order of certs in the chain is important.
    Peter
