Getting Rid of "Web Site Certified By an Unknown Authority" Messages
Published By: Doug Hughes on Oct 31, 2005 at 9:02 PM
Earlier today I announced FloridaVacationAuction.com. Shortly thereafter an astute reader pointed out that there was a problem with the site's SSL certificate in Firefox. Figures, doesn't it?
Well, to be honest, I knew about the problem. The site was moved to one of my servers temporarily to avoid downtime due to Hurricane Wilma. As a part of this temporary move I exported the site's SSL certificate using the built-in mechanism in IIS 6.
Unfortunately, after moving the SSL certificate, visitors using Firefox were prompted with a message which read "Unable to verify the identity of www.floridavacationauction.com as a trusted site." Because the server move is temporary and because not many of our visitors are using Firefox (yet), I decided to look the other way.
Well, of course, seeing as I blogged about the site today, a technical user ran into the problem and dropped me a message. This prompted me to get off my butt and fix the problem, which I did.
Typically an error message like this indicates either that you're using a self-signed certificate or that you are accessing the site from a different URL than the one the SSL certificate was issued for. For instance, in my case a possible cause may have been that I was accessing the site at floridavacationauction.com, without the "www". Neither of these scenarios was true. In fact, I was on the correct URL and the certificate was issued by Verisign.
A little crafty Googling turned up a page which indicated that the problem might be related to a missing certificate for an intermediate CA (certificate authority). I don't know much about this, but it seems that there is one root authority which bestows permission on other companies to sign certificates. This process forms a chain of trust which your browser verifies.
Unfortunately, it seemed that Firefox didn't recognize one of the intermediate CAs and was showing that error as a result. By searching around on Verisign's website I found their intermediate CA certificates. Unfortunately the instructions they provided to import it were not correct (or I couldn't get them to work).
I did a little more searching and found some instructions (on a competitor's website!). What follows is what I actually did to import the certificate into Windows Server 2003. I assume the process will be the same for Server 2000.
1. Copy the certificate into a file named verisign.cer on your web server. This name is arbitrary.
2. Click Start > Run and type MMC. This opens the Microsoft Management Console.
3. Click File > Add/Remove Snap-in. This opens the Add/Remove Snap-in window.
4. In the resulting window click Add. This opens the Add Standalone Snap-in window.
5. In this window find the Certificates snap-in. Select it and click Add.
6. Select Computer account and click Next.
7. Select Local computer and click Finish.
8. Click Close and then OK. Now you'll see the Certificates snap-in in the MMC.
9. Expand the Certificates node, right click on Trusted Root Certification Authorities and select All Tasks > Import...
10. Click Next then select the .cer file on the desktop and click Next again.
11. The next step in the wizard should indicate that the certificates will be placed in the Trusted Root Certification Authorities. If so, click Next. If not, fix it.
12. Click Finish. You should get a message saying that the import was successful. If so, you're done!
I'm pretty sure you could also just right click on the .cer file and click Install Certificate. From there, click through, but be sure to select the Trusted Certificates store.
Either way, once you're done the error message should go away in Firefox.
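The chain-of-trust failure described in this post can be reproduced with a small model. This is an added example, not code from the original post: it links certificates by subject and issuer name only (no signature, validity or name-constraint checks), and every certificate name in it is constructed. It goes one step beyond the post by also covering a client that already holds the intermediate from another source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed names for illustration; these are not real certificates.
ROOT = Cert("Example Root CA", "Example Root CA")  # self-signed trust anchor
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("www.example.test", "Example Issuing CA")
SELF_SIGNED = Cert("dev.example.test", "dev.example.test")


def build_chain(leaf, presented, client_known, trust_roots):
    """Follow issuer links from the leaf until a trusted root is reached.

    presented    -- CA certificates the server sent along with the leaf
    client_known -- intermediates the client already holds from elsewhere
    trust_roots  -- the client's own root store
    Returns (chain, None) on success, or (partial_chain, missing_issuer).
    """
    roots = {c.subject: c for c in trust_roots}
    pool = {c.subject: c for c in [*presented, *client_known]}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        if current.issuer in roots:
            anchor = roots[current.issuer]
            if anchor != current:  # do not list a trusted root twice
                chain.append(anchor)
            return chain, None
        parent = pool.get(current.issuer)
        if parent is None or parent.subject in seen:  # gap or issuer loop
            return chain, current.issuer
        chain.append(parent)
        seen.add(parent.subject)
        current = parent


if __name__ == "__main__":
    cases = {
        "server sends leaf only": ([], []),
        "server sends leaf + intermediate": ([INTERMEDIATE], []),
        "leaf only, client already has intermediate": ([], [INTERMEDIATE]),
    }
    for label, (sent, known) in cases.items():
        chain, missing = build_chain(LEAF, sent, known, [ROOT])
        path = " -> ".join(c.subject for c in chain)
        print(f"{label}: {path} | missing issuer: {missing}")
```

The `missing_issuer` value is the name of the CA certificate to obtain from whoever issued the site certificate. On Windows, a CA certificate that is not self-signed normally belongs in the Intermediate Certification Authorities store rather than among the trusted roots.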








Thanks for posting this, it helped me with a similar issue I was having with Firefox and Apache. I ended up following Verisign's instructions at http://www.verisign.com/support/ssl-certificates-support/install-ssl-certificate.html .
Posted By: Grig Gheorghiu on Dec 6, 2005
I did the same, but it didn't work.
What other way is possible to solve the issue?
regards
bhavin shah
Posted By: bhavin on Jan 4, 2006
Worked like a charm! I had this issue with Firefox and IE on Windows as well as Safari on Mac OS X after moving my SSL cert from an old NT 4.0 server to a new Windows Server 2003 Web Ed. That move wasn't as smooth as Verisign instructions would lead one to believe, but I made it. Doug's fix was the last thing I needed to do. The only thing I had to add was Step 13 - Stop/Start site in IIS. Thanks Doug!
Posted By: Justin on Aug 8, 2006
bhavin, at first these instructions didn't work for me, either.
It turned out that my SSL certificate was not issued by Verisign, so installing their intermediate CA did nothing to affect the problem.
You'll need to get the intermediate CA from the place that generated the certificate. After installing that, your problems should go away.
My certificate was provided by Starfield, and you can download their intermediate from here: https://certificates.starfieldtech.com/Repository.go%3bjsessionid=A5A8BBE0DCC3C30085CEFA149746DDEF
Thanks Doug for the wonderful instructions.
Posted By: Jeff houser on Nov 7, 2006
It worked like magic and saved my bacon.
Thanks Doug!
Posted By: Zuno on Mar 12, 2007
I am experiencing this issue in Firefox only. My intermediate certificates have been installed and are working properly in IE. Any ideas why this may be happening?
Posted By: Tom on Mar 27, 2007
Works like a champ. I had recently changed certificates issued by Thawte to Verisign and forgot to include the SSLCACertificateFile directive in the Apache config file. Once I did that and pointed it at the right intermediate CA cert, and bounced Apache, all works now. Only Firefox users were complaining about this, IE users worked fine. Thanks!
Posted By: Dave on Apr 10, 2007
Hi, is the problem related to Firefox only? I am facing a similar problem in Firefox but it's working in IE without any error...
Posted By: Gobinda Paramanik on Apr 12, 2007
Thanks for posting this information. Neither GoDaddy nor my host would believe me when I told them I was getting this error. IE 7 has the problem for me also on Win XP.
Posted By: m2guru on May 8, 2007
Here is a link to GoDaddy's repository
https://certificates.godaddy.com/Repository.go
Posted By: m2guru on May 8, 2007
We went through the issues and problems associated with this situation and had no luck after following all the instructions we found everywhere. Finally, I called Verisign support and we got it cleared up quickly.
In the MMC Certificate Manager, under the Trusted Root Certificate Authorities, see if you have a Verisign Class 3 Public Primary Certification Authority - G3 certificate with an expiration date of 7/11/2036 that has an intended purpose of Server Authentication.
If you ALSO have one named the same for Code Signing, etc., then delete the one for Server Authentication but leave the one for code signing.
We removed that (and you can always back it up) and then things worked fine.
They said it was because Firefox gets confused with the chain of authority and sometimes that cert gets in the root when another one works fine in its place. Or something like that. The stupid thing works now so I stopped caring to a degree!
Posted By: Orajen on Jul 30, 2007
Worked like a charm.
Posted By: Aaron Corcoran on Aug 21, 2007
Worked for me. I have IIS6 on W2K3 R1, and IE7/IE6 worked - but FF prompted me. SSL provider is GoDaddy.
Using your instructions was only the first step. And a comment above mentions a Step 13, stop and restart the website in IIS for the changes to take effect.
Unfortunately, m2guru's comment above is correct. You must install another Intermediate Certificate for GoDaddy to get it working. Again, the link m2guru was so kind to post, that has all of GoDaddy's intermediate certs, is:
https://certs.godaddy.com/Repository.go
Since I had the cheapest ssl they offer, I downloaded and installed "Go Daddy PKCS7 Certificate Intermediates Bundle (for Windows IIS)" from that link.
To install it, follow the instructions on this page exactly. Except, when it asks you to Browse to the p7b, you won't be able to see the file. You will have to change the "Files of type" filter to "PKCS #7 Certificates (*.spc,*.p7b)". Then you can select the gd_iis_intermediates.p7b file you downloaded.
And, don't forget Step 13: stop and start the website in IIS in question - or a full IISRESET if you aren't running any other sites.
Posted By: eduncan911.com on May 8, 2008
Ok, I've written up GoDaddy instructions here.
And, I've added pics to your instructions. :)
http://eduncan911.com/archive/2008/05/09/getting-godaddy-ssls-working-in-firefox-on-iis.aspx
Posted By: eduncan911.com on May 9, 2008
Thanks, that did the trick. Only thing I had to do was restart IIS afterwards.
Posted By: Mun on May 30, 2008