“Untrusted Connection” error in Firefox & Intermediate Certificates
There are many reasons why you may see an SSL error, some of which will vary by browser. Even if the SSL certificate is installed correctly, you are not necessarily in the clear. One of our password reset customers experienced the dreaded “Untrusted connection” error when browsing to the password reset web on their Android device. We reproduced the condition using Firefox, but the same could not be reproduced in Chrome, IE, or Edge. So, what gives?
Firefox displays the aforementioned error if the server does not send a required intermediate certificate. Firefox uses a different certificate store than Chrome, IE, and Edge. The latter use the Windows certificate store, while Firefox uses its own. This means that Chrome, IE, and Edge have the certificates needed to complete the chain of trust from your certificate back to the root certificate, even if the intermediate certificate is not present. Firefox is unable to complete the chain without the intermediate certificate.
We confirmed the issue using digicert’s certificate tool (https://www.digicert.com/help/). The customer simply needed to install the intermediate certificate on their web server using Certificates MMC, and add it to the Local Computer store in the Intermediate Certification Authorities folder.
If the web server is being published to the internet via a reverse proxy, e.g. Citrix Netscaler, Sophos UTM etc., the intermediate certificate should also be installed on those systems as well.
If the intermediate certificate is not installed into Firefox’s Certificate manager, or has not been installed in the correct store on the webserver or reverse proxy, then the client browser/system will not trust that connection, as it cannot complete the certificate chain. The screenshot below shows that the certificate has been correctly installed in the Firefox cert store.
If all the steps have been completed correctly, you will no longer see the warning page on Firefox.
(Last updated on August 2, 2018)