Join the Mozilla’s Test Days event from Dec 2–8 to test the new Firefox address bar on Firefox Beta 134 and get a chance to win Mozilla swag vouchers! 🎁

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"

  • 3 个回答
  • 17 人有此问题
  • 1 次查看
  • 最后回复者为 khetheri

more options

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)

ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)

ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm

Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature"

I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA) ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm) ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature" I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

被采纳的解决方案

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.

定位到答案原位置 👍 5

所有回复 (3)

more options

HI khetheri,

In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.

There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.

# In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear. 
  1. Click I'll be careful, I promise!, to continue to the about:config page.
  2. Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.

Looking forward to your reply!

more options

rmcguigan,

Thanks for the suggestion. I had actuially already tried this. I neglected to say so in the write-up. However, the result was the same.

Regards, Khetheri

more options

选择的解决方案

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.