Saturday, February 02, 2013 11:11 PM
I have some questions about certificates:
What is the difference between certificate principal name and subject alternative name?
I have issued a certificate on a 2003 server certification authority (using the Exchange server wizard); the certificate was used with Outlook Web App. Internet Explorer and Chrome both accept the certificate, but Firefox gives me the following warning: The certificate is not trusted because no issuer chain was provided. Error code: sec_error_unknown_issuer
What would cause an issue like this? What does "no issuer chain was provided" mean? My PKI contains only one level (enterprise root CA).
Sunday, February 03, 2013 2:50 AM
The certificate principal name (aka certificate subject name) is the primary name of a certificate and in most cases contains at least a common name of a server (cn=www.domain.com) or of a user (cn=Lutz Hipper, email@example.com). The subject alternative name is an alternative name of a server or user. For example, if a server should be reachable under autodiscover.domain.com and mail.domain.com, then the subject name attribute contains mail.domain.com and the subject alternative name (SAN) attribute contains both: autodiscover.domain.com and mail.domain.com.
About the second part of your question. Part of the certificate status verification is chain building, from the issued certificate to the root CA. If you have only one CA as root and issuing CA, then the chain is short. All systems in your environment that need to trust certificates from your root CA need to have the root CA certificate installed. With Active Directory it is easy to do via certutil.exe -f -dspublish rootca.cer RootCA. That way all machines in Active Directory will get the root CA cert installed with the group policy update (during reboot or every approx. 90 minutes, the default GPO update interval). On all other machines you need to do this manually via MMC or also using certutil: certutil.exe -f -addstore Root Rootca.cer
Sunday, February 03, 2013 9:41 AM
Thank you LutzMH for your answer.
Concerning the second part: It is an enterprise CA, which means that domain members should trust my CA after applying gpupdate. As I mentioned, I have no problem when using IE or Chrome. I have only this issue (The certificate is not trusted because no issuer chain was provided. Error code: sec_error_unknown_issuer) with Firefox. Any suggestion?
Sunday, February 03, 2013 5:08 PM
Firefox has its own certificate store and therefore you need to import the root CA cert into Firefox separately.
- Go to the Firefox Options menu
- Go to the Advanced tab
- Go to the Encryption tab
- Click on View Certificates
- Go to the Authorities tab
- Click Import to import your rootca.cer
Monday, February 04, 2013 4:24 AM
The last answer from LutzMH will resolve your issue, but if you have many machines using Firefox, it is also possible to push your root certificate into the Firefox trusted store via GPO with the right ADMX or via a PowerShell script too.
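One way to script the per-profile import that the last two replies describe, as an added example that is not code from any poster in this thread: it walks the current user's Firefox profiles and adds the root CA to each profile's NSS database with the NSS certutil tool (a different program from the Windows certutil.exe used earlier in the thread). The paths in $RootCer and $NssCertutil and the nickname are assumptions; the script expects to run in the user's own context (for example as a logon script) so that %APPDATA% resolves to that user's profile.

```powershell
# Added example: import an enterprise root CA into every Firefox profile of the
# current user using NSS certutil.exe (assumed to be deployed at $NssCertutil;
# it is part of the NSS tools, not of the Firefox installer).
param(
    [string]$RootCer     = "\\fileserver\share\rootca.cer",  # assumed path to the DER/PEM root cert
    [string]$NssCertutil = "C:\Tools\nss\certutil.exe",      # assumed path to NSS certutil
    [string]$Nickname    = "Enterprise Root CA"               # label shown in the Authorities tab
)

# Firefox keeps one NSS certificate database per profile. Older profiles use
# cert8.db (dbm: prefix), newer ones use cert9.db (sql: prefix); handle both.
$profileRoot = Join-Path $env:APPDATA "Mozilla\Firefox\Profiles"
if (-not (Test-Path $profileRoot)) {
    Write-Host "No Firefox profiles found for $env:USERNAME"
    exit 0
}

Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
    $dir = $_.FullName
    $db  = if (Test-Path (Join-Path $dir "cert9.db")) { "sql:$dir" } else { "dbm:$dir" }

    # Idempotency check: -L lists the certificates already in the database,
    # so a profile that already holds this nickname is left untouched.
    $existing = & $NssCertutil -L -d $db 2>$null
    if ($existing -match [regex]::Escape($Nickname)) {
        Write-Host "[$dir] root CA already present, skipping"
        return   # inside ForEach-Object this acts like 'continue'
    }

    # -A adds the certificate; the trust flags "C,," mark it as a trusted CA
    # for SSL/TLS server certificates only, not for e-mail or code signing,
    # which is all that is needed to trust the OWA server certificate.
    & $NssCertutil -A -n $Nickname -t "C,," -i $RootCer -d $db
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[$dir] root CA imported"
    } else {
        Write-Warning "[$dir] certutil failed with exit code $LASTEXITCODE"
    }
}
```

After a run, the Authorities tab in the Firefox dialog described above should list the certificate under the chosen nickname, and the sec_error_unknown_issuer warning should no longer appear for that user's profiles.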