sec_error_unknown_issuer ssl certs and browsers

09-08-2008, 12:15 PM
I am very concerned.

I set up a CAcert SSL cert today. It has always given a warning since it is not bundled with the major browsers as a default root CA.

Today, it gave the normal warning in Opera, but was completely denied by both Firefox 3 and IE. (Firefox 3 is giving the "sec_error_unknown_issuer" error.)

While this difference in results suggests a browser-level issue, I am praying it is something else that can be fixed by some kind of server configuration or as part of the certificate creation process.

I was depending on the CAcert SSL to secure certain logins and other areas of some web sites. (No e-commerce; for that, there is PayPal and payment gateways.) The non-e-commerce SSL is still an important function, and I had depended on CAcert for the solution.

Can anyone shed light on this?

Thank you.

09-08-2008, 01:24 PM
I have done some further research.

I don't know about IE, but for Firefox, it appears that CAcert has failed to meet the latest Mozilla CA Certificate Policy (Version 1.2). See http://www.mozilla.org/projects/security/certs/policy/

It is talked about here: http://preview.tinyurl.com/64pyn6

I can understand the reasoning, but it leaves me (and I am sure many others) with a real problem. I need the ability to deploy SSL secured areas (ideally with subdomain wildcarding), without paying for a commercial Certificate Authority every time. There are a TON of non-commercial uses for SSL.

Is anyone aware of a free solution that will not be denied by Mozilla's new security measures? (The old style warnings would be acceptable.)


10-01-2008, 01:57 PM
As CAcert is not a recognized certificate authority in most web browsers, your only choices are the two you've already mentioned: have users add an exception to their browser and allow the unrecognized certificate (your site will still be secure), or purchase a certificate from a recognized certificate authority.
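
The trust-store behaviour discussed in this thread, as an added example that is not part of the original posts: a freshly generated private root stands in for a CA that browsers do not bundle, and `openssl verify` is run once with a store that lacks that root and once with a store that contains it. All names, subjects and file paths are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: why a client reports an unknown issuer, and what changes
# once the issuing root is present in the client's trust store.

make_chain() {  # $1 = work directory (hypothetical layout)
  local d="$1"
  # Root that no default store contains (stands in for an unbundled CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Unbundled Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Unrelated root, playing the part of the roots a browser does ship.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Bundled Root" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
  # Server key and signing request, then the unbundled root signs it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
}

issuer_trusted() {  # $1 = PEM file of trusted roots, $2 = certificate to check
  # "openssl verify" prints "<file>: OK" only when a chain to a trusted root
  # is found; match on that rather than on the exit code of older releases.
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  if issuer_trusted "$d/other.pem" "$d/leaf.pem"; then
    echo "store without the root: trusted"
  else
    echo "store without the root: issuer unknown"
  fi
  if issuer_trusted "$d/root.pem" "$d/leaf.pem"; then
    echo "store with the root:    trusted"
  else
    echo "store with the root:    issuer unknown"
  fi
  rm -rf "$d"
}

demo
```

The certificate and the encryption it enables are identical in both runs; only the contents of the verifier's trust store differ.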