"Gervase Markham" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Melelina wrote: > > Why is the VeriSign Class 3 Secure Server CA which can be downloaded here: > > http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer not in the Fx > > certificate store? Should this not have been added in the latest update of > > Fx (1.5.0.11)? > > The Mozilla store only includes root certificates. The VeriSign Class 3 > Secure Server CA is an intermediate certificate; it is signed by the > Verisign "Class 3 Public Primary Certification Authority" root, which is > in Firefox (and has been for some time). > > If your website uses a certificate which is signed by the one you > mention, you need to place a copy of the intermediate certificate on the > webserver also, in line with instructions provided by your server vendor > and/or by Verisign. Otherwise, Firefox will not be able to follow the > certificate chain to the root. > > IE will also have a similar problem, but only if it has never > encountered a correctly-configured web server (i.e. it caches > intermediate certs). So IE in new installs of Windows will also have the > problem. > > > Also, why am I unable to edit the cert issued to > > http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert > > Manager? > > I don't quite understand what you mean by "took from IE and put in the > Fx Cert Manager". Could you explain more about exactly what you did? > > > I want to trust this cert but when I use edit and click the trust > > button upon closing the Certificate Manager my edit is reversed and the do > > not trust button is chosen. > > If you want to trust this cert directly, visit the site in Firefox and > choose "Accept this certificate permanently" from the dialog which > results. The certificate will then appear in Firefox in Preferences | > Advanced tab | Encryption sub-tab | View Certificates button | Web Sites > tab. Your browser (but not anyone else's) will then visit the site in > future without error. But you would be far better off getting the server > fixed. > > Gerv
I don't have a server. I am a user who got an email from Microsoft asking me to participate in a global survey of Microsoft's customer service. I clicked on the link to the survey and Fx, being my default browser, dutifully went to the site and threw up a message that the site's cert could not be trusted and asked what I wanted to do. I have had this happen many times with Microsoft's sites and Frank Hecker's answers, not withstanding, it irritates the hell out of me and it makes Fx look stupid. This needs fixing. Average users are beginning to ask what is wrong with Fx. In this case, Opera also throws up the cannot be trusted popup but IE has no problems. I don't want to use IE and I don't want to worry that the email I got was actually a phishing email and that I will end up on a phishing site if I tell Fx to trust the cert one time. There is no dialog when I try to visit the site that would allow me to "Accept this certificate permanently" . Fx refuses to make any connection to the site because it doesn't trust the Microsoft cert and I can't change it in edit to trust. As for root certs...Verisign has stopped that. They are no more. Verisign certs are NO LONGER signed by a root authority. They have switched to an intermediate authority only. They have spent two years switching and just finished this month...hence all the problems because Fx hasn't kept up! Fx will have to incorporate this intermediate cert eventually as Verisign has finished the process to a two step cert. They are keeping the root certs for another year only for legacy reasons. I know that Fx doesn't have intermediate certs but it better change that soon and I assumed that it already had. Explain to me how Fx is going to handle Verisign 2 step certs if it won't keep the intermediate cert in the store? I don't care if Microsoft has a misconfigured server and I don't really think that is the problem. I simply want Fx to accept the cert which it should be doing. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
