I have a server running on my internal network. For SSL support, I have set up an internal CA (using OpenSSL) and issued a certificate for the server. The certificate chain is as follows:
Example Root CA V1
+-- server.example.com
I installed the server certificate on the server and imported the root certificate in Firefox, and this has worked so far.
Since the root certificate is about to expire, I decided to set up an entirely new CA with a deeper hierarchy:
Example Root CA V2
+-- Example Signing CA V2
    +-- server.example.com
I also created a user certificate, signed by the signing CA.
I then added the user certificate in Firefox. The new root CA shows under Authorities and the intermediate certificate (Signing CA) shows under Others. For the root cert, I’ve set all three check marks in Edit Trust.
Next I updated the certificate on the server. When I now try to connect to the server, Firefox complains that the connection is not secure:
server.example.com uses an invalid security certificate.
The certificate is not trusted because it was issued by an invalid CA certificate.
Error code: SEC_ERROR_CA_CERT_INVALID
Clicking on the error code gives me:
https://server.example.com/
Issuer certificate is invalid.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false
Certificate chain:
followed by the server cert, the intermediate CA cert and the root CA cert.
The server runs ownCloud and Webmin; so far I've only replaced the Webmin certificate. Firefox is version 50.1.0.
What is wrong here?
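
One property to check when a verifier reports that the issuer certificate is invalid is whether every issuing certificate in the chain asserts basicConstraints CA:TRUE, which RFC 5280 requires of any certificate used to sign others. The script below is an added example, not part of the original post: it builds two throwaway chains shaped like the one described (file names and the temporary directory are constructed), differing only in the signing CA's basicConstraints, and runs OpenSSL's verifier on each.

```bash
#!/usr/bin/env bash
# Constructed demo: build root -> signing CA -> server twice and compare verification.
# All file names and the temporary directory are made up for this example.

# issue NAME CN EXT [ISSUER]: create NAME.key and NAME.pem; self-signed if ISSUER is omitted.
issue() {
    local name=$1 cn=$2 ext=$3 issuer=${4:-}
    printf '%s\n' "$ext" > "$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -extfile "$name.ext" -days 30 -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -signkey "$name.key" \
            -extfile "$name.ext" -days 30 -out "$name.pem" 2>/dev/null
    fi
}

# build_chain DIR INT_EXT: three-tier chain in DIR; INT_EXT is the signing CA's extension line.
build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    issue root   "Example Root CA V2"    "basicConstraints=critical,CA:TRUE" &&
    issue int    "Example Signing CA V2" "$2" root &&
    issue server "server.example.com"    "basicConstraints=CA:FALSE" int
)

# is_ca CERT: print "yes" if CERT asserts basicConstraints CA:TRUE, otherwise "no".
is_ca() {
    if openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# verify_chain DIR: print "ok" if server.pem validates through int.pem to root.pem, else "fail".
verify_chain() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

work=$(mktemp -d)
build_chain "$work/good" "basicConstraints=critical,CA:TRUE"
build_chain "$work/bad"  "basicConstraints=critical,CA:FALSE"
for c in good bad; do
    echo "$c: signing CA is_ca=$(is_ca "$work/$c/int.pem") verify=$(verify_chain "$work/$c")"
done
rm -rf "$work"
```

Running `is_ca` against a real intermediate certificate file gives the same yes/no answer without building any test chain.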