
My situation is the following: in our corporate network a special kind of SSL certificate issued by the company itself is used. Every time I open a site via https in Firefox a warning prompt is displayed saying "sec_error_unknown_issuer". In the certificate details it says that this particular certificate was issued by my company; there is a company address and name and everything. It's very annoying because I need to add an exception for the invalid certificate every single time I go to an SSL-encrypted site. One possible solution would be to give up SSL and use plain http when possible (there is no difference between SSL and no SSL at the moment if the network admins handle the certificates themselves, I guess), but some sites do not work without SSL, such as bank login pages. So I think the better idea would be to add the certificate to Firefox's list of trusted authorities. To do this, I need to have an authority certificate. I tried to get it with the following OpenSSL command but to no avail:

openssl s_client -connect hostname:port

It shows one certificate and then it stops because some certificates could not be verified, and the certificate is incorrect because Firefox displays an error when I try to import it. I don't remember the exact message now but it was something like "this certificate is not a valid authority certificate".

I also tried to use Wireshark but I can't use it too well and I failed to grab what I was looking for. And as a last resort, it's impossible to disable SSL certificate validation in Firefox.

So how can I grab this local authority certificate that I could import to Firefox and stop being annoyed by the error messages?

  • 1
    IIRC it is up to your admins to place the company certificate in the list of trusted certs on all their employees' systems. Ask them to do the job.
    – Jan Doggen
    Commented Jun 13, 2013 at 11:53
  • Yes, that would be the best, but I don't think it will happen. There are both Windows and different varieties of Linux in use here. If they wanted to do this, they would, but they will say that it doesn't pay. Commented Jun 13, 2013 at 11:57
  • Possible duplicate of Suppress Google Chrome's "Your Connection is Not Private" for specific Address?
    – kenorb
    Commented Jan 12, 2016 at 10:08
  • Does Firefox display two certificates? A correctly configured server should not send the CA certificate, since if you trust the CA, you should already have its cert. If the server is correctly configured, there might not be a way to obtain the cert other than asking the administrators for it. Commented Jan 12, 2016 at 15:42

4 Answers

1

If you're using a corporate network or you trust the issuer, you have to import the given certificate into your keychain and make it trusted for your SSL connections. To make it work for all web addresses, it needs to be the Root certificate authority.

In Chrome you can basically click on the padlock icon, then the Connection tab, so you can see the Certificate Information, which should contain a CRT link for your Root (top one) certificate.

GitHub - The identity of this website has not been verified. Server's certificate is not trusted.

Once you have downloaded the certificate file, or obtained it with the following command:

openssl s_client -connect example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > foo.crt

open the file and, in the trust settings, set it to Trust.

On OS X you can double-click on the file or drag and drop it into your Keychain Access, so it'll appear in login/Certificates. Then double-click on the imported certificate and make it Always Trust for SSL (as shown below).

Keychain Access, login/Certificates - Always Trust

Now all HTTPS/SSL websites should work fine.

0

Add the -showcerts option to make s_client print the entire chain.

  • I tried this option too, but OpenSSL just showed the first certificate, between "BEGIN CERTIFICATE" and "END CERTIFICATE", that belongs to the remote site such as google.com I think, and after that something about a connection failure because the issuer could not be verified (damn, I should keep the exact error messages with me). When I saved this certificate to a file "cert.crt" and tried to import it into the Fx trusted authorities list I got an error that it's not a correct authority certificate. I think it didn't print the certificate I am interested in. Commented Jun 13, 2013 at 12:52
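An added example, not code from the original question or answers: a small POSIX shell script that runs the -showcerts form of the s_client command from the answers above, splits the whole chain the server returns into one PEM file per certificate, and flags the self-signed one (subject equal to issuer), which is the certificate to import under Firefox Authorities. It assumes openssl and awk are installed; the host name, port and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Runs the
# -showcerts form of the s_client command, splits the returned chain into
# one PEM file per certificate, and flags the self-signed certificate
# (subject == issuer): that is the root to import into Firefox under
# Authorities. Assumes openssl and awk; host, port and file names are placeholders.

# Save the whole chain the server presents (leaf first, root last if sent at all).
fetch_chain() {   # usage: fetch_chain host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null >"$3"
}

# Split every BEGIN/END CERTIFICATE block in $1 into "$2-N.pem";
# prints the number of blocks found (0 if the output held no certificate).
split_chain() {   # usage: split_chain chainfile prefix
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Print subject and issuer of one PEM certificate.
describe_cert() { # usage: describe_cert file.pem
    openssl x509 -in "$1" -noout -subject -issuer
}

# Succeeds when the certificate in $1 is self-signed (subject equals issuer),
# i.e. a root CA candidate rather than a per-site leaf certificate.
is_root() {       # usage: is_root file.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

main() {
    fetch_chain "${1:-intranet.example}" "${2:-443}" chain.txt
    count=$(split_chain chain.txt cert)
    echo "server sent $count certificate(s)"
    for f in cert-*.pem; do
        [ -f "$f" ] || continue
        describe_cert "$f"
        is_root "$f" && echo "$f is self-signed: import this one into Firefox Authorities"
    done
}
# Only contact a server when a host name is given on the command line.
[ $# -gt 0 ] && main "$@"
```

If no file is flagged as self-signed, the server or proxy did not send its root (as the last comment on the question explains, a correctly configured server does not), and the certificate has to come from the administrators.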
0

I am facing the same problem today, and every time I try to connect to a site, all Mozilla products ask for permission to add a certificate. And that certificate only certifies the specified website.

In order to add your corporate certificate into the trusted authorities, go to Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities

And a list appears there. Find your corporate certificate and export it to a file with the wizard's default options.

After that, open Firefox: Options -> Advanced -> View Certificates -> Authorities -> Import

Select the file that you have exported, and check all the trust options.

Now you will be able to connect to all the websites.

0

If you can't get the certificate of the corporate web proxy, add your own local proxy (e.g., Burp Suite proxy) between the browser and corporate proxy, and install the local proxy's certificate in your browser. Configure your browser to use the local proxy (Options -> Advanced -> Network -> Connection Settings). The browser then only sees certificates issued by your local proxy, which is trusted, and you see no errors in the browser.
