Cagdas wrote, On 2008-09-09 23:41: > We have a problem about the trust issues with Mozilla Firefox 3. Even > though there was a correct configuration on Apache2 web server, > Firefox 3 cannot recognize our root certificates. The error code is > "sec_error_unknown_issuer". The target web site is: > https://www.elele.org.tr/elele.php?id=101 > > Yet we are quite sure that server configuration is suitable with the > one that Firefox wants:
There are several problems with the certificate that your server is sending out. 1. Your certificate was issued by a CA that is not a known and trusted root CA in Firefox. It was issued by: > O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Haziran > 2006 > C = TR > CN = TÜRKTRUST Elektronik Sunucu Sertifikası Hizmetleri The Turktrust root CA certs known in Firefox have these names: > O = (c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. > L = ANKARA > C = TR > CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı and > O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım > 2005 > L = Ankara > C = TR > CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı There is a third Turktrust root CA certificate that has not yet been accepted into Firefox. Its name is: > O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık > 2007 > L = Ankara > C = TR > CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı As you can see, the issuer name in your cert does not match any of the above known Turktrust root CAs. Therefore, your cert was probably not issued by a root CA, but by a subordinate CA, subordinate to one of the two Turktrust roots. In that case, you need to configure your server to send out the CA certificates for the subordinate CA(s) in addition to your server's cert. Turktrust should have explained this to you. If they did not, please contact them. It is also possible that your cert was issued by a root CA that is unknown to us, one for which no application has yet been made to include it into Firefox. In that case, Turktrust should apply to have that root CA also included in Firefox. _______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
