Hi Michael,

Your webservers should also include the intermediate certificate. See https://wiki.mozilla.org/CA:FAQ#Why_does_SSL_handshake_fail_due_to_missing_intermediate_certificate.3F

I have also seen the following behavior: As soon as you browse to a webserver which properly “sent the certificate chain” (includes the intermediate) and the browser trusted that URL, the intermediate certificate will be cached in the profile. Now the browser can establish an SSL session also with the webservers which do not send the certificate chain.

Some of my notes:

How to verify a webserver sends the correct certificates

On any machine which has openssl installed, run this command and replace the hostname.domainname and port to match your webserver address:

    openssl s_client -showcerts -connect hostname.domainname:443

Assuming an intermediate certificate is required, a properly configured webserver would return at least two certificates. Every certificate listed also displays the issuer of the certificate (issuer line i:). In most cases at least one of the certificates should be issued by some kind of “Root CA” (the intermediate certificate is usually issued by a root CA).

In the following example two certificates are published by the webserver: the webserver certificate itself AND the intermediate certificate.

    [root@myserver ~]# openssl s_client -showcerts -connect hostname.domainname:8444
    […]
    Certificate chain
     0 s:/O=My Company/CN=hostname.domainname
       i:/C=DE/O=My Company/OU=Infrastructure/CN=My Private SSL CA
    […]
     1 s:/C=DE/O=My Company/OU=Infrastructure/CN=My Private SSL CA
       i:/C=DE/O=My Company/OU=Infrastructure/CN=My Private Root CA
    […]

Bruno

From: Enterprise [mailto:[email protected]] On Behalf Of Michael Haase
Sent: Monday, March 20, 2017 11:05 AM
To: [email protected]
Subject: [Mozilla Enterprise] Windows Enterprise Root Certificates

Hi,

With Firefox 52 released, the option ENTERPRISE_ROOT_CERTIFICATES is now visible in about:config (and therefore we have it enabled via GPO with FirefoxCE) and I tested again with this value enabled (both FirefoxCE and normal Mozilla Firefox 52). Our intranet site is not trusted.

In my previous test about 8 weeks ago with a portable alpha version, it had been working. I found out that besides the root certificate also the intermediate certificate needs to be in the root store, then it works with FF52. I am sure that it worked before without adding our own intermediate certificate to the root store, too. Anybody else tried this and can confirm a changed behavior?

Thanks,
Michael
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
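The chain check from Bruno's notes as a script, added here as an example and not part of the original thread: it reads `openssl s_client -showcerts` output and reports whether each certificate the server sent is issued by the next one. The function name check_chain and both sample transcripts are constructed for illustration (the names in them come from the example output in the message); the verdict depends only on what the server sends, not on intermediates cached in a browser profile.

```shell
#!/usr/bin/env bash
# Added example (not from the original message): classify the "Certificate chain"
# section of `openssl s_client -showcerts` output read from stdin.
# Verdicts: OK <n> | MISSING_INTERMEDIATE | SELF_SIGNED | BROKEN_LINK <k> | NO_CHAIN
# Live use: openssl s_client -showcerts -connect hostname.domainname:443 </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    # " 0 s:<subject>" opens entry 0; the following "   i:<issuer>" names its issuer.
    /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj[idx] = $0; n = idx + 1; next }
    /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN"; exit }
      if (n == 1) {
        # Only the leaf was sent: acceptable only if it is its own issuer.
        if (subj[0] == iss[0]) print "SELF_SIGNED"; else print "MISSING_INTERMEDIATE"
        exit
      }
      # Each certificate must be issued by the subject of the next one sent.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "BROKEN_LINK " k; exit }
      print "OK " n
    }'
}

# Constructed transcript: leaf plus intermediate, as in the example output above.
sample_with_intermediate() {
  cat <<'EOF'
Certificate chain
 0 s:/O=My Company/CN=hostname.domainname
   i:/C=DE/O=My Company/OU=Infrastructure/CN=My Private SSL CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:/C=DE/O=My Company/OU=Infrastructure/CN=My Private SSL CA
   i:/C=DE/O=My Company/OU=Infrastructure/CN=My Private Root CA
---
EOF
}

# Constructed transcript: the same server configured without the intermediate.
sample_leaf_only() {
  cat <<'EOF'
Certificate chain
 0 s:/O=My Company/CN=hostname.domainname
   i:/C=DE/O=My Company/OU=Infrastructure/CN=My Private SSL CA
---
EOF
}

sample_with_intermediate | check_chain   # OK 2
sample_leaf_only | check_chain           # MISSING_INTERMEDIATE
```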

