The online FAQ database contains hundreds of answers to frequently asked questions, articles on using our web server applications and other related technologies, and resolutions to common problems. If you are seeing an error message, be sure to try searching on the error message or error number that you are seeing.

FAQ Home > Web Server Installation and Maintenance
Web Site Certified By an Unknown Authority
Created: 9/9/2008    Updated: 9/9/2008

Mail Item to a Friend
Question Some versions of Firefox browser display a warning message “Web Site Certified By an Unknown Authority” even though I do have a certificate installed on my site from a trusted public Certificate Authority. What causes this?
Answer Typically this message would be displayed by the browser if a certificate is installed is either:
  1. A self signed certificate or certificate issued by a non-recognized Certificate Authority.
  2. A certificate installed on an incorrect site (the URL of the site does not match the URL the certificate was issued for).
In these circumstances, the warning would normally show up on all versions of the browser and the fix is simple. In the first case, you need to obtain a certificate from a recognized public Certificate Authority. In the second case, you need to make sure the certificate installed on the site is the actual correct certificate you should be using. An easy mistake to make here is assuming that the URL https://www.mysite.com and https://mysite.com are equivalent. For most certificates, this is not correct. If the certificate was issued for one variation of this URL, you must use that variation and only that one throughout your site or else you will run into these types of warnings.

In some other circumstances, a certificate may actually use an Intermediate Certificate in establishing its verification path. If there is a problem with an installed Intermediate Certificate, then this same kind of warning would appear making it look like the problem was with your certificate and not being obvious the problem is actually with the Intermediate Certificate. This can occur if it is something as simple as the Intermediate Certificate expiring; the Intermediate Certificate being revoked or reissued by its originating Certificate Authority; or even if the Intermediate Certificate was accidentally deleted on the webserver. In any of these types of cases, the resolution is pretty straightforward. The proper Intermediate Certificate must be (re)installed on the webserver in order for the dependent certificate to not be subject to these warnings.

The only trick to this is determining the proper Intermediate Certificates which may need to be installed. The Certificate Authority you used to create your site certificate should be able to provide you with the proper Intermediate Certificates. However, here is a list of a few downloadable certificates for some popular Intermediate Certificate issuers.

GoDaddy
https://certs.godaddy.com/Repository.go
Scroll down and use the bundle of Intermediate Certificates.

Thawte
http://www.thawte.com/roots/index.html


Verisign
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
They have different Intermediate Certificates depending on the type of certificate installed on the site.


Starfield Technologies (used by multiple Certificate Issuers)
https://certs.starfieldtech.com/Repository.go
Scroll down and use the bundle of Intermediate Certificates.


Note: If any of the sources have multiple Intermediate Certificates and you are not sure which one(s) you need to install, it will not hurt anything at all to install all of them. An installed certificate consumes extremely little space and has no significant impact on system resources if it is not needed.

To install the Intermediate Certificates on the webserver, you need console level access to the server. Login to the server with administrative access and follow the steps below.
  1. Copy the certificate file(s) to your webserver. The filename of the certificate file is arbitrary, but would need to be extracted first if supplied in a ZIP or other compressed file or archive.
  2. Click the START menu and select RUN. Type in MMC and click OK. This will launch the Microsoft Management Console.
  3. In the MMC, click FILE menu and select ADD/REMOVE SNAP-IN.
  4. In the window, click the ADD button.
  5. In the list of snap-ins, scroll down and select CERTIFICATES and click the ADD button.
  6. You will be prompted for the account type. Select COMPUTER ACCOUNT and click the FINISH button.
  7. You will be prompted for the computer to manage. Select LOCAL COMPUTER and click the FINISH button.
  8. You will be returned to the list of snap-ins. Just click the CLOSE button.
  9. You will be returned to the Add/Remove window. Just click the OK button.
  10. You will now be shown the Certificates MMC snap-in which will display a tree of certificates in the left pane. Expand the CERTIFICATES node and you will see a list of additional nodes.
  11. RIGHT CLICK on the INTERMEDIATE CERTIFICATION AUTHORITIES node and from the pop-up menu select ALL TASKS / IMPORT.
  12. A certificate import wizard will display, and click NEXT button to get to the option that allows you to pick the file to import. Click BROWSE and locate the file(s) from #1. You may need to change the FILES OF TYPE option to ALL FILES depending on the extension of the filename on your certificate files. Pick the file and click OPEN and you will be returned to the wizard where you want to click NEXT.
  13. Here you will be given the option to choose where to place the imported certificate(s). The Certificate Store should default to INTERMEDIATE CERTIFICATION AUTHORITIES. If it does not, click the BROWSE button and select it from the list and click NEXT. You will be shown a summary of the options you just chose and when you are ready you can click the FINISH button. It should report the import as successful.
  14. Once your import is complete, you will need to force IIS to reload the updated certificate chains. You can either just restart the server, or for a quicker option, just stop and then restart the webserver service (“World Wide Web Publishing Service”). You can do that from the command line using the NET STOP and NET START commands or the Services applet in Control Panel.

FAQ Home  |  Search FAQ  |  Show New Items