We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"

  • 3 replies
  • 17 have this problem
  • 1 view
  • Last reply by khetheri

more options

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)

ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)

ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm

Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature"

I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA) ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm) ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature" I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Chosen solution

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.

Read this answer in context 👍 5

All Replies (3)

more options

HI khetheri,

In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.

There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.

# In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear. 
  1. Click I'll be careful, I promise!, to continue to the about:config page.
  2. Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.

Looking forward to your reply!

more options

rmcguigan,

Thanks for the suggestion. I had actuially already tried this. I neglected to say so in the write-up. However, the result was the same.

Regards, Khetheri

more options

Chosen Solution

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.