iis – 证书不受信任,因为颁发者证书未知. | 错误代码：sec_error_unknown_issuerFirefox

网站希望将SSL证书从Network Solutions切换到Gandi.似乎所有东西都安装正确,只是在Firefox中引发了错误.在Chrome和IE上,没有错误被抛出.看来认证路径有问题.我尝试了一些东西并用Google搜索,但问题不会消失.任何提示将不胜感激.先感谢您！

尝试的步骤：

>按照http://wiki.gandi.net/en/ssl/intermediate(SHA2标准证书)的指示从Gandi获得Gandi中级证书
>将Gandi中间证书添加到服务器(MMC>证书>中级证书颁发机构>证书)
> USERTRust在https://ssl-tools.net/certificates/1y0ovx5-usertrust-rsa-certification-authority从SSL-Tools获得的RSA证书颁发机构证书
>将USERTrust RSA证书颁发机构证书添加到服务器(MMC>证书>受信任的根证书颁发机构>证书)
>每次安装后重新启动IIS.
>每次安装后清除本地浏览器缓存.

Firefox错误：

Technical Detailswww.somedomain.org uses an invalid security certificate.The certificate is not trusted because the issuer certificate is unknown.(Error code: sec_error_unknown_issuer)

Firefox 34证书Heirarchy：

Gandi Standard SSL CA 2 > somedomain.org

Chrome 40和Internet Explorer 11认证路径：

USERTRust > USERTrust RSA Certification Authority > Gandi Standard SSL CA 2 > somedomain.org

SSL实验室测试结果(https://www.ssllabs.com/ssltest/analyze.html)：

Additional Certificates (if supplied)Certificates provided   2 (2851 bytes)Chain issues    Incomplete#2Subject Gandi Standard SSL CA 2 Fingerprint: 247106a405b288a46e70a0262717162d0903e734Valid until Wed Sep 11 16:59:59 PDT 2024 (expires in 9 years and 8 months)Key RSA 2048 bits (e 65537)Issuer  USERTrust RSA Certification AuthoritySignature algorithm SHA384withRSACertification Paths1   Sent by server  somedomain.org Fingerprint: 0123456789012345678901234567890123456789 RSA 2048 bits (e 65537) / SHA256withRSA2   Sent by server  Gandi Standard SSL CA 2 Fingerprint: 247106a405b288a46e70a0262717162d0903e734 RSA 2048 bits (e 65537) / SHA384withRSA3   Extra download  USERTrust RSA Certification Authority Fingerprint: eab040689a0d805b5d6fd654fc168cff00b78be3 RSA 4096 bits (e 65537) / SHA384withRSA4   In trust store  AddTrust External CA Root   Self-signed Fingerprint: 02faf3e291435468607857694df5e45b68851868 RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate

SSL-Tools测试结果(https://ssl-tools.net/webservers/)：

Certificate chainsomedomain.org 1054 days remaining  2048 bit sha256WithRSAEncryption- Gandi Standard SSL CA 2- 3537 days remaining  2048 bit sha384WithRSAEncryption- Root certificate unknown-- USERTrust RSA Certification Authority

服务器：

> Windows Server 2008 R2
> IIS 7.5

“USERTrust RSA证书颁发机构”未被视为所有平台上的根CA.因此,最好的选择是将其用作中间CA,具有由“AddTrust External CA Root”签名的证书.

您可以在http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt检索此证书

您的证书的正确安装(大多数接受)是：

>根店

> AddTrust外部CA根

>中级商店

> USERTrust RSA认证机构(由AddTrust签署)
> Gandi标准SSL CA 2

>个人商店

> [您的服务器证书]

Windows Server 2008 R2管理自动受信任的证书,因此您的服务器可以进行下一个配置：

>根店

> AddTrust外部CA根
> USERTrust RSA认证机构(自签名)

>中级商店

> USERTrust RSA认证机构(由AddTrust签署)
> Gandi标准SSL CA 2

>个人商店

> [您的服务器证书]

当服务器发送证书时,它会选择到root的最短路径：

> [服务器]<甘地< USERTrust(自签名)
对于大多数平台而言,这是一个不完整的链.

如果这是您的问题,最好的解决方案是在根存储上找到“USERTrust RSACertification Authority”并将其属性编辑为“禁用此证书的所有用途”.

重新启动服务器后,Windows将始终生成所需的链：

> [服务器]<甘地< USERTrust< AddTrust