I'm in the process of transitioning our internal hardware (like switches and routers) from a wildcard certificate to one from our internal ABC.Local CA. Over the years, we've kept backups of the CA when servers have changed, and now everything should be up to date, but I'm hitting a wall with certificate trust issues.
After creating a new certificate template compatible with Server 2016 and Windows 10 clients, I generated a CSR from a switch and thought I was set. However, I'm receiving a warning in Firefox that states the certificate was signed with a non-secure signature algorithm, which turned out to be SHA1. I followed Microsoft's guide to upgrade to SHA256 and renewed the CA certificate.
Now, uploading the new certificate leads to Mozilla throwing an SEC_ERROR_UNKNOWN_ISSUER error. All the details look correct when I check the certificate, but I'm stuck. Is there any way to avoid manually adding the CA certificate to every browser on each machine?
5 Answers
Also, keep in mind that browsers cache certificates. So if you're testing different setups, make sure to fully close and restart them, or use incognito mode to avoid caching issues, which could lead to confusion while troubleshooting.
As for the browsers, Edge and Chrome usually trust system root CAs by default, so you might not have an issue there. Firefox, however, can be tricky. If you're getting errors in Edge as well, check if the CA is correctly installed in your system's certificate store.
I've already checked. Edge gives me the same error, saying the server's certificate isn't trusted, despite it appearing correct. It's really baffling!
You can actually manage this better with enterprise configuration profiles! Tools exist for deploying trusted CAs across your organization without needing to go to each individual machine. It might save you a lot of time in the long run!
I get what you're saying, but for now, I might just import it manually since only a few people will be using this equipment. It's frustrating that it isn't working as smoothly as I hoped!
One common issue is that the web server template doesn't include the SAN attribute anymore, which is required by browsers today. You might want to create a new template ensuring it has the SAN included with every request.
I did create it based on the web server template, and I see the SAN shows "DNS Name=SWITCH01". The certificate looks legit, so I'm unsure why I'm still encountering issues.
Ensure your CA is trusted on the client machines. If you're using AD, make sure you distribute the correct CA cert via GPO. Also, remember that the certificate's full chain needs to be uploaded to your switch, not just the signed certificate.
Yes, I did push the CA cert out to all machines using GPO, and it's showing up as trusted. However, I only uploaded the signed cert to the switch. Should I try uploading the full chain next?

I've tried restarting both Firefox and Edge, but nothing changed. Tried incognito mode too, no luck there. This is turning out to be quite a hassle!
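As an added example that is not part of this thread, the shell script below uses OpenSSL to reproduce the checks behind the "upload the full chain" answer and the SHA-1 warning: a constructed two-tier PKI named after the post (ABC.Local CA, switch SWITCH01), verified the way a client that trusts only the GPO-distributed root would see it. The intermediate CA, the temp directory and the key sizes are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root CA -> issuing CA -> SWITCH01
# certificate, all SHA-256, then the trust checks a browser would perform.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the demo PKI. Names follow the post; the issuing CA tier is an assumption.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ABC.Local Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ABC.Local Issuing CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/sub.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
  # Switch certificate with the SAN the post reports ("DNS Name=SWITCH01").
  printf 'subjectAltName=DNS:SWITCH01\n' >"$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=SWITCH01" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" \
    -CAkey "$WORK/sub.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain <leaf> <trusted root> <hostname> [intermediate]: prints OK or FAIL.
# The client trusts only the root; any intermediate must come from the switch itself,
# so a switch holding just its signed cert yields an unknown-issuer failure.
verify_chain() {
  if [ -n "$4" ]; then
    openssl verify -CAfile "$2" -untrusted "$4" -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# sig_alg <cert>: the signature algorithm Firefox flags when it is still SHA-1.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

make_pki
echo "signed cert only:  $(verify_chain "$WORK/leaf.pem" "$WORK/root.pem" SWITCH01)"
echo "cert + full chain: $(verify_chain "$WORK/leaf.pem" "$WORK/root.pem" SWITCH01 "$WORK/sub.pem")"
echo "wrong hostname:    $(verify_chain "$WORK/leaf.pem" "$WORK/root.pem" SWITCH02 "$WORK/sub.pem")"
echo "leaf signed with:  $(sig_alg "$WORK/leaf.pem")"
```

Against a live device, the same check is `openssl s_client -connect SWITCH01:443 -showcerts`, then `openssl verify` with the CA file the GPO distributes over the certificates the switch actually served.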