One of the most frustrating situations we can have when using web browsers is the errors that suddenly appear. While Chrome and Opera tend to operate on the same plane, Safari, Firefox and Firefox are not the same. Microsoft Edge do their thing. For example, consider the error code SEC_ERROR_UNKNOWN_ISSUER in Firefox.
El error code SEC_ERROR_UNKNOWN_ISSUER It also appears as “NET: ERR_CERT_AUTHORITY_INVALID” in Chrome and “DLG_FLAGS_INVALID_CA” in Edge.
What's more complicated is that this message can mean two things for Firefox and Edge users, while Chrome has dedicated error messages for each of the two variations.
We'll get into that in just a second.
What does SEC_ERROR_UNKNOWN_ISSUER error mean?
The SEC_ERROR_UNKNOWN_ISSUER error code is intended to inform users that a website is attempting to use an SSL certificate issued by an untrusted entity.
The way public key infrastructure (PKI) works, and for it to work properly, only trusted certificate authorities (CAs) can issue trusted certificates.
There is a very strict set of guidelines that CAs follow to ensure that they are both performing their due diligence regarding validation and that they are acting in good faith when issuing certificates.
Mistakes are dealt with harshly, so there is plenty of incentive to do things right.
If you receive the SEC_ERROR_UNKNOWN_ISSUER message, it means that browsers do NOT trust the person who issued your certificate.
What does the error code SEC_ERROR_UNKNOWN_ISSUER mean in Firefox?
Now here's where it gets confusing. The SEC_ERROR_UNKNOWN_ISSUER error code in Firefox refers to one of two possible scenarios:
- The certificate was issued by an untrusted CA; or
- Somehow the issuing CA root was removed from the root store.
It's almost always the former. Specifically, it's usually a Symantec Legacy certificate that's the culprit.
Symantec was completely distrusted last fall. All remaining digital certificates were to be reissued by DigiCert, which took over Symantec's CA operations following its acquisition.
Otherwise, browsers would distrust them as well.
Firefox uses the SEC_ERROR_UNKNOWN_ISSUER warning to refer to any issue from an untrusted CA.
Other browsers, such as Chrome, have specific messages for Symantec Legacy and other untrusted CA issues.
But to make matters even more confusing, the CERT_AUTHORITY_INVALID error message that Chrome gives to untrusted CAs (not named Symantec) is the same one it uses for errors of self-signed certificates, while Firefox has a dedicated error message for self-signed ones.
Are you still feeling confused?
Just remember that we're focusing on Firefox right now, so when you see the SEC_ERROR_UNKNOWN_ISSUER error, it's safe to assume that the certificate isn't trusted because of who issued it.
Fix SEC_ERROR_UNKNOWN_ISSUER error for web users
Unfortunately, most of the time, the most you can do when you see the SEC_ERROR_UNKNOWN_ISSUER pop-up message is to notify the site owner. DO NOT click through the warning.
It's a bad habit and rewards poor security. Instead, notify the site owner and if it's not fixed quickly, they may consider taking their business elsewhere.
The other possibility, and this one is much more remote unless you've been messing with your configuration, is that the relevant root CA certificate was removed from your root store.
If this is the case, simply delete your settings and then delete and reinstall Firefox. That's the quickest way to fix the problem.
We know this isn't the SEC_ERROR_UNKNOWN_ISSUER error code fix you were necessarily hoping for. However, remember that if you still get an error afterwards, it's them, not you.
How can I fix this error code as a site owner?
Regardless of whether you're getting this error because of a legacy Symantec certificate or simply because Firefox doesn't trust your certificate's CA, you really only have one option: you need to get another certificate.
There are dozens of trusted CAs at various prices that can issue a universally trusted SSL certificate. If you use ACME, switching only takes a few clicks.
Otherwise, you'll need a few minutes of manual intervention. Regardless, the problem is with the CA that issued the certificate. It's time to find a new one.
If you still can't figure it out, follow these steps to quickly resolve the SEC_ERROR_UNKNOWN_ISSUER error:
- open firefox
- Press the menu button at the top right that looks like three bars one below the other
- Go to Options, then Privacy and Security – press View certificates
- Go to Authorities – delete any Bitdefender entries in the list
- Press Import – navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache – select fake-ca.crt and press Open
- Check all the boxes that are requested – press Next until the certificate is installed
- Restart Firefox. You may also need to restart your computer.
Import the signing certificate
If you import the program's signing certificate into Firefox's certificate store, all of its fake certificates will be trusted and you can fix the SEC_ERROR_UNKNOWN_ISSUER error.
(A) If you don't have a certificate file ready to import yet, you can export it from IE or Chrome.
- This may appear in the IE Certificates dialog OR it may appear when you view the certificate details on any secure page you load in IE/Chrome
- The Export or Copy to File button launches the Export Wizard. Use the DER format and save it to a convenient location
(B) When you have finished with all the exports required to complete the chain in the Certification Path, you can import the certificates into the Firefox Authorities tab:
- Windows: “3-bar” menu button (or Tools menu) > Options
- Mac: “3-bar” menu button (or Firefox menu) > Preferences
- Linux: “3-bar” menu button (or Edit menu) > Preferences
- Any system: type or paste about: preferences in the address bar and press Enter/Return to load it
- In the search box at the top of the page, type cert and Firefox should filter the list.
- Click “View Certificates” to open the Certificate Manager and click the “Authorities” tab.
- You can then use the “Import” button to import the security software certificate.
When asked, I suggest allowing the certificate only for websites unless your IT department suggests otherwise.
It's a bit of a pain, but the advantage of that approach is that you're making minimal security compromises.
We hope that with these tips you can fix this error code and use your browser normally.
If you know of any other method to fix this error, feel free to share it with us in the comments section below.
Don't forget that we have a lot of useful information for you on our portal. See you in our next post.
My name is Javier Chirinos and I am passionate about technology. Ever since I can remember, I have been interested in computers and video games, and that passion has turned into a job.
I have been publishing about technology and gadgets on the Internet for over 15 years, especially in mundobytes.com
I am also an expert in online marketing and communication and have knowledge in WordPress development.