Verisign Certificate issues with Firefox

07Dec10

We recently had to renew a Verisign certificate for one of our domains.
We installed the renewed certificate and restarted Apache (we are running Apache on RHEL  5). Initially everything looked ok but we then found that Firefox was complaining that it could not validate the certificate although IE, Safari and Chrome did not complain. We also started seeing errors in our Weblogic logs for select applications running under that domain name -

java.io.IOException: weblogic.security.AuthenticationException: Incorrect block length 256 (modulus length 128) possibly incorrect SSLServerCertificateChainFileName set for this server certificate.

We called Verisign Support and they pointed us to the following bulletin

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657&actp=search&viewlocale=en_US

Apparently to use certificates issued by them after October 2010 requires new intermmediate  CAs. The article gives a link to download the required CA Bundle (Primary Intermediate CA and a Secondary Intermediate CA). Instead of supplying a file the page contains the text that has to be copied and pasted to create the certificate file. On Windows 7 using IE9 Beta and on XP using IE 8 we had issues copying and pasting the text; It would paste and look correct in Notepad but Apache would reject the file. In the end I tried using Google Chrome and Notepad on Windows 7 and it finally worked.

In case you run into the same problem, here is a link to Verisign2010.doc for you to use as your SSLCertificateChainFile  in Apache. Save it as verisign.2010.cer – don not open in MS Word (I had to use the .doc extension to be able to upload it to wordpress).

 

http://magictrevor.files.wordpress.com/2010/12/verisign2010.doc

Filed under: Linux, Software General, WebLogic   |  Leave a Comment
Tags: verisign CA error