Cài đặt VeriSign Intermediate CA cho IIS 6.0
Lỗi sau thường xuất hiện trên Firefox (IE thì không phát hiện ra lỗi này): "The security certificate was issued by a company you have not chosen to trust" or "Website Certified by an Unknown Authority" sau khi cài đặt chứng chỉ số EV SSL certificate trên IIS 5.0 hoặc 6.0.
Problem
When attempting to connect to a secure site using Firefox, the browser may display the following error(s):
The security certificate was issued by a company you have not chosen to trust
Unable to verify the identity of your domain.com as trusted site
Website Certified by an Unknown Authority
The security certificate presented by this website is not issued by a trusted certificate authority
Cause
This error occurs when the EV Primary and/or Secondary Intermediate CA certificates are not installed on the server. When both EV Intermediate CA's are installed properly on the server, they will be presented to the client connecting and used during the secure session, and therefore no action is required on the client side.
Resolution
To resolve this problem, ensure both Intermediate CA's are installed on the server.
Step 1: Download the EV Intermediate CA certificate
Download the Secure Site with EV or the Secure Site Pro with EV intermediate certificates at:
http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html (Secure Site with EV)
http://www.verisign.com/support/verisign-intermediate-ca/extended-validation-pro/index.html (secure Site Pro with EV)
Step 2: Import the EV intermediate certificates using Microsoft Management Console (MMC)
Import the EV Intermediate CA Certificates (Primary EV SSL Intermediate CA Certificate and Secondary EV SSL Intermediate CA Certificate) using the Microsoft Management Console (MMC)
1. Open the Microsoft Management Console (MMC) > Go to Start > Run > enter MMC > select OK
2. Select File or Console > select Add/Remove Snap-In
3. From the list, select Certificates > select Add > select Computer Account and Local Computer > select OK
4. From the left window, select Intermediate Certification Authorities> right-click Certificates > select All Tasks > Import. This will open the Certificate Import Wizard.
5. Click Next
6. Browse to the location of the intermediate certificate > select Next
7. Select Place the certificate in the following store: Intermediate Certification Authorities
8. Click Finish
Step 3: Delete the VeriSign Class 3 Public Primary Certification Authority - G5 Root CA certificate
1. From the left window, double-click Trusted Root Certification Authorities
2. From the right window, double-click Certificates
3. Click on the certificate labeled VeriSign Class 3 Public Primary Certification Authority - G5 with the expiration date 07/16/2036
4. Right-click the certificate > select Delete
5. Restart the service for the corresponding site
Step 4: Turn off Auto update to ensure that
the Verisign Class 3 Public Primary Certification Authority - G5 Root
CA Certificate is not re-installed on the server
1. Go to Start > Settings > Control Panel
2. Click Add Remove Programs
3. Click Add Remove Windows Components
4. Uncheck the check box for Update Root Certificates
Note: This is a server side solution only. This will affect future Root CA updates but does not affect HOT Fixes or Service Packs.