Closed Bug 100426 Opened 23 years ago Closed 23 years ago

certificate works in IE but not Mozilla

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch

Tracking

(Not tracked)

VERIFIED FIXED
Future

People

(Reporter: julien.pierre, Assigned: ssaux)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.4) Gecko/20010915 Netscape6/6.2
BuildID: 2001091503

I was wondering about a cert at https://www.umbrellabank.com/reorder_checks.htm . Mozilla, Communicator, and Netscape 6 all give a warning about the issuer. When looking at the cert properties it shows the issuer cert has no CN and no OU; only an O. However if you click on the "details" tab to the right in Netscape 6, then click on "issuer" in the certificate fields, it then shows the OU as Verisign ... Something is wrong either with the cert or the browser. FYI, IE accepts the cert without any problem.

Reproducible: Always

Steps to Reproduce:
1. go to https://www.umbrellabank.com/reorder_checks.htm
2. accept after getting the security warning
3. do edit/page info
4. click on security tab
5. click on view button
6. look at CN and OU under "issued by". It says "not part of certificate"
7. click on details tab
8. in the lower window, click on issuer
9. look at field values: there are 3 OUs there.

Actual Results: Got security pop-up dialog about the issuer of the server cert.

Expected Results: Possibly should not have popped up error since other browser (IE) works; need to examine cert to make determination for sure.
->PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → 2.1
Priority: -- → P3
Target Milestone: --- → Future
I've found exactly the same problem. For other example sites that exhibit this behaviour, see https://www.accucard.com or https://www.easymoneycreditcard.com. Both sites work fine with IE5. Mozilla claims the Issuer OU is not part of the certificate, yet openssl x509 shows otherwise. This is with all versions I've tried up to and including 0.9.5.
Stéphane, could this be related to not storing intermediate CA certs?
It's related to intermediate certs. The server isn't configured correctly, in that it needs to have the Verisign Trust Network CA installed as a trusted CA. Then the server will send the intermediate cert to the client. The client will then be ok. Note that a "fresh" install of IE visiting this site would suffer the same problem. IE stores intermediate CAs permanently in its db when it first encounters them; we don't. Thus IE will be ok with a misconfigured server as soon as it has encountered one server that is configured correctly. Netscape should validate the chain correctly after visiting one site that is configured correctly in the current session, but this has to be repeated for every session.
Here's how to verify my previous statement: start the browser and go to https://onsite.verisign.com. This is the site for that CA; it uses an SSL cert that is signed by it, and the server is configured correctly. You can verify this by clicking on the lock icon. The general tab of the view certificate dialog will show the entire chain. Now go to https://www.easymoneycreditcard.com; you won't get the unrecognized CA. That's because we've stored the trust network CA cert in our temp db when we went to onsite.verisign.com.
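The behaviour described in the two comments above, reproduced as an added example (not code from this bug or from PSM/NSS): a Go model of a client that trusts one root and keeps a per-session cache of intermediate CA certs. All certificates are constructed test certs, one leaf stands in for any site cert issued by the intermediate, and `issue`, `visit` and `scenario` are names made up for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test cert for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a failure here surfaces in CreateCertificate
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key
}

// visit models one handshake: CA certs the server sent join the session cache, then a path to a root is built.
func visit(c x509.VerifyOptions, leaf *x509.Certificate, sent ...*x509.Certificate) error {
	for _, ic := range sent {
		c.Intermediates.AddCert(ic) // the pool is shared by pointer, so it persists across visits
	}
	_, err := leaf.Verify(c)
	return err
}

// scenario returns results for: leaf-only server (fresh client), full-chain server, leaf-only again, leaf-only after restart.
func scenario() []error {
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("site.example", 3, false, inter, interKey)
	c := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	c.Roots.AddCert(root)
	r := []error{visit(c, leaf), visit(c, leaf, inter), visit(c, leaf)} // calls run left to right
	c.Intermediates = x509.NewCertPool() // new session: the temporary cache is gone
	return append(r, visit(c, leaf))
}

func main() { fmt.Println(scenario()) }
```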
The bank informed me today that they corrected their server certificate to add the cert chain, and indeed the error no longer pops up. Marking resolved fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified fixed.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard