
Many browsers don't install the full set of root certificates when you install a browser. That can result in these errors.

When I try to visit a web site on the va.gov domain, I get a message that the security authority that issued the certificate (Cybertrust Public Issuing CA 1) is "unknown." I don't get that message when I use Firefox 14, although an update is pending on the same machine. I'm using Safari in the original case. Is Safari pickier than Firefox when it comes to certificates?

In this excerpt from Answercast #57, I look at the chain of certificates, how they can be used to verify a site, and how it may go wrong.

Security certificates

Pickier is probably the wrong word. This goes back to what are called "root certificates."

There is a set of root certificates from which all "trust" for all websites that use certificates is derived. So, for example, there might be a root certificate from (I don't know, I'll just choose...) VeriSign - and that root certificate might sign and cause another certificate to be trusted; and that certificate might be the one that actually causes the certificate used on a website like va.gov to be understood or to be valid.

Now, all the browser has to do is have installed in it the "root" certificate. In other words, the certificate at the top of that chain.

As long as that certificate is in place, and everything else kind of, sort of does the math properly, then you will end up with a trusted certificate at the bottom for va.gov.

Browsers don't have all certificates

The problem is that there are a lot of root certificates.

It depends a lot on which browser you're using, as you're seeing. Some of them have something like a couple hundred different root certificates that they trust implicitly. By trusting those root certificates, any website that those root certificates vouch for is in turn trusted by your browser.

200 is a lot, and they can encompass certificate-issuing authorities from all over the planet.

Many browsers simply don't install the full set when you install the browser:

  • Internet Explorer comes with a bunch that's basically part of Windows and Windows Certificate Management.

  • Firefox (I think, if you're running Windows) relies on its own set of certificates that it brings with it when you install it.

  • Chrome on Windows I think relies on Windows' own installed certificates.

  • On the Mac, with Safari, I'm actually not sure where the certificate set comes from: whether Safari is using its own set or relying on what's installed on the Mac.

Like I said, I know that Firefox brings its own set of root certificates with it - so it apparently has a larger set or at least includes a root certificate that encompasses the va.gov server.
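To make the chain-building described above concrete, here is an added example (not part of the original article) that models how a browser walks from a site's certificate up to a root in its own trust store. Names below are constructed stand-ins: "www.va.gov" and "Cybertrust Public Issuing CA 1" come from the question, the root above it is a hypothetical placeholder, and signature checking is deliberately left out so that only the name chaining and the trust store are modelled. It also goes one step beyond the text by showing the other common cause of the same error: the server not sending the intermediate certificate.

```python
"""Model of browser certificate chain building (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # a self-signed root has issuer == subject


def build_chain(leaf, intermediates, trust_store, max_depth=10):
    """Walk issuer links from the leaf upward until a trusted root is found.

    Returns (status, chain): status is 'trusted', 'unknown_issuer' (the error
    the browser shows) or 'too_long'. Signature math is not modelled here.
    """
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trust_store}
    chain, current = [leaf], leaf
    while len(chain) <= max_depth:
        if current.issuer in roots:          # reached something the browser trusts
            chain.append(roots[current.issuer])
            return "trusted", chain
        nxt = by_subject.get(current.issuer)
        # No cert in hand vouches for the issuer, or only an untrusted
        # self-signed one does, or we are looping: report it as unknown.
        if nxt is None or nxt.subject == nxt.issuer or nxt in chain:
            return "unknown_issuer", chain
        chain.append(nxt)
        current = nxt
    return "too_long", chain


# Constructed certificates (the root name is a hypothetical placeholder).
LEAF = Cert("www.va.gov", "Cybertrust Public Issuing CA 1")
ISSUING_CA = Cert("Cybertrust Public Issuing CA 1", "Hypothetical Root CA")
ROOT = Cert("Hypothetical Root CA", "Hypothetical Root CA")
OTHER_ROOT = Cert("Some Other Root", "Some Other Root")

# Two browsers with different bundles: one has the needed root, one does not.
FIREFOX_LIKE_STORE = [OTHER_ROOT, ROOT]
SAFARI_LIKE_STORE = [OTHER_ROOT]


def verify(store, sent_by_server=(ISSUING_CA,)):
    """Simulate one browser validating the site's certificate."""
    status, chain = build_chain(LEAF, list(sent_by_server), store)
    return status, [c.subject for c in chain]


if __name__ == "__main__":
    print("Firefox-like:", verify(FIREFOX_LIKE_STORE))
    print("Safari-like: ", verify(SAFARI_LIKE_STORE))
    print("No intermediate sent:", verify(FIREFOX_LIKE_STORE, sent_by_server=()))
```

The third call shows that even a browser holding the right root reports an unknown issuer if the server omits the intermediate, which is why a site operator should check what their server actually sends.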

How to solve this?

Just use Firefox!

To be honest, in your shoes, I would use Firefox. I would just sidestep the issue completely and continue to use Firefox to access that site.

I think you mentioned that you did send feedback to the va.gov site, which is good because they probably should know about this. But ultimately, they may or may not be willing or able to do anything about it.

It's unclear whether they should be using a different signing authority or whether Safari should be including an appropriate root certificate, so that this certificate is valid. There's simply no way to argue that one. It could go either way.

So from a very practical standpoint, I would strongly suggest that you simply continue to use Firefox for this kind of thing when you're visiting that site and hope that eventually va.gov and Safari kind of, sort of duke it out.

This isn't the first time I've heard of issues like this with respect to Safari, so it doesn't really surprise me. It's just one of those things that is a sad and unfortunate reflection of what is a fairly messy system that allows certificates to be issued for websites.

Article C5867 - September 30, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.
