Problem
Via Firefox, the browser displays the following errors(s) when you attempt to connect to a secure site:
"The security certificate was issued by a company you have not chosen to trust"
"Unable to verify the identity of your domain.com as trusted site"
"Website Certified by an Unknown Authority"
"The security certificate presented by this website is not issued by a trusted certificate authority"
Cause
EV Primary and/or Secondary Intermediate CA certificates are not installed on the server. When both EV Intermediate CA's are installed properly on the server, they will be presented to the client connecting and used during the secure session, and therefore no action is required on the client side.
Resolution
Make sure both Intermediate CA's certificate are installed on the server.
Step 1: Download the EV Intermediate CA certificate
Download the /ROOTS|EV Intermediate CA certificate you need.
Step 2: Import the EV intermediate certificates Use Microsoft Management Console (MMC)
Import the EV Intermediate CA Certificates (Primary EV SSL Intermediate CA Certificate and Secondary EV SSL Intermediate CA Certificate) using the Microsoft Management Console (MMC).
1. Open the Microsoft Management Console (MMC), click Start then Run, enter MMC and click OK
2. Select File or Console, choose Add/Remove Snap-In
3. From the Add/Remove Snap-In window select the Add button
4. From the list, select Certificates then Add, Computer Account and Local Computer and click OK
5. From the left window, select Intermediate Certification Authorities, right-click Certificates then select All Tasks and Import. This will open the Certificate Import Wizard.
6. Click Next
7. Browse to the location of the intermediate certificate > select Next
8. Select Place the certificate in the following store: Intermediate Certification Authorities
9. Click Finish.
For steps 3 and 4 we will use a VeriSign certificate example
Step 3: Delete the problematic certificate
1. From the left window, you must double-click Trusted Root Certification Authorities
2. From the right window, double-click Certificates
3. Click on the certificate VeriSign Class 3 Public Primary Certification Authority-G5 with the expiration date 07/16/2036.
4. Right-click the certificate and Delete.
5. Restart the service for the corresponding site
Step 4: Turn off Auto update to ensure that the VeriSign Class 3 Public Primary Certification Authority - G5 Root CA Certificate is not re-installed on the server. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To turn off Automatic Root Certificates Update:
1. Click Start and Run.
2. Type gpedit.msc, select OK.
3. If the User Account Control dialog box appears, confirm that the displayed action is the one you want, click Continue.
4. Double-click Administrative Templates, then System, Internet Communication Management, and click Internet Communication settings.
5. Double-click Turn off Automatic Root Certificates Update, click Enabled and OK.
6. Close the Local Group Policy Editor.