The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer) Firefox

'USERTrust RSA Certification Authority' is not recognized as a root CA on all platforms. So, the best option is to use it as an intermediate CA, with a certificate signed by 'AddTrust External CA Root'.

You can retrieve this certificate at http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt

Proper installation (most accepted) of your certificate is:

  • Root store
    • AddTrust External CA Root
  • Intermediate store
    • USERTrust RSA Certification Authority (signed by AddTrust)
    • Gandi Standard SSL CA 2
  • Personal store
    • [your server certificate]

Windows Server 2008 R2 automatically manages trusted certificates, so your server could end up with the following configuration:

  • Root store
    • AddTrust External CA Root
    • USERTrust RSA Certification Authority (self-signed)
  • Intermediate store
    • USERTrust RSA Certification Authority (signed by AddTrust)
    • Gandi Standard SSL CA 2
  • Personal store
    • [your server certificate]

When the server sends the certificate, it chooses the shortest path to the root:

  • [server] < Gandi < USERTrust (self-signed)

And that is an incomplete chain for most platforms.

If this is your problem, the best solution is to locate the 'USERTrust RSA Certification Authority' in the Root store and edit its Properties to 'Disable all purposes for this certificate'.

After you restart the server, Windows will always generate the desired chain:

  • [server] < Gandi < USERTrust < AddTrust
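
To check which of the two situations above a server is in, the following PowerShell lists every copy of the USERTrust certificate in the machine Root and Intermediate stores and prints the chain Windows builds for the server certificate. This is an added example, not part of the original answer; `$thumbprint` is a placeholder you must replace, and it assumes the chain built locally by `X509Chain` reflects the one the server sends.

```powershell
# Run in an elevated PowerShell session on the server (works on PowerShell 2.0).
$thumbprint = '<SERVER-CERT-THUMBPRINT>'   # placeholder: thumbprint of your server certificate
$caName     = 'USERTrust RSA Certification Authority'
$simple     = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# 1. Every copy of the USERTrust certificate in the Root and Intermediate (CA) stores.
#    A self-signed copy in Root is what produces the short chain.
$found = foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $caName } |
        Select-Object @{n = 'Store';      e = { $store }},
                      @{n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer }},
                      @{n = 'IssuedBy';   e = { $_.GetNameInfo($simple, $true) }},
                      Thumbprint, NotAfter
}
$found | Format-Table -AutoSize

# 2. The chain Windows builds for the server certificate, using the machine stores.
$cert  = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

# ChainElements runs from the server certificate up to the root.
$path = @($chain.ChainElements |
    ForEach-Object { $_.Certificate.GetNameInfo($simple, $false) })
'Chain built on this server: ' + ($path -join ' < ')

# 3. Flag the short chain that ends at the self-signed USERTrust root.
if ($path[-1] -eq $caName) {
    Write-Warning "Chain ends at '$caName' (self-signed); clients that only trust AddTrust will report an unknown issuer."
}
```

Run it again after changing the certificate's purposes and restarting the server: the printed chain should then end at 'AddTrust External CA Root'.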