greetings from Germany! On Friday and Today i created a new Certificate, but my System told me that the Certificate issuer is unknown.
I compared it with a previous Certificated, the new one is issued from “COMODO SHA-256 Client Authentication and Secure Email CA” and the old one from “COMODO RSA Client Authentication and Secure Email CA”. Unfortunately the SHA-256 Certification Chain isn’t known by any of mine tested Operating Systems… (Mac OS X Yosemite, Win 8.1, Win 10 Technical Preview, openSuSE)
I just found the CA for manual install, but that shouldn’t fix the Problem, because mail recipients won’t have this CA.
It may be because Comodo are upgrading their root CA and intermediate certificates from SHA1 to SHA256 hashes and your browser did not ship with the intermediate certificate already in place. Mozilla Firefox in particular is not happy skipping intermediate certificates which so far it was not shipped with, like “COMODO SHA-256 Client Authentication and Secure Email CA”.
The solution to this problem is to import the intermediate certificate manually. To download it look into the extensions of the certificate you downloaded. You will see:
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crt
Then fetch this and import it in your browser. This intermediate certificate is signed by the “AddTrust External CA Root” which is already provided in the Trusted Root CA of all modern browsers, so it should be recognised without any intervention once loaded.
It may be that the format of this certificate (DER) is not importable by the browser, which expects a PEM or PKCS12 format. In this case you will need to use openssl to convert it into a format ingestible by the browser in question. Ask if you need specifics with the openssl syntax for the conversion.