Wednesday, September 24, 2008

Error: sec_error_bad_signature with Firefox 3

Recently when most of our team upgraded their browsers to Firefox 3 we noticed then when we tried to visit on of our internal websites over a secure connection we would get presented with an error page saying "sec_error_bad_signature". Most of the existing comments on the web seem to be saying that they are seeing this error when visiting a site with an untrusted certificate. However in our case it was a correctly signed certificate obtained through the JANET Server Certificate Service.

The server is just a Ubuntu Linux server with a standard installation of Apache Tomcat 5.5 and another very similar setup was working correctly. But after close inspection it became clear that the server had a public key using the DSA algorithm but the machine that was working correctly was using the RSA algorithm. The certificate work was done with the Java keytool command and I think I probably didn't specify the -keyalg RSA argument. After recreating with RSA the certificate and installing it everything was working correctly. The screenshots are taken with Safari (which worked fine with DSA) and shows the two different certificates.


Anonymous said...


How did you come to know that it was a DSA key..any commands to list that particular info?

Thick Sliced said...

A alternative browser will tell you (eg safari) when you look at the subject public key algorithm, or if you have access to the keystore something like this will dump out the certificate details:

keytool -keystore -storepass changeit -export -alias -rfc | openssl x509 -text

and an DSA one will contain:
Subject Public Key Info:
Public Key Algorithm: dsaEncryption

or a RSA one will have:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

Anonymous said...

"-keyalg RSA" is THE key ;)
had the same problem and this was the argument not to forgot

George said...

I am having the same issue. Can someone baby step me on how to fix it. I have no experience using keytool and such. I have Red Hat Server 5.3