SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION — cert carries an X.509 extension marked critical=TRUE, but Firefox does not recognise the OID. Per RFC 5280, a client MUST reject certs with unknown critical extensions. Fix: reissue cert without exotic extensions, or drop the critical flag.
Below: causes, fixes, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
critical = FALSEopenssl x509 -in cert.pem -text | grep -A1 "critical" — list critical onesThe SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error in Firefox indicates that the browser encountered a certificate with an unsupported critical extension. To resolve this, ensure that your server's SSL/TLS certificate is correctly configured without unsupported extensions. You can use tools like OpenSSL to inspect your certificate and verify compliance with standards such as RFC 5280.
The SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error arises when Firefox encounters a certificate that includes a critical extension that it does not recognize or support. This can often happen due to misconfigurations in the SSL/TLS certificate or when using non-standard extensions that are not widely accepted. Understanding the nature of these extensions is crucial for debugging and resolving the issue.
Critical extensions in SSL/TLS certificates are defined in RFC 5280 and play a vital role in the validation and interoperability of certificates across different systems. If an extension is marked as critical, the certificate must be processed correctly; otherwise, the browser will reject the certificate altogether, leading to this error.
Common causes of this error include:
To troubleshoot this error effectively, you can utilize the following steps:
openssl x509 -in your_cert.pem -text -nooutAnalyze the output for critical extensions and ensure compliance with standard practices.
By understanding these factors, you can take the necessary steps to rectify the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error in Firefox.
To resolve the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error effectively, follow these practical steps to ensure your SSL/TLS certificate is correctly configured:
Begin by examining your SSL/TLS certificate using OpenSSL. This tool provides detailed information about the extensions included in your certificate. Use the following command:
openssl x509 -in your_cert.pem -text -nooutLook for the section labeled Extensions. Identify any critical extensions that may not be supported by Firefox.
If you identify unsupported critical extensions, you may need to regenerate your certificate without these extensions. Consult your certificate authority (CA) or use a tool like Let's Encrypt to create a compliant certificate:
certbot certonly --standalone -d yourdomain.comThis command generates a new certificate without unsupported extensions.
Once you have regenerated your certificate, test it using an SSL checker tool to ensure that it does not contain any unsupported extensions. Websites like SSL Labs provide comprehensive reports on your SSL configuration:
After ensuring your certificate is compliant, update the configuration of your web server to use the new certificate. For example, on an Apache server, modify your httpd.conf or ssl.conf file:
SSLCertificateFile /path/to/your_new_cert.pem
SSLCertificateKeyFile /path/to/your_private_key.pem
SSLCertificateChainFile /path/to/your_chain.pemApply the changes by restarting your web server:
sudo systemctl restart apache2or
sudo systemctl restart nginxAfter completing these steps, revisit your website using Firefox to confirm that the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error is resolved. Additionally, keep your SSL/TLS certificates up-to-date and monitor for any changes in standards that may affect your configuration.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeRFC 5280: if the extension is critical, the client must process it. Otherwise reject the cert (for safety).
Chrome is more lenient with unknown extensions (if non-critical). Critical — reject too.
BasicConstraints, KeyUsage, NameConstraints. Custom Policy extensions are often non-critical.
https://crt.sh for public cert, or the dumpasn1 utility for binary parsing.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.