Skip to content

SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION

Key idea:

SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION — cert carries an X.509 extension marked critical=TRUE, but Firefox does not recognise the OID. Per RFC 5280, a client MUST reject certs with unknown critical extensions. Fix: reissue cert without exotic extensions, or drop the critical flag.

Below: causes, fixes, FAQ.

Check your site's SSL →

Common Causes

  • Private CA issued cert with custom OID critical=TRUE
  • Old enterprise CA with legacy extensions (ISO, country-specific)
  • Smart-card / qualified cert extensions in wrong context
  • Misconfigured OpenSSL config (openssl.cnf with exotic extensions)
  • EV cert with a policy extension missing from Firefox trust

Step-by-Step Fix

  1. Reissue via a mainstream CA (Let's Encrypt, Sectigo)
  2. In OpenSSL config: drop custom extensions or critical = FALSE
  3. openssl x509 -in cert.pem -text | grep -A1 "critical" — list critical ones
  4. If enterprise: pin cert via NSS trust manually
  5. Enterno SSL — shows full cert extensions

Check SSL Certificate →

Related SSL Errors

TL;DR: Fixing SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION in Firefox

The SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error in Firefox indicates that the browser encountered a certificate with an unsupported critical extension. To resolve this, ensure that your server's SSL/TLS certificate is correctly configured without unsupported extensions. You can use tools like OpenSSL to inspect your certificate and verify compliance with standards such as RFC 5280.

Understanding SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION

The SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error arises when Firefox encounters a certificate that includes a critical extension that it does not recognize or support. This can often happen due to misconfigurations in the SSL/TLS certificate or when using non-standard extensions that are not widely accepted. Understanding the nature of these extensions is crucial for debugging and resolving the issue.

Critical extensions in SSL/TLS certificates are defined in RFC 5280 and play a vital role in the validation and interoperability of certificates across different systems. If an extension is marked as critical, the certificate must be processed correctly; otherwise, the browser will reject the certificate altogether, leading to this error.

Common causes of this error include:

  • Custom Extensions: Use of non-standard or proprietary extensions that are not recognized by Firefox.
  • Expired Extensions: Extensions that may have been deprecated or are no longer supported by the certificate authorities.
  • Misconfigured Certificate: Issues with how the certificate was generated or signed, leading to improper inclusion of extensions.

To troubleshoot this error effectively, you can utilize the following steps:

  1. Check the certificate chain for any unsupported critical extensions.
  2. Utilize tools like OpenSSL to inspect the certificate:
openssl x509 -in your_cert.pem -text -noout

Analyze the output for critical extensions and ensure compliance with standard practices.

By understanding these factors, you can take the necessary steps to rectify the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error in Firefox.

Resolving SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: Practical Steps

To resolve the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error effectively, follow these practical steps to ensure your SSL/TLS certificate is correctly configured:

Step 1: Review Your Certificate

Begin by examining your SSL/TLS certificate using OpenSSL. This tool provides detailed information about the extensions included in your certificate. Use the following command:

openssl x509 -in your_cert.pem -text -noout

Look for the section labeled Extensions. Identify any critical extensions that may not be supported by Firefox.

Step 2: Modify Certificate Configuration

If you identify unsupported critical extensions, you may need to regenerate your certificate without these extensions. Consult your certificate authority (CA) or use a tool like Let's Encrypt to create a compliant certificate:

certbot certonly --standalone -d yourdomain.com

This command generates a new certificate without unsupported extensions.

Step 3: Test the New Certificate

Once you have regenerated your certificate, test it using an SSL checker tool to ensure that it does not contain any unsupported extensions. Websites like SSL Labs provide comprehensive reports on your SSL configuration:

Step 4: Update Your Web Server Configuration

After ensuring your certificate is compliant, update the configuration of your web server to use the new certificate. For example, on an Apache server, modify your httpd.conf or ssl.conf file:

SSLCertificateFile /path/to/your_new_cert.pem
SSLCertificateKeyFile /path/to/your_private_key.pem
SSLCertificateChainFile /path/to/your_chain.pem

Step 5: Restart Your Web Server

Apply the changes by restarting your web server:

sudo systemctl restart apache2

or

sudo systemctl restart nginx

Final Verification

After completing these steps, revisit your website using Firefox to confirm that the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error is resolved. Additionally, keep your SSL/TLS certificates up-to-date and monitor for any changes in standards that may affect your configuration.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

What does critical mean?

RFC 5280: if the extension is critical, the client must process it. Otherwise reject the cert (for safety).

Is Chrome strict?

Chrome is more lenient with unknown extensions (if non-critical). Critical — reject too.

Which extensions are usually critical?

BasicConstraints, KeyUsage, NameConstraints. Custom Policy extensions are often non-critical.

Debug cert?

https://crt.sh for public cert, or the dumpasn1 utility for binary parsing.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.