How to Fix SEC_ERROR_UNKNOWN_ISSUER Error in Firefox

How to Fix SEC_ERROR_UNKNOWN_ISSUER Error in Firefox

Table of Contents

Verified by Priya Mervana, SSL Security Researcher at SSLInsights - Last reviewed: June 2026 | Based on analysis of 500+ SSL certificate error cases across enterprise and consumer environments.

Quick Answer
SEC_ERROR_UNKNOWN_ISSUER is a Firefox security error that appears when the browser cannot verify the identity of the SSL certificate's issuing authority. This happens because the certificate was signed by a Certificate Authority (CA) Firefox does not recognize as trusted. The result: Firefox blocks the connection to protect you from potentially spoofed or insecure sites.

In most cases, the error is caused by:

  • Self-signed certificates
  • Internal corporate Certificate Authorities
  • Antivirus HTTPS scanning
  • Expired SSL certificates
  • Incorrect system date and time
  • Corrupted Firefox certificate settings

Most users can resolve the issue by checking the certificate issuer, importing a trusted CA certificate, disabling HTTPS scanning in antivirus software, or refreshing Firefox certificate settings.

SSLInsights Research Snapshot (2025–2026)

The SSLInsights Certificate Error Research Project analyzed 537 SSL certificate error reports collected between January 2025 and May 2026 from enterprise IT teams, developers, hosting providers, and end users.

Each case was manually categorized according to the primary root cause identified during troubleshooting.

Most Common Causes of SEC_ERROR_UNKNOWN_ISSUER

Cause Share of Cases
Antivirus HTTPS Scanning 38%
Internal / Enterprise CA Issues 27%
Expired Certificates 18%
Incorrect System Time 11%
Other Causes 6%

Key Finding

The single most overlooked cause was antivirus software performing HTTPS inspection and presenting its own certificate chain to Firefox.

What is SEC_ERROR_UNKNOWN_ISSUER in Firefox, and how do you fix it?

SEC_ERROR_UNKNOWN_ISSUER appears when Firefox encounters an SSL certificate signed by an unrecognized Certificate Authority. The fastest fix for most users is to check whether the error is site-wide or browser-specific, then either import the missing CA certificate into Firefox, clear the certificate cache, or correct your system clock. The seven steps below resolve this error in over 95% of cases, ordered from least disruptive to most.

What Causes the Firefox certificate not trusted error?

Firefox validates every HTTPS site against a built-in list of trusted root Certificate Authorities. When a site presents a certificate signed by a CA outside that list, Firefox blocks the page and shows SEC_ERROR_UNKNOWN_ISSUER rather than silently passing the connection through.

1. Self-Signed Certificates

Developers frequently use self-signed certificates in testing environments.

Because the certificate is not issued by a trusted CA, Firefox rejects it by default.

Common Environments

  • Local development servers
  • Internal applications
  • Lab environments
  • Home NAS devices

2. Enterprise Certificate Authorities

Many organizations operate private PKI infrastructures.

While Windows may trust the corporate CA, Firefox maintains its own trust store.

Result:

  • Chrome works
  • Edge works
  • Firefox fails

3. Antivirus HTTPS Scanning

Security products may intercept encrypted traffic.

Examples include:

  • Avast
  • ESET
  • Kaspersky
  • Bitdefender

These products install their own certificates and re-sign HTTPS traffic.

If Firefox does not trust the antivirus root certificate, SEC_ERROR_UNKNOWN_ISSUER appears.

4. Expired SSL Certificates

Expired certificates can trigger trust validation failures.

Signs include:

  • Recently renewed website
  • Partial certificate deployment
  • Missing intermediate certificates

5. Incorrect System Date and Time

Certificate validation depends on accurate timestamps.

A clock that is even a few months off can cause Firefox to reject valid certificates.

6. Corrupted Firefox Profile

Firefox profiles may accumulate:

  • Broken certificate entries
  • Corrupted cache
  • Conflicting extensions
  • Damaged TLS preferences

How to Fix SEC_ERROR_UNKNOWN_ISSUER in Firefox: 7 Steps

Step 1 - How do I check the website certificate in Firefox?

Open the site showing the error. Click the lock icon in the address bar and select Connection not secure → More Information → Security tab → View Certificate.

Check these three things in the certificate details:

  • Issued By - should name a recognized CA (DigiCert, Sectigo, Let's Encrypt, etc.). If it shows "Unknown" or an unfamiliar company name, the CA is the problem.
  • Validity Period - confirm today's date falls between the start and expiry dates. If expired, the site owner must renew it - no browser-side fix resolves this.
  • Signature Algorithm - should be SHA-256 or higher. Older algorithms (MD5, SHA-1) indicate a certificate that needs replacing.

If the certificate is invalid or expired, contact the website owner directly. No Firefox setting will make an expired or mis-issued certificate trusted.

For a deeper look at certificate chain issues, see how SSL certificate chains work.

Step 2 - Why doesn't Firefox recognize the certificate authority?

Firefox maintains its own root CA store, independent of your operating system. To check whether the issuing CA is listed:

  1. Go to Options → Privacy & Security → Certificates → View Certificates
  2. Open the Authorities tab
  3. Search for the CA name you noted from the certificate in Step 1

If it isn't there, Firefox has no basis to trust certificates it issues. This is common in three situations:

  • Internal corporate networks using a private CA
  • Development environments running self-signed certificates
  • Sites using newer or regional CAs not yet in Mozilla's root program

Step 3 - How do I import a CA certificate into Firefox?

Obtain the CA's root certificate file (.crt or .pem format) from the website owner or the CA's own website. Then follow these steps:

  1. Open Options → Privacy & Security → Certificates → View Certificates
  2. Go to the Authorities tab and click Import
  3. Select the certificate file from your downloads
  4. When prompted, check "Trust this CA to identify websites"
  5. Click OK - Firefox now trusts all certificates issued by that CA

This fix is particularly relevant for corporate environments. When SSLInsights analyzed enterprise SSL error patterns, internal CA mismatches accounted for the majority of Firefox SSL error corporate network reports - and importing the enterprise root cert resolved them in every case.

Step 4 - Is it safe to add a security exception for sites with this error?

Adding a permanent security exception tells Firefox to skip certificate validation for that specific site. Only do this when you personally control the site or have verified the server's identity through another channel.

To add an exception:

  1. Navigate to the error page
  2. Click Advanced → Add Exception
  3. Click Confirm Security Exception

Avoid adding exceptions for these site types, regardless of how familiar they seem:

  • Banking and financial portals
  • Email providers or webmail logins
  • Any page with a username/password form

A man-in-the-middle attacker can intercept those sessions without Firefox warning you once an exception is in place.

Step 5 - How do I refresh Firefox's certificate cache?

A corrupted certificate cache causes SEC_ERROR_UNKNOWN_ISSUER to appear on sites that should work normally. To force a cache rebuild:

  1. Type about:config in the address bar and accept the warning
  2. Search for security.tls.version.max → set value to 4
  3. Search for security.tls.version.fallback-limit → set value to 3
  4. Restart Firefox

This flushes cached certificate data and resolves errors caused by stale or corrupted entries without affecting your browsing history or saved passwords.

For a related Firefox SSL error caused by TLS record size issues, see how to fix SSL_ERROR_RX_RECORD_TOO_LONG in Firefox.

Step 6 - Can an incorrect system date cause SEC_ERROR_UNKNOWN_ISSUER?

Yes. Every SSL certificate has a validity window - a specific start and expiry date. If your system clock is wrong, Firefox may calculate that a valid certificate has expired or isn't yet active.

Fix it in three steps:

  • Open your OS Date & Time settings
  • Enable automatic time synchronization
  • Confirm your time zone is correct, then relaunch Firefox

This resolves a surprisingly high share of intermittent SEC_ERROR_UNKNOWN_ISSUER errors that appear randomly across multiple sites - particularly after travel, VM migrations, or hardware clock failures.

Step 7 - How does resetting Firefox fix certificate errors?

A corrupted Firefox profile can accumulate broken certificate settings, bad extensions that interfere with TLS validation, and malformed preference entries. Resetting to factory defaults clears all of these.

Before you reset, export or note the following:

  • Saved passwords (export from the Passwords manager)
  • Bookmarks (Bookmarks → Manage Bookmarks → Import and Backup → Export)
  • Any extensions you want to reinstall

To reset:

  1. Click Menu → Help → Troubleshooting Information
  2. Click Refresh Firefox in the upper right
  3. Confirm the reset in the dialog

Firefox restarts with default settings, a clean certificate store, and no extensions. Test the previously affected site - this resolves profile corruption issues in nearly all remaining cases.

Common Scenarios for SEC_ERROR_UNKNOWN_ISSUER: Quick Reference

Scenario Root Cause Fix
Self-signed certificate No trusted CA in chain Import CA cert or obtain a Let's Encrypt certificate
Expired certificate Site owner hasn't renewed Contact site owner; no browser-side fix
Internal/corporate CA CA not in Firefox root store Import enterprise root cert (Step 3)
Antivirus HTTPS scanning AV injects its own cert Disable HTTPS scanning in AV settings
Wrong system date Certificate appears invalid Fix OS clock (Step 6)
Corrupted Firefox profile Bad cert cache or extension Reset Firefox (Step 7)

SEC_ERROR_UNKNOWN_ISSUER vs Other Firefox SSL Errors

Error Meaning
SEC_ERROR_UNKNOWN_ISSUER Untrusted Certificate Authority
SSL_ERROR_RX_RECORD_TOO_LONG Server SSL configuration issue
SEC_ERROR_EXPIRED_CERTIFICATE Certificate expired
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT Self-signed certificate detected
MOZILLA_PKIX_ERROR_MITM_DETECTED Potential HTTPS interception

Why Firefox Shows the Error but Chrome Does Not

This is one of the most common questions.

Firefox maintains its own certificate trust store.

Chrome typically uses:

  • Windows Certificate Store
  • macOS Keychain

As a result:

  • Chrome may trust a certificate
  • Firefox may reject the same certificate

The certificate is not necessarily invalid.

The trust stores simply differ.

When Should You NOT Ignore This Error?

Never bypass the warning when visiting:

  • Online banking websites
  • Payment portals
  • Email providers
  • Cloud storage accounts
  • Business VPN portals
  • Websites requiring passwords

Adding a security exception disables Firefox's certificate verification protections.

How Website Owners Can Prevent SEC_ERROR_UNKNOWN_ISSUER

Website administrators should:

Use Trusted Certificate Authorities

Examples:

  • Let's Encrypt
  • DigiCert
  • Sectigo

Install Complete Certificate Chains

Missing intermediate certificates remain one of the leading causes of trust failures.

Monitor Expiration Dates

Automate renewals whenever possible.

Validate Across Browsers

Always test certificates in:

  • Firefox
  • Chrome
  • Edge
  • Safari

Use SSL Monitoring Tools

Continuous monitoring helps identify:

  • Expiration risks
  • Chain issues
  • CA trust problems

before visitors encounter errors.

Troubleshooting Tips for SEC_ERROR_UNKNOWN_ISSUER only in Firefox

If the same site loads without errors in Chrome or Edge, the certificate itself is valid and your OS trusts the CA - the problem is Firefox-specific. Check for extensions that intercept HTTPS requests (VPNs, ad blockers, privacy tools) by loading the site in Firefox's private window. If it loads there, an extension is the culprit. Disable extensions one by one to identify it.

SEC_ERROR_UNKNOWN_ISSUER vs ERR_CERT_AUTHORITY_INVALID: Chrome's equivalent error is ERR_CERT_AUTHORITY_INVALID. Both indicate the same underlying problem - an untrusted CA. The difference is browser-side: Firefox uses its own root store; Chrome delegates to the OS certificate store on Windows and macOS. A site showing SEC_ERROR_UNKNOWN_ISSUER only in Firefox but working in Chrome almost always means the CA is in your OS store but not in Mozilla's.

Corporate proxies and firewalls that perform SSL inspection generate this error for every HTTPS site. Your network administrator must distribute the proxy's root certificate to all Firefox installations via group policy or a managed Firefox configuration. Individual users on that network cannot fix it themselves.

Final Words

How to fix SEC_ERROR_UNKNOWN_ISSUER in Firefox depends on whether the problem originates from the website's certificate, Firefox's configuration, or something between them. Start by inspecting the certificate (Step 1) to identify the issuing CA, then work through the steps in order. For most users - especially those on corporate networks or with HTTPS-scanning antivirus software - Steps 2, 3, or the antivirus fix resolve the error within minutes. Resetting Firefox (Step 7) is rarely necessary but eliminates profile corruption as a variable.

Priya Mervana
SSL Security Researcher, SSLInsights.com

"The most common missed cause I see in SEC_ERROR_UNKNOWN_ISSUER cases is antivirus software with HTTPS scanning enabled. The AV product intercepts the connection and presents its own certificate - but Firefox hasn't been configured to trust the AV vendor's CA. Disabling HTTPS scanning in your antivirus settings resolves this immediately without touching Firefox at all."

PRACTITIONER'S NOTE

In reviewing hundreds of SEC_ERROR_UNKNOWN_ISSUER cases at SSLInsights, I've found that most users attempt to add a security exception before they've identified why the error occurred. That's the wrong order. Exceptions mask the problem rather than solving it, and they leave your connection unvalidated going forward. Always check the certificate details in Step 1 first - the "Issued By" field alone tells you whether you're dealing with a self-signed cert, an expired cert, an internal CA, or antivirus interference. Each has a different solution. Taking 30 seconds to read the certificate correctly saves significant troubleshooting time and keeps your browsing sessions genuinely secure.

– Priya Mervana | Verified Web Security Expert, SSLInsights.com

Frequently Asked Questions

Why am I suddenly getting SEC_ERROR_UNKNOWN_ISSUER on sites that worked before?

The three most common sudden-onset causes are: the site's certificate recently expired and hasn't been renewed, Firefox received an update that removed a previously trusted CA from its root store, or your antivirus software updated its HTTPS scanning feature and now injects a certificate Firefox doesn't recognize.

Is it safe to add a security exception for SEC_ERROR_UNKNOWN_ISSUER?

Only for sites you control or have independently verified. Adding an exception tells Firefox to stop validating that site's certificate entirely. On sites you don't control - especially any site with a login form - this exposes you to potential interception. The error exists for a reason; don't dismiss it without knowing why the certificate is untrusted.

I'm getting SEC_ERROR_UNKNOWN_ISSUER on my company network - how do I fix it?

Your company's network uses an internal Certificate Authority that Firefox doesn't recognize. Your IT/network administrator needs to distribute the enterprise root CA certificate to Firefox. Individual users cannot fix this without admin access, because the root certificate must be imported into Firefox's trusted authorities. Ask your IT team for the enterprise CA certificate file and follow Step 3 above.

Why does SEC_ERROR_UNKNOWN_ISSUER appear in Firefox but not in Chrome?

Firefox maintains its own root CA store independent of the operating system. Chrome uses the OS certificate store (Windows Certificate Store on Windows, Keychain on macOS). If a CA was added to the OS store (such as by a corporate IT policy or antivirus software) but not to Firefox's own store, Firefox rejects the certificate while Chrome accepts it.

Can antivirus software cause SEC_ERROR_UNKNOWN_ISSUER in Firefox?

Yes, and this is more common than most users realize. Antivirus products with HTTPS scanning (Avast, ESET, Kaspersky, Bitdefender, and others) intercept encrypted connections and re-sign them with their own CA certificate. If that CA isn't in Firefox's trusted list, every HTTPS site triggers this error. Open your antivirus settings and look for an option labelled "HTTPS scanning," "SSL scanning," or "Web Shield" and disable it, then test Firefox again.

Why is SEC_ERROR_UNKNOWN_ISSUER intermittent across different sites?

Intermittent occurrences across multiple unrelated sites usually indicate a corrupted Firefox certificate cache, an unstable antivirus HTTPS scanner, or a network-level proxy that sometimes intercepts traffic. Start with Step 5 (clear the cache) and verify your antivirus settings before escalating to a full Firefox reset.