"sec_error_unknown_issuer" in Iceweasel 22.0 If I visit a certain web-page with Iceweasel 22.0, then I receive the `sec_error_unknown_issuer` error. When I check the X.509v3 certificate hierarchy, then the top-most certificate is "DOD CA-28". However, common name of issuer of the "DOD CA-28" is not the "DOD CA-28" itself, but "DoD Root CA 2": !enter image description here Why isn't the "DoD Root CA 2" listed as the top certificate in certificate hierarchy? Am I correct that this breaks the chain of trust and thus the Iceweasel will display the `sec_error_unknown_issuer` error?

The server sends only the certificates leading to the trusted root, not the root certificate itself (because the browser cannot trust just anything it gets from the network). The trusted root in this case is probably "DoD Root CA 2", but this need to be installed as trusted in the browser. Because it is not installed the certificate chain cannot be verified and thus the leaf certificate cannot be trusted.

If you want to trust the "DoD Root CA 2" you have to get its certificate and import it as trusted into your browser. After you've done it validation of the certificates should succeed.