Wikipedia.org is using a site cert from LetsEncrypt. I remember a while
ago when there was a problem with LE certs, because the root (CA) cert
on the client had expired. Some web clients use the global cert store
in Windows (run certmgr.msc), but Mozilla decided to use a private cert
store in Firefox. You might get a newer cert in the global store, but
Firefox would still fail to validate a site cert because the root cert
in its private store had expired. As I recall, LE provided a .cer file
you could use to add to Firefox's private cert store.
That has some example sites with expired or revoked site certs that you
can click on to load to see the error you get in your web client.
I believe you can get Firefox to interrogate the global cert store in
Windows by changing the following setting to True:
I enabled that setting long ago, probably when it first showed up,
because there were CA/trusted certs in the Windows global cert store
that were newer than what Mozilla pushed in Firefox in its private cert
Section "Using built-in Windows and MacOS support".
The article notes "This setting only imports certificates from the
Windows Trusted Root Certification Authorities store, not corresponding
Intermediate Certification Authorities store." I opened certmgr.msc,
but didn't find LE under the Trusted Root Certification node in the tree
list. I thought I saw it before, but the article shows the hierarchy of
cert issuers of which one of them is ISRG, and that one is listed under
the Trusted Root Certificates node in the global cert store. For me
under Windows 10 Home, details of the ISRG Root X1 cert are:
Valid: 6/4/2015 to 6/4/2035
The OP could look in certmgr.msc to see if there is an LE cert listed
under the Trusted Root Cert group, or if the ISRG Root X1 cert is
listed, and what are the expiration dates for them. If expired, he
could try to use the LE web page to get the CA cert for LE, and install
it into Firefox's private cert store.
Scroll down to "Certificates", and click "View Certificates ...".
Click "Import ...".
You can import the .pem or .der file you download from the LE site.
I haven't had to do this, but I'm guessing this is how you get LE's root
cert (actually ISRG Root X1) imported into Firefox's private certificate
store. Of course, if you use the about:config setting then Firefox
should be auto-importing the Trusted certs from the Windows global cert
store. If the setting alone doesn't work (because the LE/ISRG cert is
expired in Windows global cert store) then you have to see if importing
the .der or .pem file from LE's site into Firefox's private cert store
will get it working again to visit Wikipedia.
There was a big brouhaha many years ago for sites using LE's free site
certs, and the actual root cert not getting updated in the Windows
global cert store.
If you want to add LE/ISRG root certificate into Windows' global cert
store, you run certmgr.msc, right-click on the Personal -> Certificate
node, and use All Tasks -> Import on the downloaded .der or .pem file.
However, the description of the about:config setting in Firefox says it
auto-imports only certs in the Trusted Root group, not from the Personal
group, so you could end up importing into the Windows global cert store
to get all other web clients to use the new cert, and still have to add
the new LE cert to Firefox's private cert store.
I have never found an official declaration from Mozilla why they feel
compelled to wrest control away from the global cert store (in Windows
and Linux) to use their own private cert store. I've seen inference
that Mozilla thinks it knows better which root certs to support across
various platforms for consistency, but that's not an official statement
The OP said "some web browsers". That does not say WHICH web browsers,
or versions. Hard to supply focused responses on vague details. For
Firefox (and variants), and because Firefox uses its own private cert
store, looks like the security.enterprise_roots.enabled setting became
available in Firefox 49 as per:
The Edge and Chrome web browsers use the Windows global cert store, so,
for them, you have to update the global cert store in Windows.
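
The certmgr.msc check described in the post can also be done from PowerShell. The script below is an added example, not part of the original post: it lists ISRG / Let's Encrypt certs per Windows store with their validity dates, which matters because the quoted article says Firefox's security.enterprise_roots.enabled setting imports only from the Trusted Root store. The subject filter and the list of stores are assumptions.

```powershell
# Added example: report which Windows cert stores hold ISRG / Let's Encrypt
# certs and whether they are expired. The subject filter below is an assumption.
$pattern = 'ISRG|Let''s Encrypt'

# Store paths under the built-in Cert: drive.
$stores = @(
    'Cert:\CurrentUser\Root',    # Trusted Root Certification Authorities
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\CA',      # Intermediate Certification Authorities
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\My'       # Personal
)

$now = Get-Date
$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt $now)
                SelfSigned = ($_.Subject -eq $_.Issuer)   # true for a root cert
                Thumbprint = $_.Thumbprint
            }
        }
}

if (-not $report) {
    Write-Output "No certificate matching '$pattern' found in the checked stores."
} else {
    $report | Sort-Object Store, NotAfter | Format-Table -AutoSize

    # Only an unexpired cert in a Root store is picked up as a trusted root.
    $trusted = $report | Where-Object { $_.Store -like '*\Root' -and -not $_.Expired }
    if (-not $trusted) {
        Write-Output 'No unexpired match in a Trusted Root store.'
    }
}
```

Compare the Thumbprint of any match against the fingerprint published on the LE site before relying on it.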