tls – Why does Firefox no longer recognise certificates issued by Multicert / Camerfirma?

Today I noticed that Firefox 88.0 beta (on macOS) is rejecting TLS certificates for many Portuguese websites – including most government websites – with the error SEC_ERROR_UNKNOWN_ISSUER.

Example sites:

These certificates all have in common that they are issued by Multicert (CN: MULTICERT SSL Certification Authority 001), which is itself certified by Camerfirma (CN: Global Chambersign Root - 2008).

I cannot tell from the error which part of the certificate chain (Multicert or Camerfirma) is “unknown”, and nor can I find any information about a revocation online (though I can see that Camerfirma has been plagued with poor security practices for years).

The same websites currently load fine in release versions of Safari and Chrome, as well as Firefox 78.9.0esr.

  • Why is this major European CA “unknown” in current Firefox beta?
  • Has there been a security incident with Multicert or Camerfirma that I should be aware of?