Cannot add a self signed certificate in Firefox

6,293

In order to be added to the certificate authority list in Firefox a certificate must have X509v3 extension CA:TRUE, e.g.

    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE

This would be the case if you had your own private CA certificate used for signing your server certificates: you could import it and use it for signing all your private server certificates, making them trusted in the browser at once.

With self-signed certificates the simplest solution is to add an exception, instead. Shortcut: chrome://pippki/content/exceptionDialog.xul. This makes an exception for THIS certificate alone. You'll still get a warning for an untrusted certificate if the certificate changes.


It has been possible to allow Firefox to trust CAs from Windows since Firefox 49 (Bug 1265113). The configuration parameter is security.enterprise_roots.enabled. It won't be set to true by default (Bug 1314010), but having this as a configuration preference makes it possible to distribute it via Group Policy, which makes it a perfect extension for CA certificates installed via GPO.

Currently by default general.config.filename seems already set to mozilla.cfg. You just need to add this line to the file (replace it using Group Policy) %ProgramFiles%\Mozilla Firefox\Mozilla.cfg:

    pref("security.enterprise_roots.enabled", true);

To lock the setting so that users can't modify it using about:config, use lockPref(), instead.
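
The CA:TRUE requirement from the start of this answer can be checked, and met with a private CA, using OpenSSL. This is an added example, not part of the original answer; the CA name, the host name intranet.example.test and all file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. The CA name, host name and file names are constructed.

# Succeeds only if the PEM certificate $1 carries Basic Constraints CA:TRUE,
# the property Firefox requires for its Authorities list.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Creates a private CA and a server certificate signed by it in directory $1.
make_private_pki() {
    local d="$1"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$d/server.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=intranet.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 365 -extfile "$d/server.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null
}

# Succeeds if the server certificate in $1 validates against the CA in $1.
server_chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_private_pki "$demo_dir" && for c in ca.crt server.crt; do
    is_ca_cert "$demo_dir/$c" && echo "$c: CA:TRUE" || echo "$c: not a CA"
done
```

Only ca.crt passes the check and is the file to import as an authority; ca.key stays off the web server and off client machines.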


Author: galinette

Updated on September 18, 2022

Comments

  • galinette
    galinette over 1 year

    I need to set up an IIS webserver that will be accessed by a small, finite number of users. I was considering using a self-signed certificate only, and manually installing it on the user's systems.

    So I generated the certificate with IIS tools, installed it on the webserver, and exported it in a .cer file. Adding it to the Trusted Authorities in Windows settings works well with Internet Explorer: it removes the unsecure warning.

    In Firefox, I can't make it work. Enabling the security.enterprise_roots.enabled option doesn't help. In Firefox Certificate settings, I can't import it to the Authorities panel, I get an error message:

    This is not a certificate authority certificate, so it can't be imported into the certificate authority list

    What can I do? I don't want to add an exception in Firefox, as it permanently disables any certificate checking on the URL, which means any man-in-the-middle attack becomes straightforward. I want the user to be blocked from accessing the website if the certificate changes on the server.

    • Lex Li
      Lex Li almost 6 years
      If your site is public, do use Let's Encrypt free certificates. If internal, consult your network administrators to get internal certificates (from AD or other sources). Those are way better than the self-signed ones, especially when IIS Manager does not generate good enough test certificates, as the answer below shows.
    • Lex Li
      Lex Li almost 6 years
      If you do want to use self-signed certificates, Jexus Manager generates better ones, jexusmanager.com/en/latest/tutorials/self-signed.html
    • Esa Jokinen
      Esa Jokinen almost 6 years
      @LexLi: Your affiliation with Jexus Manager = © Copyright 2015, Lex Li.
  • Esa Jokinen
    Esa Jokinen almost 6 years
    It's not a URL exception but a certificate exception! If the certificate changes, it will show a new alert.
  • Agent_L
    Agent_L over 4 years
    chrome://pippki/content/exceptionDialog.xul doesn't work for me (FF72, MacOS10.15).