
You do not recognize my security certification and I cannot make an exception on every single webpage I visit.


I work for a state organization, use a secure proxy server, and have an updated certification. That said, Firefox does not recognize the cert and throws an error on every single page I open. Some pages do not give me the option to create an exception and, to be honest, nobody would find a browser useful if they have to create an exception to reach every page. I do not have the legenda file that is mentioned in other posts I already checked. I cannot change my cert; it is correct. How does this get fixed, or do I just delete?


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36


jscher2000
  • Top 10 Contributor
8890 solutions 72730 answers

Yes, if you think about it for a second, in order to read everything going in and out, the proxy server needs to generate a fake certificate for every site you visit using HTTPS. One question you might have is, why don't other browsers object to the fake certificates?! I'll come back to that.

Since it definitely is not efficient to create exceptions on a site-by-site basis, what you need to do is set Firefox to trust everything signed by the proxy. Here's how:

Option #1: Import the Signing Certificate

If you import the proxy's signing certificate into Firefox's certificate store, then all of its fake certificates will be trusted.

(A) If you do not already have a certificate file ready to import, you can export it from IE or Chrome.

  • This may appear in IE's Certificates dialog OR it may appear when you view the certificate details on any secure page you load in IE/Chrome.
  • The Export or Copy to file button starts the Export Wizard. Use the DER format and save to a convenient location.

Example screenshots: https://support.mozilla.org/questions/1199797#answer-1064849

(B) When finished with all the necessary exports to complete the chain in the Certification Path, you can import the certificates into the Firefox Authorities tab:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the proxy server's certificate.

(Fourth and fifth screenshots in the above-linked post.)

When asked, I suggest allowing the certificate for websites only unless your IT suggests otherwise.

It's a bit of a pain, but the advantage of that approach is that you are making the minimal compromise of security.

Option #2: Trust all Signing Certificates in the Windows Cert Store

Most likely, your IT configured your system to trust the proxy so you could have transparent access in IE and Chrome, which share this certificate store. Firefox normally uses its own certificate store, but you can make it use the system certificate store instead. Here's how:

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(B) In the search box above the list, type or paste enterp and pause while the list is filtered.

(C) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true.

I'm not sure whether that will start working immediately or after the next time you exit Firefox and start it up again. I guess you'll know if you visit an HTTPS address and Firefox no longer objects.

The disadvantage of this method is that any security compromise of the system certificate store will affect Firefox, too. This may be a lesser concern on a business system.

Do either of those work for you?
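
The export step of Option #1, scripted as an added example (not part of the original answer): it looks for the proxy's CA certificates in the Windows certificate stores, writes each one as a DER file for Firefox's Import button, and prints its SHA-256 fingerprint so the file can be checked against the value your IT department publishes before you trust it. The subject pattern and output folder are placeholders.

```powershell
# Added example. The pattern is a placeholder: use the issuer name shown in the
# Certification Path of any HTTPS page loaded through the proxy.
$SubjectPattern = '*Example Proxy CA*'                      # hypothetical name
$OutDir = Join-Path $env:USERPROFILE 'proxy-ca-export'      # hypothetical folder

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':' }
    finally { $sha.Dispose() }
}

function Test-IsCaCertificate {
    # True only if the Basic Constraints extension marks the certificate as a CA.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    [bool]($bc -and $bc.CertificateAuthority)
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Root and intermediate stores, machine-wide and per-user, so the whole chain is covered.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

Get-ChildItem -Path $stores |
    Where-Object { $_.Subject -like $SubjectPattern } |
    Sort-Object Thumbprint -Unique |
    ForEach-Object {
        $file = Join-Path $OutDir ('{0}.cer' -f $_.Thumbprint)
        # -Type CERT writes one DER-encoded certificate (public part only).
        Export-Certificate -Cert $_ -FilePath $file -Type CERT | Out-Null
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            IsCA       = Test-IsCaCertificate $_
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotAfter   = $_.NotAfter
            SHA256     = Get-Sha256Fingerprint $_
            File       = $file
        }
    } | Format-List
```

A result with `IsCA` false, or a fingerprint that does not match what IT gave you, is a reason to stop and ask before importing the file into the Authorities tab.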
