This thread was archived. Please ask a new question if you need help.
Why can't I add a security exception to my self signed certificate?
You used to be able to add an exception permanently to self signed certificates now it shows me the screen and no longer accepts the exception. Makes using firefox useless. I followed steps to add the certificate but it's beyond frustrating. Enough already. How do I fix it to accept my certificates permanently. The only useful solution that I can find so far is using another browser.
All Replies (10)
What version are you using -- Firefox 34.0.5?
Prior to Firefox 33, you could have Firefox overlook certain flaws in self-issued certificates but that code has been removed now.
If this is crucial to your work (or your happiness), you could try switching to the "extended support release" (ESR) version of Firefox. This version is designed for large businesses that need a slower rate of feature changes and is based on Firefox 31. More info: https://www.mozilla.org/firefox/organizations/
In Firefox 31, you can toggle a preference in the about:config preferences editor to revert to the older certificate checker: security.use_mozillapkix_verification (change to false)
The longer term solution is for the developers to learn more about the various problems with self-signed/self-issued/self-certified certificates that PKIX is rejecting and refine its approach. If you want to participate in those discussions, it would be useful to know more about the problem. For example, is it a router or other off-the-shelf device, or is it an internal application, etc. Here are links to the developer mailing list and an article about PKIX.
If you previously made a permanent exception for this certificate then you need to remove this exception.
- Tools > Options > Advanced > Certificates: View Certificates
You can open this chrome URI by pasting or typing this URI in the location/address bar to open the "Add Security Exception" window and check the certificate:
In the location field type/paste the URL of the website
- retrieve the certificate via the "Get certificate" button
- inspect the certificate via the "View..." button
Both FF 34 and 35 fail to allow the exception. Firefox was the only software that I allowed automatic updates. I felt that the developers had the user in mind and up to this point nothing broke. PKIX was and is not ready for prime time and should not have been introduced in the production release. This and the search engine switch from Google to Yahoo without asking the user will cause it to be removed from another 50 to 100 systems. This frustration and attitude is what we expect from Apple and Microsoft not from a community supported developer.
Raising security standards for SSL certificates was done with the goal of better protecting the typical user. If you want to have Firefox modified to be more accepting of your self-signed/self-issued/self-certified certificates, please give your feedback using the links I provided earlier (enterprise list and/or developer list and/or bug tracking system) so you can get technical feedback on how to do it or when that might happen.
That's not what this does. This just conditions the user to always click on accept. Because the user cannot add the permanent exception which is safer than having to constantly add the exceptions. This doesn't raise security standards it just becomes inconvenient for the user who has to lower the standard. What is safer plain text passwords over http or a self signed certificates over https?. There is no need to pay someone to tell me who I am and what certificate I wish to accept. Sure, having a certificate authority is more secure than self signed certificates but it doesn't negate the fact that self signed certificates are more secure than plain text.
Hi menext, in my opinion, the typical user would rarely if ever encounter a self-signed certificate in their daily browsing.
The PKIX library does allow you to add an exception for a self-signed certificate (just like any other certificate that can't be chained up to a trusted root) under some circumstances. However, assessing the exact problem with your CA certificate is difficult without access to it. Can you provide a URL?
Unfortunately it's affecting the typical user. I have been convincing people if they valued control of their browser then they should switch to Firefox and keep the automatic updates activated. Now these same people are having issues and using IE or Chrome and they are uninstalling FF. The last 2 months I've stopped trying to convince people to use FF because every new FF release is worse than the last.
I don't know what the PKIX library allows. What I know is that FF does not allow the addition of a permanent exception on a self signed certificate. You have to confirm the exception every time you connect which makes it less than useless. My self signed certificates are behind firewalls so I can't just provide a URL. Nor is it just my certificate it's any self-signed certificate created with OpenSSL as instructed on their site on the creation of self signed certificates. Numerous hardware, applications like Webmin, Plesk and such. It is mentioned countless times on the forums. There are many solutions marked as solved but the solution does not apply or the problem returns, or FF removes the fix/option with the next patch.
When a certificate is not signed by a registered CA then allow the user to accept the certificate for the duration of the certificate. It's not up to FF to tell us to spend money or waste energy just because we don't want information in the hands of script kiddies.
Just look at the time we wasted on this discussion which shouldn't even be happening.
(In other words, without knowing exactly why the cert doesn't work, I have nothing to add to the previous discussion.)
as noted from your link;
Update: As noted in comments, this should not work in Firefox 33 (or later).
Hi menext, what does not work in Firefox 33 and later is the preference introduced in Firefox 31 to disable use of the PKIX library. That preference only works in Firefox 31 and 32. (Hence the suggestion in my first reply.)