
Support Forum

What do actively distrusted certificates look like in the certificate manager?

In the "Servers" tab, I see a bunch of certificates, including my certificate exceptions, as well as certificates from CNNIC and DigiNotar. From what I've found on the web, these CNNIC and DigiNotar certificates have been actively distrusted by Mozilla. Do such actively distrusted certificates appear in the certificate manager? If so, what do they look like in the UI? If my browser is actively distrusting these certificates, the UI isn't making this immediately obvious.

Thanks!

Additional System Details

Installed Plug-ins

  • Gecko Media Player 1.0.9: Video Player Plug-in for QuickTime, RealPlayer and Windows Media Player streams using MPlayer
  • Next Generation Java Plug-in 11.40.2 for Mozilla browsers
  • Shockwave Flash 11.2 r202

Application

  • User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

Microrobot 29 solutions 278 answers

Hello!

The only "safe" certificate should be CNNIC. DigiNotar was removed from Firefox; if you would like to read about it, please take a look at this link: https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/ This was removed in 2011, so it has been quite a long time. Be sure to remove DigiNotar; however, CNNIC is safe.

Question owner

The CNNIC certificate I am seeing is one for MCSHOLDING, an intermediate CA that has been actively distrusted: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes#Notable_Changes_in_NSS_3.18.1

Thanks for the response, but I'm still wondering what distrusted certificates look like in the certificate manager UI, if they show up at all.

Modified by liujed

Microrobot 29 solutions 278 answers

Hello again!

I have the certificate personally. However, if you feel this is a security concern or even a privacy concern, you can always "Delete or distrust" the certificate.

cor-el
  • Top 10 Contributor
  • Moderator
17564 solutions 158858 answers

If you or Mozilla disables built-in root certificates then their trust bits are removed, so they can no longer be used as a trusted root certificate. Such certificates are present as a permanent exception in the Servers tab.

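Added example (not part of any post in this thread, and not Mozilla's code): the trust bits discussed above can also be read outside the certificate manager UI, assuming the profile's certificate database is listed with NSS `certutil -L -d <profile directory>`. The listing and nicknames below are constructed; flag meanings follow certutil's help text (`C`/`T` trusted CA, `P` trusted peer, `p` prohibited, empty field means no trust bits).

```python
import re

# Constructed sample in the layout printed by `certutil -L -d <profile directory>`.
# Nicknames and trust values are made up for illustration.
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Trusted Root CA                                      CT,C,C
Example Distrusted Intermediate                              p,p,p
Example Root With Trust Removed                              ,,
Example Trusted Server Cert                                  P,,
"""

FLAGS = r"[pPcCTuwg]*"
# Nickname, then three comma-separated flag fields: SSL, S/MIME, object signing.
ROW = re.compile(
    rf"^(?P<nick>.*\S)\s+(?P<ssl>{FLAGS}),(?P<smime>{FLAGS}),(?P<obj>{FLAGS})\s*$"
)


def classify(flags):
    """Map one trust field to a coarse state."""
    if any(f in flags for f in "CTP"):
        return "trusted"
    if "p" in flags:
        return "distrusted"          # explicitly prohibited
    if flags == "":
        return "no trust bits"       # present in the database, trusted for nothing
    return "other"                   # e.g. 'c' (valid CA) or 'u' (user cert) only


def parse_listing(text):
    """Return {nickname: {usage: state}}; header lines do not match ROW."""
    result = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            result[m["nick"]] = {k: classify(m[k]) for k in ("ssl", "smime", "obj")}
    return result


def not_trusted_for_ssl(text):
    """Nicknames that are listed but cannot anchor or authenticate TLS."""
    return sorted(
        nick for nick, trust in parse_listing(text).items()
        if trust["ssl"] in ("distrusted", "no trust bits")
    )


if __name__ == "__main__":
    for nick in not_trusted_for_ssl(SAMPLE_LISTING):
        print(nick, parse_listing(SAMPLE_LISTING)[nick])
```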