How to trust a website only when there is manually imported certificate?

Posted

Hello,

How to trust a website only when there is a manually imported certificate?

I disabled all CAs and want to set FF to: 1) trust (and connect) only to sites for which I have an imported certificate 2) do NOT trust any other certificate (even one issued by a CA with an imported cert).

Even if I have the certificate in the "Servers" list, FF still complains :( Tried in FF 39, 41 and 42 (Linux 64-bit).

Many thanks



Additional system details

Installed plug-ins

  • IE Tab 2 Plug-in for Mozilla/Firefox
  • Next Generation Java Plug-in 10.7.2 for Mozilla browsers
  • Shockwave Flash 16.0 r0
  • Shockwave Flash 18.0 r0
  • 5.1.40416.0
  • VLC media player Web Plugin 2.0.2

Application

  • User agent string: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

guigs 1072 solutions 11697 answers
Posted

Hi, when you say "FF still complains :(" can you please provide a screenshot of the error? We will need some more info to help.

For reference: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Note, the real question might be what config entries need to be disabled.

Question owner

Hi, thanks for the reply!

By "FF still complains" I mean standard error page "This Connection is Untrusted" with, or without, "Add exception" button.

To give you a real example:

I have current certificate for support.mozilla.org (SHA-256 = 2F:D5:63:1B:B0:CF:A0:1E:86:B3:F2:78:F1:0B:00:6F:5A:4B:E2:58:50:10:5E:0B:A3:A8:6E:4B:C4:5F:9F:1B) manually imported in Preferences->Advanced->Certificates->View Certificates->Servers list. I also have the root CA for this certificate (DigiCert High Assurance EV Root CA) distrusted (all 3 bits off).

But when I connect to https://support.mozilla.org, I get the Untrusted Connection error page.

I want to set it so that the *manually imported* certificate (identified by checksums etc.) would allow the connection even if its root CA is distrusted.

Any ideas how to set it?

Thanks!

cor-el
  • Top 10 Contributor
  • Moderator
17479 solutions 157955 answers
Posted

Only if trust bit(s) are set then you can trust a website. You would normally have the trust bits set on a built-in root certificate. I assume that you would have to import the certificate under the authorities tab and set its trust bits to trust websites.

I don't know for what reason you have distrusted all built-in root certificates, but doing that doesn't make this easier.


Question owner

> I don't know for what reason you have distrusted all built-in root certificates, but doing that doesn't make this easier.

I explained this at the beginning. I want to trust only manually imported certificates, not any certificate from the root CAs. So the "set root CA's trust bits on" is not a solution. I hope it is clearer now.

guigs 1072 solutions 11697 answers
Posted

Yes, both scenarios are recognized as mis-issued in Mozilla's CA certificate policy. Mentioned here: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Chosen solution

OK, thanks for your time.

The solution is: add the certificate exception in a non-private Firefox window. After restart, the cert is in the cert_override.txt file in the profile folder and Firefox connects to the server even if the root CA trust bits are disabled.

This is exactly the behavior I was looking for :)
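
An added example, not part of the original thread and not Firefox's own code: a small audit of cert_override.txt that checks every stored exception against fingerprints you verified out of band, so an exception accepted by mistake does not silently stay trusted. The tab-separated field layout (host:port, hash OID, fingerprint, override bits, database key) and the sample lines are assumptions constructed for illustration; the support.mozilla.org fingerprint is the one quoted in the thread.

```python
import hashlib
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"  # dotted OID for SHA-256
# Fingerprint quoted in the thread for support.mozilla.org.
PAGE_FP = ("2F:D5:63:1B:B0:CF:A0:1E:86:B3:F2:78:F1:0B:00:6F:"
           "5A:4B:E2:58:50:10:5E:0B:A3:A8:6E:4B:C4:5F:9F:1B")

def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of DER certificate bytes."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# Constructed sample file; the field layout is an assumption, not real data.
SAMPLE = "\n".join([
    "# PSM Certificate Override Settings file",
    "\t".join(["support.mozilla.org:443", SHA256_OID, PAGE_FP, "U", "DBKEY"]),
    "\t".join(["intranet.example:8443", SHA256_OID,
               fingerprint(b"constructed"), "MU", "DBKEY"]),
    "broken line without tabs",
])

def parse_overrides(text):
    """Return (entries, malformed_lines) for cert_override.txt content."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        host, _, port = fields[0].rpartition(":")
        if len(fields) < 4 or not host or not port.isdigit():
            malformed.append(line)
            continue
        entries.append({"host": host, "port": int(port), "oid": fields[1],
                        "fp": fields[2].upper(), "bits": fields[3]})
    return entries, malformed

def audit(text, pinned):
    """pinned maps 'host:port' to a fingerprint verified out of band."""
    entries, malformed = parse_overrides(text)
    findings = [f"malformed: {line!r}" for line in malformed]
    for e in entries:
        key = f"{e['host']}:{e['port']}"
        if key not in pinned:
            findings.append(f"unexpected override: {key}")
        elif e["oid"] != SHA256_OID or e["fp"] != pinned[key].upper():
            findings.append(f"fingerprint mismatch: {key}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"support.mozilla.org:443": PAGE_FP})))
```

To use it on a real profile, pass the contents of that profile's cert_override.txt as `text` and compare the result of `fingerprint()` on a certificate obtained through a separate channel.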
