Recent answers for "How to trust a website only when there is manually imported certificate?"
https://support.mozilla.org/vi/questions/1071440
2015-07-24T23:07:05-07:00

2015-07-24T23:07:05-07:00 publicusername https://support.mozilla.org/vi/questions/1071440#answer-759186
<p>OK, thanks for your time.
</p><p>The solution is: add the certificate exception in non-private firefox window. After restart, the cert is in cert_override.txt file in profile folder and Firefox connects to the server even if the root CA trust bits are disabled.
</p><p>This is exactly the behavior I was looking for&nbsp;:)
</p>
2015-07-20T04:17:58-07:00 rmcguigan https://support.mozilla.org/vi/questions/1071440#answer-756663
<p>Yes, both scenarios are recognized as mis-issued in Mozilla's CA certificate policy. Mentioned <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/" rel="nofollow">here</a>
</p>
2015-07-17T03:10:37-07:00 publicusername https://support.mozilla.org/vi/questions/1071440#answer-755275
<p>&gt; I don't know for what reason you have distrusted all built-in root certificates, but doing that doesn't make this easier.
</p><p>I explained this at the beginning. I want to trust only manually imported certificates, not any certificate from the root CAs. So the "set root CA's trust bits on" is not a solution. I hope it is clearer now.
</p>
2015-07-16T13:12:02-07:00 cor-el https://support.mozilla.org/vi/questions/1071440#answer-755034
<p>Only if trust bit(s) are set then you can trust a website.
You would normally have the trust bits set on a built-in root certificate.
I assume that you would have to import the certificate under the authorities tab and set its trust bits to trust websites.
</p><p>I don't know for what reason you have distrusted all built-in root certificates, but doing that doesn't make this easier.
</p>
2015-07-16T01:49:30-07:00 publicusername https://support.mozilla.org/vi/questions/1071440#answer-754640
<p>Hi,
thanks for reply!
</p><p>By "FF still complains" I mean standard error page "This Connection is Untrusted" with, or without, "Add exception" button.
</p><p>To give you a real example:
</p><p>I have current certificate for <a href="http://support.mozilla.org" rel="nofollow">support.mozilla.org</a> (SHA-256 = 2F:D5:63:1B:B0:CF:A0:1E:86:B3:F2:78:F1:0B:00:6F:5A:4B:E2:58:50:10:5E:0B:A3:A8:6E:4B:C4:5F:9F:1B) manually imported in Preferences-&gt;Advanced-&gt;Certificates-&gt;View Certificates-&gt;Servers list. I also have the root CA for this certificate (DigiCert High Assurance EV Root CA) distrusted (all 3 bits off).
</p><p>But when I connect to the <a href="https://support.mozilla.org" rel="nofollow">https://support.mozilla.org</a>, I get the Untrusted Connection error page.
</p><p>I want to set that the *manually imported* certificate (identified by checksums etc) would allow the connection even if its root CA is distrusted.
</p><p>Any ideas how to set it?
</p><p>Thanks!
</p>
2015-07-14T11:46:57-07:00 rmcguigan https://support.mozilla.org/vi/questions/1071440#answer-753897
<p>Hi,
When you say <em>FF still complains&nbsp;:(</em> can you please provide a screenshot of the error, we will need some more info to help.
</p><p>For reference:
</p>
<ul><li><a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/" rel="nofollow">https://www.mozilla.org/en-US/about/g.../policy/</a>
</li></ul>
<p>Note, real question might be what config entries need to be disabled.
</p>