This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How do I trust a self-signed issuer certificate in version 54.0?

  • 5 replies
  • 2 have this problem
  • 2 views
  • Last reply by Hamburgo

more options

Since years, I am importing my self-signed issuer certificate over “Authorities” and my intranet-application is running very well as https-application with a green padlock.

Since the update to version 54.0 I get the error code: SEC_ERROR_UNKNOWN_ISSUER.

To fix this issue I have to add the URL as security exception rule and get the yellow padlock, but in this way I loose a lot of trust by my customers.

Is that a new bug ?

If no, how can I get back the green padlock with self-signed issuer certificates?

Since years, I am importing my self-signed issuer certificate over “Authorities” and my intranet-application is running very well as https-application with a green padlock. Since the update to version 54.0 I get the error code: SEC_ERROR_UNKNOWN_ISSUER. To fix this issue I have to add the URL as security exception rule and get the yellow padlock, but in this way I loose a lot of trust by my customers. Is that a new bug ? If no, how can I get back the green padlock with self-signed issuer certificates?

All Replies (5)

more options

Sorry for the late reply! The mid of June to end of June was a very busy time for us and your question slipped by.

Could you please share the url of your website? Maybe someone here with more knowledge than me can inspect your cert & find out why exactly it's throwing that error. I have a few people I can ask to review it so we can help you get this solved as soon as possible.

Modified by NoahSUMO

more options

A self-signed certificate can never be trusted in the same way as a certificate that can be chained to a built-in trusted root certificate. If you use such a self-signed certificate on an internet web page server than visitors will always have the problem to add an exception. You may have to remove an existing exception to be able to add the certificate another time.

more options

@Noah_SUMO

The URL is: https://kmu-office.spdns.de/TDL

The URL call the login-site of a php-web-application

It is not a web-site for public using.

more options

@cor-el I will be agree with you in the case of public web-sites for public use.

But in my case I am using the self-signed certificates only for an intranet-application to get a secure line for registered users (customers).

So, for my case of using the handling of FireFox up to version 53.xx was optimal (Public users will be got the error code "SEC_ERROR_UNKNOWN_ISSUER" and my registered customers got a secured line with a green padlock, because they had imported my self-signed certificate over “Authorities”, before.

And I do not have any idea / arguments why this way of using self-signed certificate should not be possible in the future.

What is the problem / risk for the other users of the FireFox-community?

From my side it will be more logical that FireFox block the possibility to add an exception for self-signed certificates and will only trust a self-signed certificate if it is imported over the “Authorities”-property, because that will be a intentional doing of the individual FireFox user in trust of this single self-signed certificate.

My opinion is, on the first level it is important that a FireFox user will/can be trust a certificate and only on the second level the whole FireFox-community.

Modified by Hamburgo

more options

@Noah_SUMO Hopefully, you can help and fix that bug or give me a other solution with the same effect.

Many Thanks

Modified by Hamburgo