This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox does not accept Charles Proxy certificate, gives me a SEC_ERROR_UNKNOWN_ISSUER

more options

I use Charles Proxy during my development. I have it to proxy some of my connections. I have no issues working with Chrome, Safari or Edge but, I cannot get it to work with Firefox.

All I get is a:

The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

With no options to add as exception

I use Charles Proxy during my development. I have it to proxy some of my connections. I have no issues working with Chrome, Safari or Edge but, I cannot get it to work with Firefox. All I get is a: The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER With no options to add as exception

Chosen solution

On Mac, you would export from the keychain. E.g., https://support.mozilla.org/questions/1236194 Apologies for the oversight.

Read this answer in context 👍 0

All Replies (3)

more options

Yes, Firefox normally doesn't trust an unknown "man in the middle" to issue website certificates. As you would hope!!

Here are two workarounds to get Firefox to trust all of the fake certificates your proxy will generate:

Option #1: Import the Signing Certificate

If you import the Charles Proxy signing certificate into Firefox's certificate store, then all of its fake certificates will be trusted.

(A) If you do not already have a certificate file ready to import, you can export it from IE or Chrome.

  • This may appear in IE's Certificates dialog OR it may appear when you view the certificate details on any secure page you load in IE/chrome
  • The Export or Copy to file button starts the Export Wizard. Use the DER format and save to a convenient location

Example screenshots: https://support.mozilla.org/questions/1199797#answer-1064849

(B) When finished with all the necessary exports to complete the chain in the Certification Path, you can import the certificates into the Firefox Authorities tab:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the proxy server's certificate.

(Fourth and fifth screenshots in the above-linked post.)

When asked, I suggest allowing the certificate for websites only unless your IT suggests otherwise.

It's a bit of pain, but the advantage of that approach is that you are making the minimal compromise of security.

Option #2: Trust all Signing Certificates in the Windows Cert Store

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(B) In the search box above the list, type or paste enterp and pause while the list is filtered

(C) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true

I'm not sure whether that will start working immediately or after the next time to exit Firefox and start it up again. I guess you'll know if you visit an HTTPS address and Firefox no longer objects.

The disadvantage of this method is that any security compromise of the system certificate store will affect Firefox, too. This may be a lesser concern on a business system.

Do either of those work for you?

more options

Chosen Solution

On Mac, you would export from the keychain. E.g., https://support.mozilla.org/questions/1236194 Apologies for the oversight.

more options

Thank you for your help! That solved it for me.