Funkcionalnosć tutoho sydła so přez wothladowanske dźěła wobmjezuje, kotrež maja waše dožiwjenje polěpšić. Jeli nastawk waš problem njerozrisuje a chceće prašenje stajić, wobroćće so na naše zhromodźenstwo pomocy, kotrež na to čaka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomhać.

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

Trouble importing router certificate for HTTPS

more options

I would like to use HTTPS to access my router's web interface without having to bypass the "Warning: Potential Security Risk Ahead" page.

Following my router's instructions I exported the certificate. I then accessed the Privacy & Security settings in Preferences, and under View Certificates I imported the router's certificate.

When opening the HTTPS web interface Firefox reports SEC_ERROR_INADEQUATE_KEY_USAGE.

I would like to use HTTPS to access my router's web interface without having to bypass the "Warning: Potential Security Risk Ahead" page. Following my router's instructions I exported the certificate. I then accessed the Privacy & Security settings in Preferences, and under View Certificates I imported the router's certificate. When opening the HTTPS web interface Firefox reports SEC_ERROR_INADEQUATE_KEY_USAGE.
Připowěsnjene fota wobrazowki

Wot Joe Buckner změnjeny

Wubrane rozrisanje

Joe Buckner said

My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception. ... I am not technically proficient to know if this is a design bug or a security feature.

Someone was very thorough in figuring out the unexpected locations on disk that URLs you visited during recent sessions might be discovered. ;-)

Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?

There are two aspects:

(1) Verifying that the server is the one it says it is and not an impostor. This part fails when the certificate chain cannot be verified.

(2) Encrypting your session. This part is still useful if, for example, you are entering a password or other sensitive credentials. Using HTTPS prevents someone sniffing on the network from reading that.

Tutu wotmołwu w konteksće čitać 👍 0

Wšě wotmołwy (17)

more options

This error could indicate that the router has a self-signed certificate, but the certificate's listed uses do not include being used to sign certificates.

Can you describe what you exported and where you imported it to?

Perhaps you could also link to the article with the instructions.

more options

See also:

  • Bug 1590217 - FF presents SSL Error: SEC_ERROR_INADEQUATE_KEY_USAGE
more options

jscher2000 said

This error could indicate that the router has a self-signed certificate, but the certificate's listed uses do not include being used to sign certificates. Can you describe what you exported and where you imported it to? Perhaps you could also link to the article with the instructions.

I followed these instructions from ASUS. They are, however, written for Windows 10 and Google Chrome. So the part I followed was:

How to download certification from ASUSWRT and update to your Browser:

Step 1: Go to Administration -> System tab.

            Authentication Method : Select HTTPS, and click Apply to save.

Step 2: Download certificate: Click Export button, then you will get a file named cert.tar​.

Step 3: Unzip cert file.

To import the file I opened Firefox's Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.

more options

cor-el said

See also:
  • Bug 1590217 - FF presents SSL Error: SEC_ERROR_INADEQUATE_KEY_USAGE

I am not technically knowledgeable to understand most of this bug report.

I want to securely access my router's web interface via HTTPS. To do so I need to export a certificate from the router and import it to Firefox. Is my inability to do this merely because of the bug in question?

more options
To import the file I opened Firefox's Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.

Try removing the certificate from the Authorities list -- it does not seem to be valid for signing certificates. Instead, try importing it to the Servers list in that same Certificate Manager dialog.

Does that work?

Note: the result would be similar to what happens if you do not import manually, but instead you go to the page and it says "Warning: Potential Security Risk Ahead" and you click the Advanced button and create an exception using the "Accept the Risk and Continue" button.

more options

For some reason I am having trouble quoting and reply to jscher2000. Here is my reply:

The instructions I followed were from the ASUS website, but for Windows 10 and Google Chrome. So I only followed:

Step 1: Go to Administration -> System tab.

            Authentication Method : Select HTTPS, and click Apply to save.

Step 2: Download certificate: Click Export button, then you will get a file named cert.tar​.

Step 3: Unzip cert file (cert.crt)

To import the certificate into Firefox, I open up Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.

more options

Hmm, where did the Import button go? I guess try adding an exception through the standard error page (the one you get without importing anything). Does that work?

more options

I completely removed Firefox and all configuration files. After reinstalling Firefox and without importing the certificate this is what happens:

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

There is no option to Add Exception on this page.

After importing the certificate:

Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

Further details of the error show: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate.

I am not sure how to "Re-generate the end-entity certificate without the basic constraints extension" as suggested on the Mozilla Wiki.

Finally, in the Certification Manager I added an exception in the Servers tab. But this is only a temporary exception and I am not able to click Permanently store this exception.

more options

Joe Buckner said

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT There is no option to Add Exception on this page.

I can't test your device, but on the test page at https://self-signed.badssl.com/ , you usually can add an exception using this method:

click the Advanced button > click the Accept the Risk and Continue button

That creates a permanent exception by default. Perhaps there is some additional issue with your certificate that blocks that??

more options

That only creates a temporary exception for me. My guess is my operating system, Debian, makes some changes to the Firefox package.

more options

Joe Buckner said

That only creates a temporary exception for me. My guess is my operating system, Debian, makes some changes to the Firefox package.

You could take a look at this preference:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(2) In the search box in the page, type or paste certerr and pause while the list is filtered

(3) If the security.certerrors.permanentOverride preference has a value of false, double-click it to switch the value to true

more options

The security.certerrors.permanentOverride preference shows a value of true.

more options

You can try to set security.enterprise_roots.enabled = true on the about:config page.

You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.

more options

cor-el said

You can try to set security.enterprise_roots.enabled = true on the about:config page. You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.

Still produces the same error.

more options

jscher2000 said

Joe Buckner said

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT There is no option to Add Exception on this page.

I can't test your device, but on the test page at https://self-signed.badssl.com/ , you usually can add an exception using this method:

click the Advanced button > click the Accept the Risk and Continue button

That creates a permanent exception by default. Perhaps there is some additional issue with your certificate that blocks that??

I found the issue with this solution. My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception.

So I set browsing preferences to default, created a permanent exception and then changed back to permanent private browsing. The exception remains permanent.

I am not technically proficient to know if this is a design bug or a security feature.

Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?

more options

Yes, when you are in PB mode then you can only set a temporary exception and not a permanent exception. I remember that I had thought about posting this, but I had forgotten or otherwise had chosen not to mention this.

more options

Wubrane rozrisanje

Joe Buckner said

My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception. ... I am not technically proficient to know if this is a design bug or a security feature.

Someone was very thorough in figuring out the unexpected locations on disk that URLs you visited during recent sessions might be discovered. ;-)

Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?

There are two aspects:

(1) Verifying that the server is the one it says it is and not an impostor. This part fails when the certificate chain cannot be verified.

(2) Encrypting your session. This part is still useful if, for example, you are entering a password or other sensitive credentials. Using HTTPS prevents someone sniffing on the network from reading that.