How do I trust a self-signed issuer certificate in version 54.0?
For years, I have been importing my self-signed issuer certificate via “Authorities”, and my intranet application has been running very well as an HTTPS application with a green padlock.
Since the update to version 54.0 I get the error code: SEC_ERROR_UNKNOWN_ISSUER.
To fix this issue I have to add the URL as a security exception rule and get the yellow padlock, but this way I lose a lot of trust from my customers.
Is that a new bug?
If not, how can I get back the green padlock with self-signed issuer certificates?
All Replies (5)
Sorry for the late reply! Mid-June to the end of June was a very busy time for us and your question slipped by.
Could you please share the url of your website? Maybe someone here with more knowledge than me can inspect your cert & find out why exactly it's throwing that error. I have a few people I can ask to review it so we can help you get this solved as soon as possible.
Modified by NoahSUMO
A self-signed certificate can never be trusted in the same way as a certificate that can be chained to a built-in trusted root certificate. If you use such a self-signed certificate on an internet web page server, then visitors will always have the problem of adding an exception. You may have to remove an existing exception to be able to add the certificate another time.
@Noah_SUMO
The URL is: https://kmu-office.spdns.de/TDL
The URL calls the login page of a PHP web application.
It is not a website for public use.
@cor-el I would agree with you in the case of public websites for public use.
But in my case I am using the self-signed certificates only for an intranet-application to get a secure line for registered users (customers).
So, for my use case, the handling in Firefox up to version 53.xx was optimal (public users got the error code "SEC_ERROR_UNKNOWN_ISSUER", and my registered customers got a secure line with a green padlock because they had imported my self-signed certificate via “Authorities” beforehand).
And I do not know of any reasons or arguments why this way of using self-signed certificates should not be possible in the future.
What is the problem / risk for the other users of the Firefox community?
From my side it would be more logical for Firefox to block the possibility of adding an exception for self-signed certificates and to trust a self-signed certificate only if it is imported via the “Authorities” property, because that is an intentional act by the individual Firefox user to trust this single self-signed certificate.
My opinion is that, at the first level, it is important that a Firefox user can trust a certificate, and only at the second level the whole Firefox community.
Modified by Hamburgo
@Noah_SUMO Hopefully, you can help and fix that bug or give me another solution with the same effect.
Many Thanks
Modified by Hamburgo