Den här webbplatsen har begränsad funktionalitet medan vi utför underhåll för att förbättra din upplevelse. Om en artikel inte löser ditt problem och du vill ställa en fråga har vi vår gemenskap som väntar på att hjälpa dig på @FirefoxSupport på Twitter, /r/firefox på Reddit.

Sök i support

Akta dig för supportbedrägerier: Vi kommer aldrig att be dig att ringa eller skicka ett sms till ett telefonnummer eller dela personlig information. Rapportera misstänkt aktivitet med alternativet "Rapportera missbruk".

Läs mer

How to untrust specific certificate in firefox?

  • 5 svar
  • 0 har detta problem
  • 4 visningar
  • Senaste svar av asmreg

more options

For example: 1. Certificate "CA.A" is trusted by firefox by default. 2. Certificate "CA.B" is issued by certificate "CA.A", but not stored in firefox by default. 3. Website "WWW.C" use a certificate "CA.C" which is issued by certificate "CA.B" 4. After I visit "WWW.C", firefox will report it is a secure connection and will add "CA.B" to "Certificate Manager".

Now I want to untrust "CA.B" and all certificate issued by it.

In firefox old release(like firefox 45), there is an "Import" option in "Certificate Manager"->"Servers", I can import "CA.B" to untrust the certificate. In firefox new release(like firefox 112), there is no "Import" option in "Certificate Manager"->"Servers", so I can not untrust "CA.B". I have also try to untrust the certificate in "Certificate Manager"->"Authorities"-"Edit Trust", but uncheck the checkbox can't untrust the certificate and firefox still report it is a secure connection when I visit "WWW.C".

For example: 1. Certificate "CA.A" is trusted by firefox by default. 2. Certificate "CA.B" is issued by certificate "CA.A", but not stored in firefox by default. 3. Website "WWW.C" use a certificate "CA.C" which is issued by certificate "CA.B" 4. After I visit "WWW.C", firefox will report it is a secure connection and will add "CA.B" to "Certificate Manager". Now I want to untrust "CA.B" and all certificate issued by it. In firefox old release(like firefox 45), there is an "Import" option in "Certificate Manager"->"Servers", I can import "CA.B" to untrust the certificate. In firefox new release(like firefox 112), there is no "Import" option in "Certificate Manager"->"Servers", so I can not untrust "CA.B". I have also try to untrust the certificate in "Certificate Manager"->"Authorities"-"Edit Trust", but uncheck the checkbox can't untrust the certificate and firefox still report it is a secure connection when I visit "WWW.C".
Bifogade skärmdumpar

Alla svar (5)

more options
more options

You can (should) only remove/edit trust bits for a root certificate, either a built-in or one you import under "Certificate Manager"->"Authorities" and exceptions also only work for root certificates. If you have a cached intermediate certificate showing under "Authorities" then you should be able to remove it although this works differently in recent releases where Firefox can download all intermediate certificates for all built-in root certificates to prevent issues where the server isn't sending them.

more options

cor-el said

You can (should) only remove/edit trust bits for a root certificate, either a built-in or one you import under "Certificate Manager"->"Authorities" and exceptions also only work for root certificates. If you have a cached intermediate certificate showing under "Authorities" then you should be able to remove it although this works differently in recent releases where Firefox can download all intermediate certificates for all built-in root certificates to prevent issues where the server isn't sending them.

Does "exceptions also only work for root certificates" means that I can't untrust "CA.B" when I trust "CA.A"?

Ändrad av asmreg

more options

Intermediate certificates do not have trust bits set (and never should) as only root certificates can be trusted. The root certificate is the last in the certificate chain that starts with the certificate of the website and ends with the trusted root certificate with possible intermediate certificates in between. If the server send all intermediate certificates then there is no way to block them apart from removing trust bits on the root certificate to break the chain and like I wrote: Firefox 75+ can retrieve intermediate certificates without depending on what the website sends.

more options

cor-el said

Intermediate certificates do not have trust bits set (and never should) as only root certificates can be trusted. The root certificate is the last in the certificate chain that starts with the certificate of the website and ends with the trusted root certificate with possible intermediate certificates in between. If the server send all intermediate certificates then there is no way to block them apart from removing trust bits on the root certificate to break the chain and like I wrote: Firefox 75+ can retrieve intermediate certificates without depending on what the website sends.

Yes, I have tried to import "CA.B" into "Servers" tab, and it does not work as I excepted. But in Windows 7, for example, I can import "Microsoft Azure TLS Issuing CA 06" to "Untrusted Certificates" in certmgr.msc and leave the root certificate "DigiCert Global Root G2" trusted, then Internet Explorer 8 will block "www.microsoft.com". It works as I excepted. So is there any way to make firefox to achieve same function?