Firefox won't trust imported certificate
In order for our secure webfilter to filter traffic on SSL encrypted websites, we have to install a certificate that will allow for an intentional mitm attack. We have only had a problem having this certificate replace Google's recently. Do we need to take an added step to have this certificate truly become trusted?
所有回覆 (9)
I would like a response, please.
can you be more specific about what kind of error message / error code you are receiving?
I have attached a screenshot.
thanks, this screenshot doesn't reveal an error with a certificate but indicates that there are parts of the website which are not loaded through https (so called "mixed content"). you can inspect that by looking in the security tab of the firefox web console: https://developer.mozilla.org/en-US/docs/Security/MixedContent
you'd have to look into the workings of your MITMing solution on why it may be causing this...
This issue exists for several different MITM solutions, including other SWGs and antivirus software. The problem, I believe, lies with Firefox not accepting self-signed certificates as a trusted cert, regardless of whether or not you import it to Firefox's own trusted certificate store. This issue also seems to have arisen recently as I used to be able to use my solution at least 3 months ago with no issue.
as your screenshots shows, there are elements of google.com which are loaded through http (this has to be caused by the MITM software is out of the control of firefox) - if a self-signed cert wasn't trusted you would see a different, full page error looking something like: 
I understand.
I am aware that one can ignore these warnings, however I need a solution where I can do this over a managed network, namely in AD and JAMF/Casper where I can automatically do this for a large amount of users. I also wish that this option wasn't enabled by default as it breaks a lot of enterprise products.
alexander.diaz said
I understand. I am aware that one can ignore these warnings, however I need a solution where I can do this over a managed network, namely in AD and JAMF/Casper where I can automatically do this for a large amount of users. I also wish that this option wasn't enabled by default as it breaks a lot of enterprise products.
Any ideas on how I can manage this?
Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:
- chrome://pippki/content/exceptionDialog.xul
In the location field of this window type or paste the URL of the website.
- retrieve the certificate via the "Get certificate" button
- click the "View..." button to inspect the certificate in the Certificate Viewer
You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.
Firefox needs a root certificate that has the proper trust bit(s) to be able to build a certificate chain.