I have a local domain (markfisher.local) for which I have made a self-signed certificate that I have added to the Certificates in Keychain Access (I am using Mac). This results in the certificate being trusted in Chrome and Safari. If I edit the certificates Trust in KeyChain Access to "Never Trust" then Chrome and Safari no longer accept it, then if I change it back to "Always Trust" then I can access markfisher.local OK again.
But when accessing the site in Firefox I get the following:
markfisher.local uses an invalid security certificate.
The certificate does not come from a trusted source.
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
I have set security.enterprise_roots.enabled to true as suggested in this answer. Also, going to Preferences > Privacy & Security > View Certificates, I can see my certificate is in the Authorities tab and I have checked the "This certificate can identify websites" in the "Edit Trust" dialog. This was not checked originally
However Firefox refuses to accept the certificate. How can I fix this?
See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:
Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension.
This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate
What Can I Do: Re-generate the end-entity certificate without the basic constraints extension