Tags: ssl, firefox, certificate, keychain, trust

Why is Firefox not trusting my self-signed certificate?


I have a local domain (markfisher.local) for which I have made a self-signed certificate that I have added to the Certificates in Keychain Access (I am using a Mac). This results in the certificate being trusted in Chrome and Safari. If I edit the certificate's Trust in Keychain Access to "Never Trust", then Chrome and Safari no longer accept it; if I then change it back to "Always Trust", I can access markfisher.local OK again.

But when accessing the site in Firefox I get the following:

markfisher.local uses an invalid security certificate.
The certificate does not come from a trusted source.
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

I have set security.enterprise_roots.enabled to true as suggested in this answer. Also, going to Preferences > Privacy & Security > View Certificates, I can see that my certificate is in the Authorities tab, and I have checked "This certificate can identify websites" in the "Edit Trust" dialog (this was not checked originally).

However, Firefox refuses to accept the certificate. How can I fix this?


Solution

  • See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:

    Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension.

    This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs

    Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

    What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate.

    What Can I Do: Re-generate the end-entity certificate without the basic constraints extension.
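The two steps the answer implies, checking whether the existing certificate carries cA:TRUE and regenerating it as a plain end-entity certificate, as an added shell example that is not part of the question, the answer, or Mozilla's material. It assumes `openssl` (1.1.1 or later) is on PATH; the hostname markfisher.local comes from the question, while the file names and the config file contents are constructed here. The example sets basicConstraints to CA:FALSE explicitly rather than omitting the extension, which Firefox accepts equally well, since the error is raised only for cA:TRUE; it also adds a subjectAltName, which browsers require for a site certificate independently of this error. Writing an explicit config file matters because the system openssl.cnf's default v3_ca section is what silently produces the CA:TRUE certificate in the first place.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes `openssl`
# (1.1.1 or later) on PATH; the hostname is markfisher.local from the
# question, file names and config contents are constructed for this example.

# Inspect a PEM certificate: return 1 if it carries basicConstraints cA:TRUE,
# the shape Firefox rejects with MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
# when a web server presents it; return 0 otherwise.
check_leaf_cert() {
    cert="$1"
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert: basicConstraints cA:TRUE, Firefox will not accept it as a site certificate"
        return 1
    fi
    echo "$cert: no cA:TRUE basic constraint, usable as an end-entity certificate"
    return 0
}

# Generate a self-signed certificate for $host, writing $out.key and $out.crt.
# $ca is FALSE for a proper end-entity certificate, or TRUE to reproduce the
# CA-shaped certificate the question describes. An explicit config file is
# passed with -config so the system openssl.cnf (whose default v3_ca section
# sets CA:TRUE) is never consulted.
gen_self_signed() {
    host="$1"; out="$2"; ca="$3"
    cfg="$out.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $host
[ext]
basicConstraints = critical, CA:$ca
subjectAltName = DNS:$host
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cfg" -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# Demonstration: build both shapes in a scratch directory and check each.
demo_dir=$(mktemp -d)
gen_self_signed markfisher.local "$demo_dir/leaf" FALSE
gen_self_signed markfisher.local "$demo_dir/castyle" TRUE
check_leaf_cert "$demo_dir/leaf.crt"
check_leaf_cert "$demo_dir/castyle.crt" || echo "(this is the shape to regenerate)"
```

After regenerating, `leaf.crt` is the file to import into Keychain Access (or Firefox's certificate store); `openssl x509 -in leaf.crt -noout -text` should show "CA:FALSE" under X509v3 Basic Constraints and the DNS name under Subject Alternative Name.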