Cannot add a self signed certificate in Firefox

I need to set up an IIS webserver that will be accessed by a small, finite number of users. I was considering using a self-signed certificate only, and manually installing it on the users' systems.

So I generated the certificate with IIS tools, installed it on the webserver, and exported it in a .cer file. Adding it to the Trusted Authorities in Windows settings works well with Internet Explorer: it removes the insecure warning.

In Firefox, I can't make it work. Enabling the security.enterprise_roots.enabled option doesn't help. In the Firefox certificate settings, I can't import it into the Authorities panel; I get an error message:

This is not a certificate authority certificate, so it can't be imported into the certificate authority list

What can I do? I don't want to add an exception in Firefox, as it permanently disables any certificate checking on the URL, which means any man-in-the-middle attack becomes straightforward. I want the user to be blocked from accessing the website if the certificate changes on the server.


In order to be added to the certificate authority list in Firefox a certificate must have X509v3 extension CA:TRUE, e.g.

    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE

This would be the case if you had your own private CA certificate used for signing your server certificates: you could import it and use it for signing all your private server certificates, making them trusted in the browser at once.

With self-signed certificates the simplest solution is to add an exception, instead. Shortcut: chrome://pippki/content/exceptionDialog.xul. This makes an exception for THIS certificate alone. You'll still get a warning for untrusted certificate if the certificate changes.
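The private-CA route described in this answer, as an added example that is not part of the original post: an elevated PowerShell script that creates a CA certificate carrying CA:TRUE and CertSign/CRLSign, signs a separate server certificate for the IIS host with it, exports the CA's public certificate for import into Firefox's Authorities tab (or the Windows Trusted Root store), checks the Basic Constraints the way Firefox does, and binds the server certificate to the IIS site. The host name, output folder, site name, key sizes and validity periods are assumptions; the cmdlets are the stock PKI and WebAdministration ones on Windows 10 / Server 2016 and newer.

```powershell
# Added example (not from the original answer): private CA with CA:TRUE,
# a server certificate signed by it, CA export for Firefox, IIS binding.
# Assumptions: host name, output folder, site name, key sizes, lifetimes.
# Run in an elevated PowerShell on the IIS server.

$Hostname = "intranet.example.local"   # assumed IIS host name
$OutDir   = "C:\pki"                   # assumed output folder
$SiteName = "Default Web Site"         # assumed IIS site
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Private CA certificate. Basic Constraints CA:TRUE (critical) plus
#    Key Usage CertSign/CRLSign is what Firefox requires before it lets a
#    certificate into the Authorities list. pathlength=0 means this CA may
#    only sign end-entity certificates, not other CAs.
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=Example Private CA" `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -KeyExportPolicy NonExportable `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# 2. Server (leaf) certificate for IIS, signed by the CA above. The host name
#    goes into Subject Alternative Name (browsers ignore the CN for name
#    matching); -Type SSLServerAuthentication adds the serverAuth EKU.
$server = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -Subject "CN=$Hostname" -DnsName $Hostname `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# 3. Export only the CA's public certificate (no private key). This is the
#    file users import into Firefox (Authorities > Import) or that GPO pushes
#    into Trusted Root Certification Authorities for IE/Edge/Chrome.
$caCer = Join-Path $OutDir "example-private-ca.cer"
Export-Certificate -Cert $ca -FilePath $caCer -Type CERT | Out-Null

# 4. Verify the property Firefox checks on import: CA:TRUE on the CA, and
#    NOT on the server certificate (a leaf with CA:TRUE is a mis-issuance).
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$caBc = $ca.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
if (-not $caBc -or -not ($caBc -as $bcType).CertificateAuthority) {
    throw "CA certificate lacks Basic Constraints CA:TRUE"
}
$leafBc = $server.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
if ($leafBc -and ($leafBc -as $bcType).CertificateAuthority) {
    throw "Server certificate must not carry CA:TRUE"
}

# 5. Bind the server certificate to the HTTPS site (SslFlags 1 = SNI).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Hostname -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($server.Thumbprint, "My")

"CA thumbprint:     $($ca.Thumbprint)"
"Server thumbprint: $($server.Thumbprint)"
"Import $caCer into Firefox and tick 'Trust this CA to identify websites'."
```

When the server certificate later expires or the host is renamed, re-run only step 2 and rebind; the CA certificate already trusted on the clients keeps validating the new leaf. Keep the CA's private key on the server (it is marked non-exportable above) or, better, on a machine that is not the web server, since anyone holding it can mint certificates the clients will trust.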


It has been possible to allow Firefox to trust CAs from Windows since Firefox 49 (Bug 1265113). The configuration parameter is security.enterprise_roots.enabled. It won't be set to true by default (Bug 1314010), but having this as a configuration preference makes it possible to distribute it via Group Policy, which makes it a perfect extension for CA certificates installed via GPO.

Currently, general.config.filename already seems to be set to mozilla.cfg by default. You just need to add this line to the file %ProgramFiles%\Mozilla Firefox\Mozilla.cfg (replace the file using Group Policy):

    pref("security.enterprise_roots.enabled", true);

To lock the setting so that users can't modify it using about:config, use lockPref(), instead.
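The deployment this answer describes, as an added example that is not part of the original post: an elevated PowerShell script (suitable as a GPO computer startup script) that stages the Firefox AutoConfig files on a Windows machine, writes mozilla.cfg with a lockPref() for security.enterprise_roots.enabled, optionally imports the GPO-distributed CA certificate into the machine's Trusted Root store that Firefox then reads, and checks the result. It also writes defaults\pref\local-settings.js, which is what points Firefox at mozilla.cfg; this is harmless if general.config.filename is already set. The install path and the CA file path are assumptions.

```powershell
# Added example (not from the original answer): stage Firefox AutoConfig so
# security.enterprise_roots.enabled is on and locked, and import the CA that
# GPO distributes. Run elevated, e.g. as a GPO computer startup script.
# Assumptions: default install path, CA .cer path.

$FirefoxDir = Join-Path $env:ProgramFiles "Mozilla Firefox"   # assumed install dir
$CaCer      = "\\fileserver\pki\example-private-ca.cer"       # assumed CA file (optional)

if (-not (Test-Path (Join-Path $FirefoxDir "firefox.exe"))) {
    throw "Firefox not found under $FirefoxDir"
}

# defaults\pref\local-settings.js names the AutoConfig file and declares it
# plain text (obscure_value 0). Writing it is harmless if already present.
$prefDir = Join-Path $FirefoxDir "defaults\pref"
New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
$localSettings = @'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
'@
Set-Content -Path (Join-Path $prefDir "local-settings.js") -Value $localSettings -Encoding Ascii

# mozilla.cfg: Firefox skips the first line, so it must be a comment.
# lockPref() sets the value and greys it out in about:config; swap in pref()
# if users are allowed to turn it off again.
$mozillaCfg = @'
// Firefox AutoConfig, deployed centrally; local edits are overwritten.
lockPref("security.enterprise_roots.enabled", true);
'@
$cfgPath = Join-Path $FirefoxDir "mozilla.cfg"
Set-Content -Path $cfgPath -Value $mozillaCfg -Encoding Ascii

# Optional: import the private CA into the machine Trusted Root store, the
# store Firefox consults once enterprise roots are enabled. Skip if GPO
# already pushes the certificate there.
if (Test-Path $CaCer) {
    Import-Certificate -FilePath $CaCer -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
}

# Sanity check: a malformed mozilla.cfg makes Firefox show
# "Failed to read the configuration file" at startup, so verify what we wrote.
$cfgLines = Get-Content $cfgPath
if (-not ($cfgLines -match '^lockPref\("security\.enterprise_roots\.enabled",\s*true\);')) {
    throw "mozilla.cfg does not contain the enterprise_roots lockPref"
}
"AutoConfig staged in $FirefoxDir; restart Firefox and confirm in about:config."
```

Because Firefox re-reads mozilla.cfg on every start, a user who edits the file back only loses the change at the next GPO refresh, and lockPref() prevents changing the value from about:config in between. The enterprise roots setting trusts whatever is in the machine Trusted Root store, so the same GPO that pushes your CA there should not push anything else you would not want Firefox to trust.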