Firefox 54 Stopped Trusting Self-Signed Certs

Question

With the recent upgrade of Firefox 54, my self-signed localhost SSL certificate stopped being trusted.

I\'ve been using a Firefox AutoConfigure script to in

Answer 1

As @tresf and @Zombaya have stated, Firefox requires two certificates:

• An authority certificate
• A development certificate

The authority certificate is used to sign the development certificate. The development certificate is bound to an HTTP port. The web server listens to that port for requests.

Windows Development Environment

Other answers explain what to do in Java and Unix environments. Here's what I do in my Windows development environment. This creates certificates trusted by Firefox, Chrome, and Internet Explorer:

Override DNS with an entry in C:\Windows\System32\drivers\etc\hosts file.

127.0.0.1  dev.brainstorm.com

Create the authority and development certificates and store them in the local machine certificate store using PowerShell. Substitute "Brainstorm" with your company name and DNS entry. Run PowerShell as an administrator.

# Create authority certificate.
# TextExtension adds the Server Authentication enhanced key usage and the CA basic contraint.
$authorityCert = New-SelfSignedCertificate `
    -Subject "CN=Brainstorm CA,OU=IT,O=Brainstorm Certificate Authority,C=US" `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -KeyUsage CertSign, CRLSign, DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyExportPolicy Exportable `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(10) `
    -HashAlgorithm SHA256 `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "Brainstorm CA" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.19={critical}{text}ca=1")


# Create development certificate.
# Sign it with authority certificate.
# TextExtension adds the Server Authentication enhanced key usage.
$devCert = New-SelfSignedCertificate `
    -Subject "CN=Brainstorm,OU=Application Development,O=Brainstorm,C=US" `
    -DnsName dev.brainstorm.com `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyExportPolicy Exportable `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(10) `
    -HashAlgorithm SHA256 `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "Brainstorm" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -Signer $authorityCert

# Export authority certificate to file.
$directory = "C:\Users\Erik\Documents\Temp\Certificates\"
if(!(test-path $directory))
{
New-Item -ItemType Directory -Force -Path $directory
}
$authorityCertPath = 'Cert:\LocalMachine\My\' + ($authorityCert.ThumbPrint)
$authorityCertFilename = $directory + "Authority.cer"
Export-Certificate -Cert $authorityCertPath -FilePath $authorityCertFilename

# Import authority certificate from file to Trusted Root store.
Import-Certificate -FilePath $authorityCertFilename -CertStoreLocation "Cert:\LocalMachine\Root"

# Delete authority certificate file.
Remove-Item -Path $authorityCertFilename

Grant developer permission to host a website and service at specific URLs and ports (via IIS Express). Use standard SSL port for website, use another port for service. Why? IIS Express cannot simultaneously host two applications on same port differentiated by host name. They must use different ports.

netsh http add urlacl url=https://dev.brainstorm.com:443/ user="Erik"
netsh http add urlacl url=https://dev.brainstorm.com:44300/ user="Erik"

If you need to remove developer permission to host website at URL:

netsh http delete urlacl url=https://dev.brainstorm.com:443/
netsh http delete urlacl url=https://dev.brainstorm.com:44300/

List the certificates in Local Computer store.

Get-ChildItem -path "Cert:\LocalMachine\My"

Copy the thumbprint of the development certificate (not the authority certificate).

List the certificates bound to HTTP ports. (IIS Express configures ports 44300 - 44399 with its own SSL certificate.)

netsh http show sslcert

Copy the Application ID (it's the same for all IIS Express ports 44300 - 44399). Replace the website and service ports already bound by IIS Express with our development certificate (the certhash is the thumbprint from above). You may need to run netsh first, then enter http command, then enter add sslcert... command.

netsh http add sslcert hostnameport=dev.brainstorm.com:443 certhash=FE035397A4C44AB591A1D9D4DC0B44074D0F95BA appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certstore=my
netsh http add sslcert hostnameport=dev.brainstorm.com:44300 certhash=FE035397A4C44AB591A1D9D4DC0B44074D0F95BA appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certstore=my

If you need to unbind certificates from HTTP ports:

netsh http delete sslcert hostnameport=dev.brainstorm.com:443
netsh http delete sslcert hostnameport=dev.brainstorm.com:44300

In Visual Studio, configure the service's launchSettings.json file (in Properties folder):

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "https://dev.brainstorm.com:44300/",
      "sslPort": 44300
    }
  },
  "profiles": {
    "Default": {
      "commandName": "IISExpress",
      "use64Bit": true
    }
  }
}

In Visual Studio, configure the website's launchSettings.json file (in Properties folder):

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "https://dev.brainstorm.com/",
      "sslPort": 443
    }
  },
  "profiles": {
    "Default": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "use64Bit": true
    }
  }
}

Configure IIS Express (in hidden .vs/config folder):

In Firefox, navigate to about:config and set the security.enterprise_roots.enabled parameter to true.