Firefox Dev Cert

Trusting a Self-Signed Cert in Firefox (macOS)

Problem

A self-signed cert for localhost was not being accepted by Firefox despite adding a server exception and importing it into the Authorities tab.

Root Cause

The cert was imported into Firefox's certificate DB but with no trust attributes set (,,). The Firefox UI checkbox for "This certificate can identify websites" did not actually save the trust settings properly.

Diagnostic Steps

  1. Confirmed the cert SANs were correct (DNS:localhost, IP:127.0.0.1, IP:::1)
  2. Confirmed the server was serving the correct cert by comparing SHA1 fingerprints via openssl s_client
  3. Confirmed CA:TRUE was set in Basic Constraints
  4. Checked the Firefox cert DB with certutil -L and found trust attributes were empty (,,)

Fix

Set trust attributes directly via certutil:

certutil -M -n "localhost" -t "CT,," \
  -d "$HOME/Library/Application Support/Firefox/Profiles/ytbu39f4.default-release"

Then clear Firefox's startup cache (about:support → Clear Startup Cache) and restart.

Key Notes

  • CT,, = trusted Certificate Authority for SSL
  • The Firefox UI import dialog may not reliably save trust settings — use certutil -M to set them explicitly
  • Always verify trust attributes with certutil -L after importing
  • A cache clear is sometimes required after cert trust changes
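
The verification step from the Diagnostic Steps and Key Notes, as an added example that is not part of the original note: it parses a certutil -L listing and reports whether a nickname carries the C flag in its SSL trust field. The listing is constructed sample output, and the function names (sample_listing, is_trusted_ssl_ca, check_profile) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <profile>` output (not from a real profile).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

localhost                                                    ,,
Dev Root CA                                                  CT,,
Mail Only CA                                                 ,C,
EOF
}

# Reads a `certutil -L` listing on stdin and checks the nickname given as $1.
# Exit status: 0 = SSL trust field contains C (trusted CA for server certs),
#              1 = nickname present but SSL field lacks C (e.g. ",,"),
#              2 = nickname not in the listing.
is_trusted_ssl_ca() {
  awk -v want="$1" '
    # Data rows end in a three-part trust column such as "CT,," or ",,".
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trust column
      sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
      if (nick == want) {
        found = 1
        split($NF, flags, ",")                # flags[1] is the SSL field
        if (index(flags[1], "C") > 0) ok = 1
      }
    }
    END { if (!found) exit 2; exit (ok ? 0 : 1) }
  '
}

# Hypothetical wrapper for a real profile: check_profile <profile-dir> <nickname>
check_profile() {
  certutil -L -d "$1" | is_trusted_ssl_ca "$2"
}

# Demo on the constructed listing.
for nick in "localhost" "Dev Root CA" "Mail Only CA"; do
  if sample_listing | is_trusted_ssl_ca "$nick"; then
    echo "$nick: trusted as SSL CA"
  else
    echo "$nick: NOT trusted as SSL CA; fix with certutil -M -n \"$nick\" -t \"CT,,\""
  fi
done
```

Matching on the nickname column rather than the last word matters because nicknames can contain spaces, and the distinct exit status for a missing nickname separates "imported without trust" from "never imported".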