Certificate Depot

Guides

Home › Guides › Trust in Firefox

How to Trust a Self-Signed Certificate in Firefox

Firefox ignores the OS trust store by default. Here's how to add your cert to Firefox's own store.

Firefox is the only major browser that maintains its own certificate store separate from the operating system. Installing a cert in Keychain (macOS), Certificate Manager (Windows), or /etc/ssl/certs/ (Linux) won't affect Firefox.

Option 1: Enable OS trust store

Since Firefox 49, you can make Firefox honor the OS trust store via a preference:

  1. Open about:config in Firefox.
  2. Accept the warning.
  3. Search for security.enterprise_roots.enabled.
  4. Set it to true.
  5. Restart Firefox.

Firefox will now trust certificates installed in the OS trust store. This is the easiest option if you've already installed the cert OS-wide.

Option 2: Import directly into Firefox

Use this if you only want Firefox to trust the cert (not the whole OS), or if the enterprise_roots option isn't working.

  1. Open Firefox Settings.
  2. Search for "certificates".
  3. Click View Certificates….
  4. Go to the Authorities tab.
  5. Click Import…, select your .pem or .crt file.
  6. Check Trust this CA to identify websites, click OK.
  7. Restart Firefox (sometimes not required, but safer).

Option 3: Import via the warning page

When Firefox shows "Warning: Potential Security Risk Ahead" for your self-signed site:

  1. Click Advanced….
  2. Click Accept the Risk and Continue.

This adds an exception for that specific site, but only until you clear browsing data or the cert changes. For persistent trust, use Options 1 or 2.

Command line: certutil (for scripting)

Firefox's cert DB is an NSS database, editable with certutil from libnss3-tools (Linux) or the Firefox installation's bin/ directory (macOS/Windows).

Find the Firefox profile:

# Linux/macOS
ls ~/.mozilla/firefox/  # Linux
ls ~/Library/Application\ Support/Firefox/Profiles/  # macOS
# Pick the default profile, e.g. abcd1234.default-release

Add the cert:

certutil -A -n "My Cert" -t "C,," \
  -i certificate.pem \
  -d ~/.mozilla/firefox/abcd1234.default-release

The -t "C,," flag marks it as a trusted CA for SSL.

Verify it worked

Visit your HTTPS site in Firefox. The padlock should be solid (not grayed out or with a warning). Click the padlock and "Connection secure" — it should show your certificate's details.

Troubleshooting

Certificate imports but site still shows warning

You imported it as a server cert instead of a CA. Go back to View Certificates › Authorities (not Your Certificates or Servers) and re-import with the "Trust this CA" checkbox.

enterprise_roots doesn't seem to do anything

It only works for certificates marked as "Trusted Root CA" in the OS. If you installed your cert as a regular trusted cert (not a root), Firefox won't pick it up.

Cert is trusted but Firefox still complains about SANs

Trusting a cert doesn't bypass the SAN check. The certificate must include a Subject Alternative Name matching the hostname you're visiting. Check with our PEM decoder.

Need a self-signed certificate? Use our free generator — browser-compatible SANs, RSA or ECDSA, ZIP or PFX. No signup, no ads, keys never stored.

Further Reading