[openssl-users] Self signed cert issue

Wouter Verhelst wouter.verhelst at fedict.be
Fri Sep 15 13:32:17 UTC 2017


On 15-09-17 15:24, Richard Olsen wrote:
> "host.local.com uses an invalid security
> certificate. The certificate is not trusted because the issuer
> certificate is unknown. The server might not be sending the appropriate
> intermediate certificates. An additional root certificate may need to be
> imported."
> Error code "SEC_ERROR_UNKNOWN_ISSUER"

This is the normal message you get from Firefox when your certificate is
self-signed. It appears because Firefox doesn't know the certificate
issuer (obviously), and is important so as to avoid an MITM attack.

You have three options:

- (preferred) use something like Let's Encrypt to get a public-trusted
certificate (although obviously that won't work if your site is not on
the public Internet)
- Create your own private CA that you then import as trusted into the
browsers on your network (rather a lot of work, but probably the better
option if this isn't just a home experiment)
- Tell Firefox to ignore the fact that it's a self-signed certificate by
clicking on the "Add exception..." button. In the dialog that appears,
make sure that the "Permanently store this exception" option is checked,
and hit "Confirm security exception". You will need to do this on every
machine that wants to connect to your server, for every certificate that
you create in this way, which may be a lot of work; if you don't want
that, see above.

-- 
Wouter Verhelst
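
The second option in the message above (a private CA whose certificate is imported into the browsers), shown with the openssl CLI as an added example that is not part of the original message. File names, subject names, lifetimes and the unencrypted keys (`-nodes`) are assumptions for illustration; `host.local.com` is the host name from the quoted error.

```shell
#!/usr/bin/env bash
# Added example. Names, file layout and lifetimes are assumptions.

write_config() {     # $1 = working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.local.com
EOF
}

make_ca() {          # private root; ca.crt is the file imported into browsers
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=Example Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_host_cert() {  # CSR for the server, then signed by the private CA
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=host.local.com" -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions v3_host -sha256 \
    -days 365 -out "$1/host.crt" 2>/dev/null
}

make_self_signed() { # self-signed certificate (issuer == subject), for comparison
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_host -newkey rsa:2048 \
    -nodes -sha256 -days 365 -subj "/CN=host.local.com" \
    -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null
}

trusted() {          # $1 = dir, $2 = cert; chain and host name checked against ca.crt
  openssl verify -CAfile "$1/ca.crt" -verify_hostname host.local.com \
    "$1/$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
write_config "$dir" && make_ca "$dir" && issue_host_cert "$dir" && make_self_signed "$dir"
trusted "$dir" host.crt && echo "host.crt: chains to the private CA"
trusted "$dir" self.crt || echo "self.crt: issuer unknown to a client that trusts only ca.crt"
rm -rf "$dir"
```

Only `ca.crt` goes into the browsers' trust stores; `ca.key` stays off the web server, which needs just `host.key` and `host.crt`.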

