Creating a CSR and SSL Certificate with SAN Extensions


Problem:

As described in the linked post "Few days ago (after an update) FF simply refused to accept my self-signed certificate anymore", Firefox now requires SAN (Subject Alternative Names) to be present in the certificate:

It must be due to the removed "subject common name" fallback support in certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA/Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818. Firefox from 101.0 onward no longer uses the certificate CN (Common Name) for matching a domain name to a certificate and has migrated to only using the SAN (Subject Alternative Name), so if you self-sign for internal devices you'll need to regenerate.

Solution:

Following the linked guide "Know about SAN Certificate and How to Create With OpenSSL", the steps below create, generate and verify a CSR with SAN:

  • Create a san.cnf file in your local environment. The line marked `<---` is the fix:

```ini
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no # <--- This is required to fix the OpenSSL output bug
[ req_distinguished_name ]
countryName                 = CA
stateOrProvinceName         = ON
localityName               = Toronto
organizationName           = Acme
commonName                 = example.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = example.com
DNS.2   = www.example.com
```

  • Generate the CSR, referencing the san.cnf config file:

```bash
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf
```

  • Verify the SANs present within the CSR:

```bash
openssl req -noout -text -in sslcert.csr | grep DNS
```

Problem:

From the BUGS section of the OpenSSL req documentation (OpenSSLDocs -> Bugs):

Extensions in certificates are not transferred to certificate requests and vice versa.

Solution:

Following the linked answer "How to create a self-signed SSL Certificate with SubjectAltName(SAN)":

  • Create a config file for the SAN, for example:

Quick note: if you leave basicConstraints = CA:TRUE, Firefox will think your cert is a CA and deny your request. Omitting that will fix the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY issue you're getting. Worth noting that, as far as I know, Firefox will deny all self-signed certs, and you can't get around it with security exceptions.

```bash
touch v3.ext
```

```ini
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:FALSE
# keyCertSign is omitted: RFC 5280 only allows it when basicConstraints is CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
subjectAltName         = DNS:example.meme, DNS:www.example.meme
issuerAltName          = issuer:copy
```

  • Generate the X.509 certificate, using the -extfile v3.ext flag to include the SANs (the command signs the CSR with an existing CA key pair, ca-cert.pem and ca-key.pem):

```bash
openssl x509 -req -days 365000 -set_serial 04 \
   -in sslcert.csr \
   -out server-cert.pem \
   -CA ca-cert.pem \
   -CAkey ca-key.pem \
   -extfile v3.ext
```

It's unknown whether both the CSR and the certificate need to be generated with their respective san.cnf and v3.ext config files in tandem, but doing so is recommended, at least for consistency.

Verify the SANs present within the certificate:

```bash
openssl x509 -text -noout -in server-cert.pem | grep -A 1 "Subject Alternative Name"
```
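The whole procedure run end to end in a scratch directory, as an added example rather than part of the original gist: it writes the san.cnf and v3.ext from above (SAN for example.com and www.example.com), creates a throwaway CA of its own since the page's signing command assumes ca-cert.pem and ca-key.pem already exist, and then checks the result the way Firefox would, by hostname match against the SAN only. The `ca_ext` section, the "Test CA" subject and the `check_san_cert` function are this example's own additions.

```shell
set -eu
# Writes one config with the CSR section from the page plus a CA section, creates a
# throwaway CA (the page's x509 -req command assumes ca-cert.pem and ca-key.pem
# already exist), the SAN CSR, and the leaf cert signed with -extfile.
make_san_cert() {
  dir="$1"
  cat > "$dir/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
commonName = example.com
[ req_ext ]
subjectAltName = DNS:example.com, DNS:www.example.com
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # v3.ext as on the page, minus keyCertSign (RFC 5280 forbids it with CA:FALSE)
  cat > "$dir/v3.ext" <<'EOF'
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = DNS:example.com, DNS:www.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -config "$dir/san.cnf" -extensions ca_ext \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
    -out "$dir/sslcert.csr" -config "$dir/san.cnf" 2>/dev/null
  openssl x509 -req -days 365 -set_serial 04 -in "$dir/sslcert.csr" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -extfile "$dir/v3.ext" \
    -out "$dir/server-cert.pem" 2>/dev/null
}
# Succeeds only if the leaf chains to the CA, is CA:FALSE, and matches the hostname
# through its SAN, which is the check Firefox 101+ performs (CN is ignored).
check_san_cert() {
  dir="$1"
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$dir/server-cert.pem" | grep -q 'CA:FALSE' || return 1
  openssl verify -CAfile "$dir/ca-cert.pem" -verify_hostname www.example.com \
    "$dir/server-cert.pem" >/dev/null 2>&1
}
work=$(mktemp -d)
make_san_cert "$work"
check_san_cert "$work" && echo "OK: $work/server-cert.pem carries the SAN and is CA:FALSE"
```

Swap the SAN entries in both files for your own hostnames; the hostname check on the last line fails for a certificate that carries the name only in its CN, which is exactly the failure Firefox reports.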
