Some Background

In early 2014, the Mozilla Foundation released a new library for certificate verification called mozilla::pkix. This library was built to be more robust and maintainable than its predecessors, using techniques such as building multiple trust chains to be used in the verification process. With this new library came some changes to the enforcement of some requirements in Mozilla's CA Certificate Policy. While most users may not notice any difference, a subset of users has definitely been affected. Specifically, using self-signed certificates can lead to failed verification of the certificate chain. In such instances, the connection is refused outright, and you are shown the following error:

An error occurred during a connection to

Issuer certificate is invalid.

(Error code: sec_error_ca_cert_invalid)

It is currently still possible to work around this by disabling support for the new mozilla::pkix library. Be aware, however, that doing so may leave you at slightly higher risk of malicious connections going uncaught by verification. Use this method at your own risk.

Disabling mozilla::pkix

  • In your Firefox browser, type about:config into the address bar, and press Enter.
  • Search for security.use_mozillapkix_verification and set it to true (you can double-click on it to do so).

Now you should be able to reload the page you were trying to connect to and receive your familiar prompt about the unsafe connection. Simply accept the exception to continue on your way.