MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Key idea:

The certificate is signed by itself, not by a trusted CA chain. Firefox cannot verify authenticity and blocks the page. For production: get a real cert (Let's Encrypt is free, certbot takes 5 minutes). For dev/staging: use mkcert (creates a local CA + system-trusted certs) or add a per-host exception in Firefox.

Details

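  • Self-signed = subject == issuer (the full distinguished name, not only the CN), with the signature made by the certificate's own key. openssl x509 -noout -issuer -subject prints both fields so you can compare them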
  • Production: Let's Encrypt via certbot — automated 90-day cert + auto-renew. Free
  • Dev: mkcert — installs a local root CA + generates certs trusted on the machine
  • Exception in Firefox: "Advanced → Accept the Risk and Continue" (only if you trust the host)
  • Internal infrastructure (corp): use an internal CA + GPO/MDM distribution of the root cert

Example

# 1. Production fix — Let's Encrypt (Ubuntu, nginx)
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
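# Auto-renew is set up by the package: /etc/cron.d/certbot, or the certbot.timer unit on systemd hosts
# Confirm renewal works with: sudo certbot renew --dry-run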

# 2. Dev fix — mkcert (macOS / Linux / Windows)
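brew install mkcert  # or choco install mkcert
# Firefox keeps its own NSS trust store: install certutil first (brew install nss,
# or apt install libnss3-tools) so that mkcert -install can add the CA there too
mkcert -install      # installs the local CA in the system trust store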
mkcert example.local localhost 127.0.0.1
# Outputs: example.local+2.pem (cert) + example.local+2-key.pem
# nginx: ssl_certificate /path/example.local+2.pem; ssl_certificate_key ...

# 3. Detect cert type
openssl x509 -in cert.pem -noout -issuer -subject
# If issuer == subject — self-signed
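
The check in step 3 compares names only. The following added example (not from the original page; the function names `dn`, `classify_cert`, `make_samples`, `demo` and the sample certificates are constructed for illustration) compares the full issuer and subject names and then confirms the self-signature, which separates a truly self-signed certificate from one that merely repeats its issuer's name:

```shell
#!/bin/sh
# Added example; function names and sample certificates are constructed.

# Print one DN field ("subject" or "issuer") of PEM file $1, without its label.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Print "ca-issued", "self-signed" or "self-issued" for the PEM file in $1.
classify_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "unreadable"; return 2; }
    # Compare the whole distinguished name; two different DNs can share a CN.
    if [ "$(dn "$1" subject)" != "$(dn "$1" issuer)" ]; then
        echo "ca-issued"
        return 0
    fi
    # Names match, so use the certificate as its own trust anchor.
    # -check_ss_sig makes openssl verify the self-signature (off by default);
    # -no_check_time keeps an expired certificate from failing the test.
    if openssl verify -check_ss_sig -no_check_time -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "self-issued"   # same name, but signed by some other key
    fi
}

# Constructed sample input: throwaway certificates written into directory $1.
make_samples() {
    # self.pem: signed with its own key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.local" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
    # ca.pem: a test CA that issues the two certificates below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Dev CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # leaf.pem: ordinary CA-issued leaf; same.pem: reuses the CA's name as subject.
    for pair in "leaf:leaf.example.local" "same:Test Dev CA"; do
        f=${pair%%:*}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${pair#*:}" \
            -keyout "$1/$f.key" -out "$1/$f.csr" 2>/dev/null
        openssl x509 -req -in "$1/$f.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -CAcreateserial -days 1 -out "$1/$f.pem" 2>/dev/null
    done
}

# Demo: classify each sample.
demo() {
    d=$(mktemp -d) && make_samples "$d"
    for f in self leaf same; do echo "$f.pem: $(classify_cert "$d/$f.pem")"; done
    rm -rf "$d"
}
demo
```

To check a real certificate, call `classify_cert cert.pem` on the PEM file your server presents.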

TL;DR: Fixing MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT in Firefox

To resolve the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT error in Firefox, you need to ensure that your website's SSL certificate is trusted. This can be achieved by either obtaining a valid SSL certificate from a trusted Certificate Authority (CA) or manually adding the self-signed certificate to Firefox's certificate store. For detailed steps, see the sections below.

Understanding the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT Error

The MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT error occurs when Firefox encounters a self-signed SSL certificate that it cannot verify against a trusted Certificate Authority (CA). This indicates that the certificate is not trusted by default, which is a common scenario in development environments or when using self-signed certificates for testing purposes.

When a browser connects to a website, it checks the SSL certificate presented by the server. If the certificate is self-signed, the browser will not find a chain of trust leading to a recognized CA, triggering the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT error. This is a security measure to prevent man-in-the-middle attacks and ensure secure communications.

To resolve this issue, there are two primary approaches:

  • Obtain a Valid SSL Certificate: The most straightforward solution is to acquire an SSL certificate from a trusted CA, such as Let's Encrypt, DigiCert, or Comodo. This will ensure that your certificate is recognized by all major browsers.
  • Add the Self-Signed Certificate to Firefox: If you must use a self-signed certificate (e.g., for development purposes), you can add it to Firefox's trusted certificates manually. This allows Firefox to accept the self-signed certificate without throwing an error.

How to Manually Add a Self-Signed Certificate to Firefox

If you decide to use a self-signed certificate, you can add it to Firefox's certificate store to eliminate the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT error. Follow these steps:

  1. Export the Self-Signed Certificate: If you have access to the server, you can export the self-signed certificate. The command below can be used to export the certificate in PEM format:
     openssl x509 -in your_certificate.crt -out your_certificate.pem -outform PEM
  2. Open Firefox Settings: Launch Firefox and navigate to the menu by clicking the three horizontal lines in the upper right corner. Select Settings.
  3. Access Certificates: In the Settings tab, search for Certificates in the search bar or scroll down to Privacy & Security. Click on View Certificates.
  4. Import the Certificate: In the Certificate Manager window, go to the Authorities tab and click Import. Select the PEM file you exported earlier and click Open.
  5. Trust the Certificate: A dialog box will appear asking how you want to trust this certificate. Check the box for Trust this CA to identify websites and click OK.
  6. Restart Firefox: Close the Certificate Manager and restart Firefox to apply the changes.

After completing these steps, navigate back to the website that previously gave you the error. The MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT should no longer appear, allowing you to establish a secure connection without issues.

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and known vulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Common Mistakes

  • Expired certificate: Browsers block sites with expired SSL. Set up auto-renewal or monitoring.
  • Incomplete certificate chain: Without intermediate CA, some browsers and bots cannot verify the certificate.
  • Mixed content on HTTPS site: HTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
  • Using TLS 1.0/1.1: Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
  • Domain mismatch in certificate: The certificate must cover all site domains, including www and subdomains.

Best Practices

  • Set up auto-renewal: Let's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
  • Enable HSTS: Strict-Transport-Security header forces browsers to always use HTTPS.
  • Use TLS 1.3: TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
  • Monitor expiration dates: Create a monitor on Enterno.io — get notified well before expiration.
  • Verify chain after renewal: After certificate renewal, confirm that intermediate certificates are installed.

Frequently Asked Questions

Can I leave self-signed in production?

No — every visitor sees a warning, search engines flag the site as unsafe, forms fail (mixed content). Let's Encrypt is free and automated.

mkcert vs openssl self-sign?

mkcert puts a local CA in the OS trust store — browsers trust automatically. openssl self-sign — you have to manually add an exception in every browser on every machine.

What about HSTS preload + self-signed?

If the domain is in the HSTS preload list — Firefox blocks hard (even the exception button is gone). Only preload after you have a real cert.
