Https issues with browser (self signed cert not working)

Hi all, can anyone tell me what im doing wrong? Aim is to get browser (Firefox) to trust a certificate generated using the guide at

so i dont get the insecure warning when i log on to LuCI

all went well, with mycert.crt and mycert.key generated ok. But trying to import the crt to firefox (or Chrome) fails. I use preferences > privacy & security > certificates > view certificates and then navigate to the crt on my laptop. Hitting import generates the error "this personal certificate cannot be installed because you do not own the corresponding private key which was created when the certificate was requested."
I tried copying the key from my router, but still get this error when I try to import it.

any ideas??

What happens when you add by browsing to the page?

ive rebooted the laptop and still get the insecure warning from firefox...

It imho makes more sense to add OpenWrt's self-generated ssl cert to the few devices regularly used for administration tasks (as in accepting the certificate once, and yes, that works in firefox), than to generate a local CA and certs as described in that guide. The local CA is a) more work to create and deploy and b) has man-in-the-middle potential and might become a serious security risk, if not treated properly.


ooh...I didnt know I could do that, is there any instructions anywhere?

When encountering a self-signed certificate, firefox will offer you to create an override for it (to remember it), afterwards it won't bother you about this device/ cert combination anymore (aside from displaying a yellow warning label over the ssl-lock in the URL bar).

Hi there
my version of firefox (77.0.i) for Linux, doesn't offer to store the exception. It can just go back (recommended) or accept the risk and continue.
FF doesn't store the 'accept the risk' and theer is no button to create a permanent exception

$ LANG= dpkg -l firefox | cat -
Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend|/ Err?=(none)/Reinst-required (Status,Err:uppercase=bad)
||/ Name           Version      Architecture Description
ii  firefox        77.0-1       amd64        Mozilla Firefox web browser

there is.

this is what I see when i go to LuCi - with no option to make a permanent exception.

What happens when you click on "Accept the Risk and Continue"?

1 Like

it takes me to the LuCi login page

1 Like

That sounded like your solution...but...odd they don't have the option available like in older versions...

Well, you can also hit "Accept the Risk and Continue;" but if you insist on the permanent exception:

My way: generate CA, then certs. Install cert on the device, import CA in the browser.

1 Like

thought that had solved it, the server tab now logs the self signed cert as permanent, but on rebooting and log on to Luci I still get the browser warning!
Maybe this is something Ill just have to live with...