How to stop Firefox from prompting for the client certificate

I am using a client certificate to authenticate against some Apache HTTPS website.

By default, Firefox 3 has a very annoying setting: it will prompt you with a box to select your certificate every time the browser accesses a file.

I quickly realized that there is no setting in the preferences tab to change this behavior. That sucks, really!

Fortunately, it is possible to tweak it within the about:config page. Set the security.default_personal_cert entry to Select Automatically instead of Ask Every Time.

But what dumb behavior!

It is like the alert page that Firefox displays every time a self-signed certificate is used. I am now wondering if the developers really understood what a certificate is!

6 thoughts on “How to stop Firefox from prompting for the client certificate”

  1. BH

    I agree that it is super annoying. With that said, the reason they went out of their way to make it annoying is so you don’t enter personal information into a site with a fake SSL certificate.

    In other words, if someone builds a fake PayPal web site that looks identical to the original, and redirects you there to enter your password (which they can capture), your only way to detect this sort of attack is to notice that the SSL certificate for the fake site is INVALID.

    So by having to click through a ton of boxes, the intention was that you would have to stop and think if you really trust the site for which you are obtaining the “fake” certificate.

    Real certificates cost money, so fake ones are popular for valid sites, as well as invalid/malicious sites.


  2. Anonymous

    I have the opposite problem: I have two different certificates for the same web sites and my browser doesn’t allow me to choose which cert to use. I already deleted the wrong certificate (I backed it up before because I’ll need it again) and deleted the cookies, but nothing helped. Changing the setting you’re mentioning here didn’t help either; it is already set to “ask every time”.

  3. phocean Post author

    @Anonymous: Have you tried with another browser? Just to make sure that it is not a server setting issue… It could be that there is something wrong with the client certificate requirement for the directory. Also, check the logs carefully: if it is a browser issue, you will see a message like “TLS negociation rejected by client”.

  4. beelzi

    The really problematic aspect of choosing “Select automatically” is that you lose all control over what sites can ask your browser to authenticate with your PERSONAL certificate! Which means every website secured with SSL can potentially acquire all of the personal information in your personal certificate, which includes a unique fingerprint and may also include your e-mail address, first and last name, your country, your company and more! Not nice – at all, if you ask me.
    What really would be required are two options to “Choose automatically / manually for known domains”, which will add webpages/domains to a whitelist with a convenient UI button or a similar feature.
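
An added example, not part of the original post or its comments: a small Python check that reports whether a Firefox profile has `security.default_personal_cert` switched to automatic selection, the state beelzi's comment warns about. It assumes the pref is stored as a `user_pref(...)` line in the profile's `prefs.js` or `user.js` and treats an unset pref as the post's stated default, Ask Every Time; the function names and sample text are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PREF = "security.default_personal_cert"
DEFAULT = "Ask Every Time"  # default behaviour as described in the post
# Matches lines such as: user_pref("name", "string value");
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS = '''// constructed prefs.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.default_personal_cert", "Select Automatically");
'''
SAMPLE_USER = '''// constructed user.js restoring the prompt
user_pref("security.default_personal_cert", "Ask Every Time");
'''

def read_pref(text, name=PREF):
    """Return the last string value assigned to `name`, or None if unset.
    Commented-out lines do not match because the pattern is anchored."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def effective_value(prefs_js="", user_js=""):
    """user.js is applied on top of prefs.js at startup, so it wins."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return DEFAULT

def audit_profile(profile_dir):
    """Report the effective setting for one Firefox profile directory."""
    texts = []
    for name in ("prefs.js", "user.js"):
        f = Path(profile_dir) / name
        texts.append(f.read_text(encoding="utf-8", errors="replace") if f.is_file() else "")
    value = effective_value(*texts)
    return {"profile": str(profile_dir), "value": value,
            "auto_select": value == "Select Automatically"}

if __name__ == "__main__":
    for directory in sys.argv[1:]:  # pass one or more profile directories
        print(audit_profile(directory))
```
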

