[GH-ISSUE #1859] Windows: MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY in Firefox #1852

New issue

Closed

opened 2026-03-03 19:54:56 +03:00 by kerem · 1 comment

kerem commented 2026-03-03 19:54:56 +03:00

Owner

Copy link

Originally created by @cwirving on GitHub (Nov 27, 2023).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1859

Description

The TLS certificate used by Proxyman for Windows has the CA basic constraint set to true (unlike on macOS where it is false, which means that Firefox fails to validate any intercepted connections. The underlying Mozilla code clearly checks for this condition and has returned an error for many years.

See the Mozilla documentation for an explanation of the error code.

Steps to Reproduce

1. Install Proxyman for Windows, including Firefox-specific instructions
2. Start Proxyman
3. Set up SSL proxying for a domain of your choice
4. Visit any page in the domain using Firefox: it fails with MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY
5. Visit the same page using another browser: it works and you can see the proxied requests in Proxyman

Current Behavior

Firefox rejects the proxied certificate because it has the Certificate Authority basic constraint enabled.

Expected Behavior

The certificate is acceptable to Firefox and the page opens normally.

Environment

• App version: Proxyman for Windows 2.8.0
• Windows version: Windows 11 22H2 (Build 22621.2715)

Originally created by @cwirving on GitHub (Nov 27, 2023). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1859 ## Description The TLS certificate used by Proxyman for Windows has the CA basic constraint set to true (unlike on macOS where it is false, which means that Firefox fails to validate any intercepted connections. The [underlying Mozilla code](https://github.com/mozilla/gecko-dev/blob/acab011f9478c025c214139fcb811f2dd4f2fe86/security/nss/lib/mozpkix/lib/pkixcheck.cpp#L703) clearly checks for this condition and has returned an error for many years. See the [Mozilla documentation](https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox) for an explanation of the error code. ## Steps to Reproduce 1. Install Proxyman for Windows, including Firefox-specific instructions 2. Start Proxyman 3. Set up SSL proxying for a domain of your choice 4. Visit any page in the domain using Firefox: it fails with MOZILLA_PKIX_CA_CERT_USED_AS_END_ENTITY 5. Visit the same page using another browser: it works and you can see the proxied requests in Proxyman ## Current Behavior Firefox rejects the proxied certificate because it has the Certificate Authority basic constraint enabled. ## Expected Behavior The certificate is acceptable to Firefox and the page opens normally. ## Environment - App version: Proxyman for Windows 2.8.0 - Windows version: Windows 11 22H2 (Build 22621.2715)

kerem 2026-03-03 19:54:56 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 19:54:57 +03:00

Author

Owner

Copy link

@cwirving commented on GitHub (Nov 27, 2023):

I'm sorry. I didn't realize that there was a different GitHub project for the Windows version. Will close this one and move it over there.

<!-- gh-comment-id:1828446479 --> @cwirving commented on GitHub (Nov 27, 2023): I'm sorry. I didn't realize that there was a different GitHub project for the Windows version. Will close this one and move it over there.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

6.9.0

6.8.0

6.7.0

6.6.0

6.5.0

6.4.0

6.3.0

6.2.0

6.1.0

6.0.2

6.0.0

6.0.1

5.25.0

5.24.0

5.23.0

5.23.1

5.22.0

5.20.0

5.21.0

5.19.0

5.18.0

5.17.0

5.16.0

5.15.0

5.14.0

5.12.2

5.12.1

5.12.0

5.11.0

5.10.0

5.8.0

5.9.0

5.7.0

5.6.1

5.6.0

5.5.0

5.4.0

5.2.0

5.3.0

5.1.1

5.0.0

4.16.0

4.15.0

4.14.0

4.13.0

4.12.0

4.11.0

4.10.0

4.9.1

4.9.0

4.8.2

4.8.1

4.8.0

4.7.1

4.7.0

4.6.1

4.6.0

4.5.0

4.4.0

4.3.1

4.3.0

4.2.1

4.2.0

4.1.0

4.0.0

3.15.0

3.14.0

3.13.0

3.12.0

3.11.0

3.10.0

3.9.0

3.8.0

3.7.0

3.6.2

3.6.1

3.6.0

3.5.2

3.5.1

3.5.0

3.4.0

3.3.0

3.2.0

3.1.0

3.0.0

2.35.4

2.35.3

2.35.2

2.35.1

2.35.0

2.34.1

2.34.0

2.33.0

2.32.1

2.32.0

2.31.0

2.30.0

2.29.0

2.28.0

2.27.0

2.26.0

2.25.0

2.24.0

2.23.0

2.22.0

2.21.1

2.21.0

2.20.0

2.19.0

2.18.0

2.17.0

2.16.1

2.16.0

2.15.2

2.15.1

2.15.0

2.14.2

2.14.1

2.14.0

2.13.0

2.12.0

2.11.1

2.11.0

2.10.0

2.9.1

2.9.0

2.8.0

2.7.0

2.6.0

2.5.3

2.5.2

2.5.1

2.5.0

2.4.2

2.4.1

2.4.0

2.3.0

2.2.0

2.1.1

2.1.0

2.0.1

2.0.0

1.24.0

1.23.0

1.22.0

1.21.0

1.20.0

1.19.0

1.18.1

1.18.0

1.17.1

1.17.0

1.16.0

1.15.0

1.14.1

1.14.0

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.7

1.4.6

1.4.5.1

1.4.5

1.4.4.1

1.4.4

1.4.3

1.4.2

1.4.1.1

1.4.1

1.4

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4.3

1.3.4.2

1.3.4.1

1.3.4

1.3.3

1.3.2

1.3.1

1.3

1.2

1.1.2

1.1.1

1.1

1.0.3

1.0.2

1.0

0.8.1

0.8

0.7

0.6

0.5.1

0.5

v0.4.1

Labels

Clear labels   

Discussion

  

Feature request

  

In Progress...

  

Plugins

  

Waiting response

  

Windows

  

Windows

  

bug

  

duplicate

  

enhancement

  

feature

  

good first issue

  

iOS

  

macOS 10.11

  

question

  

wontfix

  

✅ Done

No labels

Discussion

Feature request

In Progress...

Plugins

Waiting response

Windows

Windows

bug

duplicate

enhancement

feature

good first issue

iOS

macOS 10.11

question

wontfix

✅ Done

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/Proxyman#1852

No description provided.