I’m developing an extension to display more information about the current TLS connection.
However, I can’t seem to get the certificate chain for self-signed or otherwise invalid certificates the user has manually accepted (for e.g. LAN/IP sites, altnet domains, internal sites pre-PKI, etc.)
`securityInfo.certificates` works fine iff the cert chain leads back up to a CA that’s been explicitly trusted by the user, their IT team, or Mozilla—but, when the certificate chain is otherwise, this is just an empty array.
If this is a design choice, to represent the fact that the certificate chain isn’t valid-per-se, then
- It’s redundant with these connections’ `securityInfo.state=="insecure"`
- It’s harmful, because it deprives me, the extension developer, access to see the ostensibly-invalid certificate and take action based on its contents
Therefore, I’m asking that, if it’s a bug, it be fixed; and, if it’s a design choice, that it be reconsidered for the above 2 reasons.
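
An added example, not part of the original post: one way an extension can tell the reported case (an HTTPS request whose `securityInfo.certificates` is empty) apart from plain HTTP and from a connection with a visible chain. `describeConnection` and the sample objects are hypothetical; the listener assumes a Firefox extension with the `webRequest` and `webRequestBlocking` permissions.

```javascript
// Hypothetical helper: summarise a SecurityInfo object for one request URL.
function describeConnection(url, securityInfo) {
  const chain = securityInfo.certificates || [];
  if (new URL(url).protocol !== "https:") {
    return { kind: "not-tls", state: securityInfo.state, chainLength: 0, leaf: null };
  }
  if (chain.length === 0) {
    // HTTPS request with no certificates exposed: the case the post reports
    // for certificates the user accepted manually.
    return { kind: "tls-chain-unavailable", state: securityInfo.state, chainLength: 0, leaf: null };
  }
  const leaf = chain[0]; // the server certificate comes first in the array
  return {
    kind: "tls-chain-visible",
    state: securityInfo.state,
    chainLength: chain.length,
    leaf: { subject: leaf.subject, issuer: leaf.issuer, sha256: leaf.fingerprint.sha256 },
  };
}

// Registered only when running inside an extension; skipped elsewhere.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      // getSecurityInfo must be called from a blocking onHeadersReceived listener.
      const info = await browser.webRequest.getSecurityInfo(details.requestId, {
        certificateChain: true,
      });
      console.log(details.url, describeConnection(details.url, info));
    },
    { urls: ["https://*/*"], types: ["main_frame"] },
    ["blocking"]
  );
}

// Constructed sample inputs (not captured from a real browser session).
const SAMPLE_VISIBLE = {
  state: "secure",
  certificates: [
    { subject: "CN=example.test", issuer: "CN=Example Intermediate", fingerprint: { sha256: "AA:BB" } },
    { subject: "CN=Example Intermediate", issuer: "CN=Example Root", fingerprint: { sha256: "CC:DD" } },
  ],
};
const SAMPLE_ACCEPTED_EXCEPTION = { state: "insecure", certificates: [] };
```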