====== Overriding Security Certificate Errors in Zotero ====== 

**Note:** These instructions are only for use with security software that intercepts/scans HTTPS connections, a WebDAV server with a self-signed certificate, or an institutional network that monitors encrypted traffic using a custom root certificate authority (CA). You should never override certificate errors unless you [[kb:ssl_certificate_error|understand the consequences]]. When in doubt, please contact your network administrator or ISP.
===== Self-Signed Certificate =====

Zotero does not currently provide a graphical way to whitelist self-signed certificates, so you will need to copy files from a working Firefox installation.

If you are using a WebDAV server with a self-signed certificate, you can open the WebDAV URL in Firefox, accept the certificate, and then copy the cert_override.txt file from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]].

==== Zotero 6 ====

Zotero 6 expects a cert_override.txt file created by Firefox 60 ESR, with a line in this form:

<code>192.168.xxx.xxx:1234    OID.2.16…    1D:E4:07:…    U    AAAA…</code>

If you create an override file with a newer version of Firefox, your cert_override.txt file may contain a line with a trailing colon after the port number ("1234" in this example) and may be missing one or more letters before "AAAA" ("U" in the above example):

<code>192.168.xxx.xxx:1234:    OID.2.16…    1D:E4:07:…    AAAA…</code>

To use such a file in Zotero 6, strip the colon from after the port number and add a "U" (untrusted cert) before "AAAA". To allow for a hostname mismatch, add "M".
==== Zotero 7 ====

Zotero 7 can currently read a cert_override.txt file from Firefox 115 ESR. A file from a later version of Firefox may or may not work.

===== Custom Certificate Authority =====
If you or your organization is using a custom certificate authority, which can be the case when using security software or connecting via a proxy server, Zotero may need to be configured to accept the custom CA:

  * **Windows/Mac:** Zotero 7 will automatically use the system root certificate store, which in most cases should allow it to work automatically like other browsers on the system.
  * **Linux**: Zotero is based on Firefox and uses the same certificate mechanism, so you or your IT department will need to configure Firefox for the custom CA in a new Firefox 115 ESR profile and then copy the cert9.db, key4.db, and pkcs11.txt files from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]].


{{tag>kb }}