User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

Upgraded from Firefox 30 to 31.
Visited a Tripwire Enterprise 8.3 console at https://some.host.local
There is a two-certificate chain for some.host.local --> TripmasterDSA

Actual results:

Got a message:
An error occurred during a connection to some.host.local
Issuer certificate is invalid.
(Error code: sec_error_ca_cert_invalid)

Expected results:

In earlier versions, before the pkix conversion, we got the "This Connection is Untrusted" dialog, which allowed adding an exception. IE11 and Chrome 37 and Firefox 30 all do this.

In Firefox 31 I had to use the workaround of:

    openssl s_client -connect some.host.local:443 -showcerts

to obtain the Tripwire console's cert, then hand-import it using Firefox's certificate manager | authorities --> import before visiting http://some.host.local would offer the "This connection is untrusted ..." dialog.

While I certainly agree that a 3rd-party application vendor's self-signed cert should not be included in Mozilla's default root cert authorities pool, the behavior of the "This connection is untrusted" dialog should deal with a multi-cert chain, not just the server you are trying to connect to.
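
The workaround described in the report, as an added example that is not part of the original bug report: it splits `openssl s_client -showcerts` output into one PEM file per certificate so the issuer can be inspected before it is imported. The function names, the `cert-N.pem` layout and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): split `openssl s_client -showcerts`
# output into one PEM file per certificate so the issuer can be reviewed.
# Function names and the cert-N.pem layout are hypothetical.

# split_chain OUTDIR: read s_client output on stdin, write OUTDIR/cert-N.pem
# (cert-0 = server certificate, higher numbers = issuers), print the count.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/cert-%d.pem", dir, n); incert = 1 }
        incert { print > file }
        /^-----END CERTIFICATE-----/ && incert { close(file); n++; incert = 0 }
        END { print n + 0 }
    '
}

# Constructed sample shaped like s_client output; the bodies are placeholders,
# not real certificates.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=some.host.local
   i:/CN=TripmasterDSA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSERVERCERTBODY
-----END CERTIFICATE-----
 1 s:/CN=TripmasterDSA
   i:/CN=TripmasterDSA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDISSUERCERTBODY
-----END CERTIFICATE-----
---
EOF
}

# Demo on the constructed sample. Against the live console the input would be:
#   openssl s_client -connect some.host.local:443 -showcerts </dev/null | split_chain ./chain
# Before importing cert-1.pem under Authorities, compare its fingerprint with
# one obtained from the console host itself:
#   openssl x509 -in ./chain/cert-1.pem -noout -subject -issuer -fingerprint -sha256
demo_dir=$(mktemp -d)
echo "certificates written: $(sample_showcerts | split_chain "$demo_dir")"
rm -rf "$demo_dir"
```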