The documentation for the signtool program (including the README file in the sources) explains how to generate a self-signed test cert and output it to a file named x509.cacert. The reader is advised: > x509.cacert can be published on a web page and imported into browsers > that visit that page. recent postings in mozilla.dev.tech.crypto indicate that users are doing just that! AAARRRGGGHHH!!!