alfresco-ssl-generator-master: Do I tell the client to trust 'Custom Alfresco CA'?

atTheBeach
Active Member II

alfresco-ssl-generator-master: Do I tell the client to trust 'Custom Alfresco CA'?

Strange question, but bear with me.

I've run the keystore generator (alfresco-ssl-generator-master) to produce a browser client certificate to communicate with the Solr console. The keystore (browser.p12) has to be imported into the browser key manager. There are instructions to do this (but, of course, they're always out of date because browsers change all the time).

The problem is that the browser doesn't trust this certificate, so the instructions tell you to add a security exception for your site ("This is due to the certificate not being tied to the server IP address", which is incorrect).

However, you can't add a security exception if your site uses HSTS (Strict-Transport-Security), and I imagine that most sites nowadays use HSTS. The client certificate ('Custom Browser Client') is signed by 'Custom Alfresco CA', and the actual problem is that 'Custom Alfresco CA' has to be imported as a trusted root certificate.

The client can't add the security exception because of HSTS, so should I ask the client to add the trusted root certificate instead? This sounds like it might be a really bad idea. How was the certificate generated? How easy would it be for an attacker to recreate this cert?

The alternative is to tell the client to find another way to ignore the security exception (the Chrome 'thisisunsafe' easter egg, or whatever). Thoughts?

1 Reply
angelborroy
Alfresco Employee

Re: alfresco-ssl-generator-master: Do I tell the client to trust 'Custom Alfresco CA'?

The best approach is to add the Custom Alfresco CA to the browser/OS trusted root certificate store.

Hyland Developer Evangelist
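
A check that can be run before importing a private CA as a trusted root, added here as an example; it is not part of the original thread or of alfresco-ssl-generator. The file names (`ca.pem`, `client.pem`) are assumptions, and the certificates are throwaway samples built with `openssl` using the two subject names quoted in the question.

```shell
# Added example. File names are assumptions; all certificates are constructed samples.

# SHA-256 fingerprint of a PEM certificate. Compare it out-of-band with the
# value read on the machine where the CA was generated before trusting it.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when the certificate is a CA without Name Constraints, meaning a
# client that trusts it as a root accepts anything signed with its private key.
ca_is_unconstrained() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    ! printf '%s\n' "$text" | grep -q 'Name Constraints'
}

# Succeeds when leaf certificate $2 verifies against CA certificate $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: a self-signed CA and a client certificate it signs,
# written into directory $1. Each call produces a fresh, different key pair.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Custom Alfresco CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Custom Browser Client' \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
}

# Demo: two CAs with the same subject name are still different trust anchors.
a=$(mktemp -d); b=$(mktemp -d)
make_sample "$a"; make_sample "$b"
echo "CA A fingerprint: $(ca_fingerprint "$a/ca.pem")"
echo "CA B fingerprint: $(ca_fingerprint "$b/ca.pem")"
ca_is_unconstrained "$a/ca.pem" && echo "CA A can sign for any name"
chains_to "$a/ca.pem" "$a/client.pem" && echo "client A chains to CA A"
chains_to "$b/ca.pem" "$a/client.pem" || echo "client A does not chain to CA B"
```

What protects a trusted private root is its private key (`ca.key` in this sample), so that file should stay off client machines and only the CA certificate should be distributed.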