Meanwhile I got it fixed. Apparently I had some problems with my browser (I mostly use a Chromebook) not showing certain items on screen and sometimes not giving feedback about saves. Seems to work fine with the current code :).
Regarding my security certificate: that is perfectly fine. It is not the safest certificate (which is a self-signed certificate contrary to what vendors try to tell you), but a free from CACERT. Since my site will be geared towards white-hat hackers, it is some kind of inside joke while at the same time scares away some spammers. Bit off-topic to explain the inside joke, but:
According to group thinking, certificates need a trusted third party to proof that an identity (e.g. your email, or a URL of a server) belongs to a person or a server. Those trusted third parties are the certificate authorities. An organised man-in-the-middle in a security protocol! Crazy! Especially since none of these authorities really can be trusted: many of them have been hacked, most of them are US based, in this post-Snowden era you already know who else has the private keys of those CA ... They even invented the more expensive EV-SLL ("enhanced validation") certificates, in fact admitting that before they didn't really validate an identity as documented in their own procedures. I once worked for a company that owned 3 of those certificate authorities. We were not even using the certificates internally ...
It is even worse. Not you" decide which certificate authority to trust, the browser vendors maintain a list, that is even different between the browser vendors. If they have that CA listed in the browser, you won't even see a warning. It costs for a certificate vendor about 50.000 USD to be "trusted" by the browser companies. When I see at the "trusted" CA list I notice a lot of malicious organisations yet they are trusted by the browsers. And mal-ware writers even know how to modify the list. A broken security model, or at least the implementation, yes ...
Personally I think we can fix the model, but keep all browser vendors and certificate authorities outside the picture. The first problem is to trust that a specific public key belongs to a person/server. The problem was distribution. Really? I can send/publicize my certificate in hundreds of ways (We-chat attachment, Weibo posting, Facebook posting, tweet, ...). It unfeasible to intercept/modify all possible communications for any government or malicious organisation even if you control my ISP. Maybe we can have something like bit-coin transactions, certificate validated if X third parties agree ...
DO not even get me started about the current OpenSSL issues :).
