33

Our network admin recently enabled HTTPS inspection on our firewall/router. For IE users this is fine because the certs have all been distributed via Active Directory for domain-joined machines. However, we have a number of Firefox users that are now throwing certificate errors on practically every HTTPS site.

Firefox uses their own CA store, and they're real proud of it too. Is there any way to get Firefox to trust the system certificate store by default? I see a lot of posts on how to do this in Linux, but nothing for Windows.

I suspect from this post that it's not possible, but that post is almost 4 years old.

Wes Sayeed
  • [setting-certificate-authorities-firefox](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox) – LonnieBest May 21 '20 at 04:04

4 Answers

50

Since Firefox 49 there is some support for Windows CA certificates, and since Firefox 52 support for Active Directory provided enterprise root certificates. Reading from the macOS Keychain is also supported since version 63.

Since Firefox 68 this feature is enabled by default in the ESR (enterprise) version, but not in the (standard) rapid release.

You can enable this feature for Windows and macOS in about:config by creating this boolean value:

security.enterprise_roots.enabled

and set it to true.

For GNU/Linux, this is usually managed by p11-kit-trust and no flag is needed.

Deploying the configuration system wide

Since Firefox 64, there is a new and recommended way by using policies, documented at https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

For legacy versions, the Firefox installation folder can be retrieved from the Windows registry; then go to the defaults\pref\ subdirectory and create a new file with the following:

/* Allows Firefox reading Windows certificates */
pref("security.enterprise_roots.enabled", true);

Save it with .js extension, e.g. trustwincerts.js and restart Firefox. The entry will appear in about:config for all users.

Deploying Windows Certificates system wide

Firefox 49 to 51 only supports the "Root" store. Since Firefox 52, it supports other stores, including those added to the domain via AD.

This is a bit out of scope, but it shows the only certificate store Firefox supported in versions 49 to 51, and is also useful for local testing. Because this deploys for all local machine users, it requires Administrator privileges in your CMD/PowerShell window or in your own automated deployment script:

certutil -addstore Root path\to\cafile.pem

This may also be done from the Management Console by clicking a lot of windows if you prefer the mouse way (How to: View Certificates with the MMC Snap-In).

  • Do you know in which certificate store the cert needs to be loaded into for this to work? – ETL Dec 21 '16 at 21:12
  • @ETL I have tested with local machine system trust store only, which is good as it works with all machine accounts. According to the Mozilla wiki page mentioned in another reply they expect to complete full cert support (including AD certs) in Firefox 52. By default, certmgr.msc shows user certstore, but you need to add it to the local machine certstore. You can also use Windows certutil (don't confuse with Mozilla's NSS certutil) to deploy it. –  Dec 21 '16 at 21:23
  • Arg. I have the certificate in place (I'm adding them using Group Policies to the Trusted Root Certification Authorities of the local machine). I turned on the Firefox option but the cert is still not used on FF 50.1. Is that where you have your certs? – ETL Dec 22 '16 at 03:30
  • The checklist is: 1: Firefox does not list Windows certificates in the Advanced -> Certificates, but should work as trusted anyways. 2: The server certificate must be created with that CA, using a CA directly as server certificate won't work. 3: The server certificate must be generated properly, inheriting CA policies for subject alternate names. 4: in case the certstore is the wrong one, try using Microsoft's certutil, I do this: in an Administrator cmd window: `certutil -addstore Root path\to\cafile.pem` (or .crt) –  Dec 22 '16 at 14:34
  • This is also mentioned in [Mozilla Wiki](https://wiki.mozilla.org/CA:AddRootToFirefox). – Franklin Yu Oct 24 '17 at 18:54
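The policy-based deployment this answer recommends, as an added example that is not part of the answer or of Mozilla's documentation: the script writes a `distribution\policies.json` whose `Certificates.ImportEnterpriseRoots` policy is the managed equivalent of `security.enterprise_roots.enabled`, then reads the file back to confirm the setting. It assumes an elevated session and that the install directory can be read from the registry key the Firefox installer writes, falling back to the default path under Program Files.

```powershell
# Added example: enable Windows/AD enterprise root trust for every Firefox profile on
# this machine via policies.json (Firefox 60+ policy engine; NOT code from the answer).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Get-FirefoxInstallDir {
    # Installer writes HKLM\SOFTWARE\Mozilla\Mozilla Firefox\<CurrentVersion>\Main\Install Directory
    $base = 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox'
    if (Test-Path $base) {
        $ver  = (Get-ItemProperty $base).CurrentVersion
        $main = Join-Path $base "$ver\Main"
        if (Test-Path $main) { return (Get-ItemProperty $main).'Install Directory' }
    }
    # Fallback assumption if the registry key is absent (e.g. a copied install).
    return Join-Path $Env:ProgramFiles 'Mozilla Firefox'
}

$installDir = Get-FirefoxInstallDir
$distDir    = Join-Path $installDir 'distribution'
New-Item -ItemType Directory -Path $distDir -Force | Out-Null

$policy = @{
    policies = @{
        Certificates = @{
            # Same effect as security.enterprise_roots.enabled = true: trust roots from
            # the Windows machine/user stores, including roots pushed by AD Group Policy.
            ImportEnterpriseRoots = $true
        }
    }
}
$policyPath = Join-Path $distDir 'policies.json'
$json = $policy | ConvertTo-Json -Depth 5
# Write UTF-8 without BOM so the JSON parser sees a clean file.
[IO.File]::WriteAllText($policyPath, $json, (New-Object System.Text.UTF8Encoding $false))

# Read back and verify the policy landed; Firefox shows the applied result in about:policies.
$check = Get-Content $policyPath -Raw | ConvertFrom-Json
if (-not $check.policies.Certificates.ImportEnterpriseRoots) {
    throw "policies.json written to $policyPath but ImportEnterpriseRoots is not true"
}
Write-Host "Wrote $policyPath; restart Firefox and confirm under about:policies"
```

Because the policy is read from the install directory, it applies to all users and survives profile resets, unlike an about:config change made per profile.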
2

Have you considered deploying those certificates to Firefox as well as to the Windows cert store?

https://wiki.mozilla.org/CA:AddRootToFirefox details a few options:

  1. Modify the certificate database directly using certutil.
  2. Use Firefox's autoconfig feature, by placing a javascript file alongside the binary, to add the certificates:

    // Look up the certificate database service; fall back to the nsIX509CertDB2
    // interface on Firefox builds that still expose it separately.
    var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    var certdb2 = certdb;
    try {
        certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
    } catch (e) {}
    var cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
    // Trust flags "C,C,C": trusted CA for SSL, e-mail and object signing.
    certdb2.addCertFromBase64(cert, "C,C,C", "");

  3. Distribute the certificate database files directly.
  4. Package Firefox for installation, including the certificates in your distribution.
  5. Use CCK2 to create an extension that adds the certificates.
wfaulk
1

There isn't a good way to handle forcing the use of the system store, but there is a nice workaround (force the use of a customized Firefox-compatible store).

The bit of script below works well at login / logoff.

# Firefox must not be running while its certificate database is replaced.
Stop-Process -ProcessName firefox -ErrorAction SilentlyContinue

$DBPath = "\\yourserver\yourshare\cert8.db"
$ProfileRoot = Join-Path $Env:APPDATA "Mozilla\Firefox\Profiles"
$DB = Get-Item $DBPath
# -Directory keeps only profile folders; the loop variable is not named $Profile
# because that would shadow PowerShell's built-in $PROFILE variable.
ForEach ( $FxProfile in (Get-ChildItem $ProfileRoot -Directory) )
{
    $FullPath = $FxProfile.FullName
    Copy-Item $DB $FullPath   # overwrites the profile's own cert8.db
    $FullPath
}
Tim Brigham
  • You could even expand on an idea like this and grab the current list of trusted certs out of the Windows store and generate the cert8.db file on the fly using the Mozilla certutil referenced in wfaulk's answer. – Ryan Bolger Sep 16 '15 at 04:48
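The generation step Ryan Bolger's comment proposes, as an added example that is not from the answer or the comment: it exports every certificate in the machine's Trusted Root Certification Authorities store to DER and imports each into a fresh NSS database with Mozilla's `certutil`, producing the file the answer's script then copies into profiles. It assumes NSS's `certutil.exe` (not the Windows certutil) is on PATH, that current Firefox reads the `sql:` database format (`cert9.db`/`key4.db`) rather than the older `cert8.db`, and that the output location is a placeholder.

```powershell
# Added example: build a Firefox-compatible NSS cert database from the Windows
# LocalMachine\Root store (not code from the answer above).
$ErrorActionPreference = 'Stop'
$OutDir = Join-Path $Env:TEMP 'nss-db'    # placeholder; copy the result to your share afterwards
$Work   = Join-Path $Env:TEMP 'nss-der'   # scratch folder for DER exports

function New-NssDbFromWindowsRoots {
    param([string]$DbDir, [string]$DerDir)
    New-Item -ItemType Directory -Path $DbDir, $DerDir -Force | Out-Null

    # Create an empty database with no master password (sql: = cert9.db/key4.db).
    & certutil.exe -N -d "sql:$DbDir" --empty-password
    if ($LASTEXITCODE -ne 0) { throw 'NSS certutil -N failed' }

    $count = 0
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
        # Expired roots are useless to Firefox; skip them rather than import noise.
        if ($cert.NotAfter -lt (Get-Date)) { continue }

        $der = Join-Path $DerDir "$($cert.Thumbprint).cer"
        [IO.File]::WriteAllBytes($der, $cert.Export('Cert'))   # raw DER encoding

        # Nickname = SHA-1 thumbprint (unique within the store).
        # Trust "C,," = trusted CA for TLS server auth only, not e-mail or code signing.
        & certutil.exe -A -d "sql:$DbDir" -n $cert.Thumbprint -t 'C,,' -i $der
        if ($LASTEXITCODE -ne 0) { throw "import failed for $($cert.Subject)" }
        $count++
    }
    return $count
}

$n = New-NssDbFromWindowsRoots -DbDir $OutDir -DerDir $Work
Write-Host "Imported $n roots into $OutDir; distribute cert9.db (and key4.db) to profiles."
# List the first few nicknames so the result can be eyeballed before deployment.
& certutil.exe -L -d "sql:$OutDir" | Select-Object -First 10
```

Note that copying the generated database over a profile's own discards any trust decisions or exceptions the user made in that profile, so run it only on managed machines where that is intended.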
1

There is a free project that provides the ability to manage Firefox root certificates using group policies. You can either install or remove root certificates from the Firefox database.

Slipeer