
So, I went down the route of setting up an enterprise CA in my domain so we can enable SSL on our internal web apps. For my test base, I am using XAMPP on Windows with a .local FQDN. I am using Microsoft Active Directory Certificate Services for the CA.

After (many) trials and tribulations, I have got a mostly-working example. So, the web app works on IE, Edge and Chrome, however it does not work on Firefox.

The Firefox error(s) are:

Warning: Potential Security Risk Ahead Error code:

SEC_ERROR_UNKNOWN_ISSUER

Could not verify this certificate because the issuer is unknown

I have tested this on several workstations with the same results. Firefox is the latest version.

I get no errors when I load the cert in openssl:

openssl x509 -in "C:\xampp\apache\conf\ssl.crt\certname.crt"

I get the two below errors when I run:

openssl s_client -connect server.local:443 

verify error:num=20:unable to get local issuer certificate

verify error:num=21:unable to verify the first certificate

I have the option of downloading a 'Certificate chain' from my CA but this comes in a .p7b format. Contents of this are a single certificate.

When I convert the file to a .crt or even use the .p7b in httpd-xampp.conf, Apache won't start up afterwards. It starts fine without the below entry.

SSLCertificateChainFile "conf/ssl.crt/chain-cert.crt"

Any ideas?

kenlukas
James
  • You must install your root CA in Firefox. IE, Edge, Chrome use the Windows certificate store to establish trust, but Firefox maintains its own store and you need to install the root CA cert in the trust store in Firefox. – Crypt32 Aug 22 '19 at 13:00
  • Thanks - I was unaware that FF had gone that way. I see I can override it on a browser basis via about:config or push out across the domain with a GPO – James Aug 22 '19 at 14:10
  • Please stop abusing TLDs, `.local` is for mDNS per RFC 6762 and you should save yourself the trouble of opening another question later down the road. – Ginnungagap Aug 22 '19 at 22:39
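The two `openssl s_client` errors in the question have two different causes: error 20 means the verifier could not find the issuer of a certificate in anything it trusts or was handed, and the fix differs depending on whether the missing piece is the root (the Firefox trust-store problem) or the intermediate (the `SSLCertificateChainFile` problem). The script below is an added example, not code from the question or the answer: it builds a throwaway root, intermediate and server certificate with `openssl`, runs `openssl verify` under three trust setups, and includes the same PKCS#7 (.p7b) to PEM conversion the CA's "Certificate chain" download needs before Apache will accept it. All names, lifetimes and file paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build a throwaway
# root -> intermediate -> server PKI with openssl and run 'openssl verify'
# against it to reproduce "unable to get local issuer certificate" (error 20)
# and show which input clears it. All names and lifetimes are constructed.

# Create the test PKI in directory $1: root.pem, int.pem, srv.pem, chain.pem.
build_test_pki() {
  d=$1
  # Minimal req config so the example does not depend on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Constructed Root CA" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Constructed Issuing CA" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/srv.key" -out "$d/srv.csr" -subj "/CN=server.example.test" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/srv.pem" 2>/dev/null
  # Same round trip as the CA's "Certificate chain" download: PKCS#7 (.p7b) to PEM,
  # which is the form Apache's SSLCertificateChainFile expects.
  openssl crl2pkcs7 -nocrl -certfile "$d/int.pem" -out "$d/chain.p7b"
  openssl pkcs7 -print_certs -in "$d/chain.p7b" -out "$d/chain.pem"
}

# Verify srv.pem under one trust setup. Prints OK or the X.509 error number.
#   none - nothing trusted, no chain   (a browser store without the enterprise root)
#   root - root trusted, no chain      (root installed, server sends only its own cert)
#   full - root trusted + chain.pem    (root installed + SSLCertificateChainFile)
verify_chain() {
  d=$1
  case $2 in
    none) opts="" ;;
    root) opts="-CAfile $d/root.pem" ;;
    full) opts="-CAfile $d/root.pem -untrusted $d/chain.pem" ;;
  esac
  if out=$(openssl verify $opts "$d/srv.pem" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}
```

Run `verify_chain "$dir" root` against a real deployment's leaf certificate with your enterprise root as `-CAfile`: error 20 there means the intermediate is not being served, while OK there but a Firefox failure points at the browser's own trust store.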

1 Answer

According to Mozilla's documentation, as of FF64 the recommended way to install certificates is through an Enterprise Policy. Due to a (currently) open bug you need to manually install all intermediate certs as well as the root.

You can download Firefox GPO templates from here: https://github.com/mozilla/policy-templates/tree/master/windows

You can individually test by setting "security.enterprise_roots.enabled" preference to true in about:config.

More detailed information can be found here: https://wiki.mozilla.org/CA/AddRootToFirefox

RobbieCrash
  • Thanks - GPO worked perfectly. Worth noting for future users I didn't need to include intermediate cert or cert chains. – James Aug 23 '19 at 07:49