On 08/09/2017 05:26 AM, Lance Spencer wrote:
> Thanks for the reply. I'm trying to understand the process better with
> Firefox and the Microsoft certificate stores, and this is helping.
>
> I know my
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
> registry key holds my "Root" certificates for the sites I'm going to. (This
> location also corresponds to the Certificates (Local Computer)\Trusted Root
> Certificates\Certificates container in certmgr.msc.)
>
> I tried the setting "logging.pipnss":"Debug" and it didn't produce any
> output from "cmd.exe" or "Powershell".
>
> So for my understanding, does the "security.enterprise_roots.enabled"
> setting only allow for pulling the "root" certs from the Microsoft cert
> stores?

Correct - the implementation only imports trusted root certificates.

> We have another mechanism that populates the Microsoft Trusted Roots and
> Intermediate CAs containers with all our required Root & Intermediate CA
> certs. All of the CA certificates that Firefox would need to access would
> already be in the Microsoft certificate stores. As far as I am aware,
> there is no ability for the site that is being accessed to provide
> Intermediate CA certs during the TLS handshake.

The TLS specification requires that servers send a list of certificates
starting from the server's certificate and chaining to a trusted
self-signed root certificate (which may be omitted), so it's not
surprising you're running into compatibility issues by not including
intermediate certificates. See
https://tools.ietf.org/html/rfc5246#section-7.4.2 ("certificate_list")

Hope this helps,
David

> Will Firefox still only look at "Root" CA certs?
>
> Sincerely,
>
> Lance Spencer
> Juno Technologies
> [email protected]
> Cell: (757)846-5834
>
>
> -----Original Message-----
> From: Enterprise [mailto:[email protected]] On Behalf Of David Keeler
> Sent: Tuesday, August 8, 2017 4:51 PM
> To: [email protected]
> Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
> aren't accessed by Firefox.
>
> Here are some things you could try:
>
> * Add an about:config preference "logging.pipnss" with the string value
> "Debug". Then, set "security.enterprise_roots.enabled" to true and see what
> output you get in the console (not the browser console but an OS console -
> I'm not actually sure how to do this on Windows - run Firefox from
> powershell or cmd.exe?)
>
> * Where are the certificates you're trying to use installed on Windows?
> Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
> HKLM\SOFTWARE\Microsoft\SystemCertificates,
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
> and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
> respectively.
>
> * Are the servers you're trying to access sending the appropriate
> intermediate certificates? Firefox doesn't import intermediates via this
> mechanism - they must be sent in the TLS handshake.
>
> Hope this helps,
> David
>
> On 08/08/2017 12:02 PM, Lance Spencer wrote:
>> I've tried to review many blogs/forum strings that discuss getting
>> Firefox to use the local computer certificate stores on Windows. I
>> didn't want to bother this group with this issue unless I at least
>> tried to figure some things out for myself. So far I have been
>> unsuccessful in getting this to work.
>>
>> We use an executable that installs CA certs in the Trusted Root and
>> Intermediate certificate local computer certificate stores on Windows
>> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains
>> that have anywhere from 200 to 3000 computers that need CA
>> certificates to be updated on a regular basis. If Firefox could use
>> those same certs, it'd be a lot less complicated to update the Firefox
>> settings to use the appropriate root & intermediate CA certs.
>>
>> We would like to leverage the security.enterprise_roots.enabled
>> setting to allow the Firefox browser to use the CA certificates we
>> place in the local computer certificate stores.
>>
>> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR
>> 52.3 to use the local computer certificate stores
>> (security.enterprise_roots.enabled=true). I've then tried to browse to
>> HTTPS sites that require our workstations to have the supporting CAs
>> installed before the website is presented. So far, I've been unable
>> to get this to work. Is there some setting/configuration that I may be
>> overlooking, which is causing Firefox to not use the local computer
>> certificate stores? I've also tried doing the same on my work laptop &
>> get the same results. (using Firefox 55.0 (32-bit))
>>
>> If I manually load the root and intermediate certificates into Firefox
>> on a workstation, I'm able to access the secure websites.
>>
>> Any assistance would be greatly appreciated to get this option to work.
>>
>> Sincerely,
>>
>> Lance Spencer
>>
>> _______________________________________________
>> Enterprise mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/enterprise
>>
>> To unsubscribe from this list, please visit
>> https://mail.mozilla.org/listinfo/enterprise or send an email to
>> [email protected] with a subject of "unsubscribe"
>>
>
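The failure mode David describes in the thread (the enterprise-roots import supplies only trusted roots, so any intermediate that the server leaves out of its handshake certificate_list has no way to reach Firefox) can be reproduced with a small path-building model. The Python below is an added example, not part of the thread and not Firefox's or NSS's code: certificates are modelled only by their subject and issuer names, the CA names and hostname are constructed, and `roots_only=True` stands in for the behaviour of security.enterprise_roots.enabled while `roots_only=False` stands in for Lance's workaround of manually importing root and intermediate into Firefox's own store.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Name-only stand-in for an X.509 certificate (constructed model, no signatures checked)."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

def certificate_list_is_well_formed(chain: list[Cert]) -> bool:
    """RFC 5246 7.4.2 ordering: the server's own cert comes first and each
    following cert must certify the one immediately preceding it."""
    if not chain:
        return False
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))

def build_path(certificate_list: list[Cert], store: list[Cert], roots_only: bool):
    """Walk from the server certificate to a trust anchor.

    certificate_list: what the server sent in the handshake (leaf first).
    store:            certificates present in the Windows local-machine stores
                      (both Trusted Root and Intermediate CA containers).
    roots_only:       True models the enterprise-roots import, which only makes
                      self-signed roots available; False models a store that also
                      holds manually imported intermediates.
    Returns (path, missing): path is the leaf-to-root list, or None when no
    chain can be built, in which case `missing` names the certificate that was
    neither sent by the server nor available from the store.
    """
    if not certificate_list_is_well_formed(certificate_list):
        return None, "malformed certificate_list"
    sent = {c.subject: c for c in certificate_list}
    available = {c.subject: c for c in store if c.is_self_signed or not roots_only}
    trusted_roots = {c.subject for c in store if c.is_self_signed}

    path = [certificate_list[0]]
    while not path[-1].is_self_signed:
        issuer_name = path[-1].issuer
        # Handshake certificates are consulted first, then whatever the store offers.
        issuer = sent.get(issuer_name) or available.get(issuer_name)
        if issuer is None or issuer in path:   # missing link, or an issuer loop
            return None, issuer_name
        path.append(issuer)
    if path[-1].subject not in trusted_roots:  # chain ends in a root we do not trust
        return None, path[-1].subject
    return path, None

def diagnose(certificate_list: list[Cert], store: list[Cert], roots_only: bool) -> str:
    path, missing = build_path(certificate_list, store, roots_only)
    if path is not None:
        return "ok: " + " -> ".join(c.subject for c in path)
    return f"FAIL: no path to a trusted root; missing {missing!r}"

# Constructed sample mirroring the thread: root and intermediate both live in the
# Windows store, but the server's handshake sends only its own (leaf) certificate.
ROOT = Cert("Example Enterprise Root CA", "Example Enterprise Root CA")
INTERMEDIATE = Cert("Example Issuing CA 1", "Example Enterprise Root CA")
LEAF = Cert("intranet.example.test", "Example Issuing CA 1")
WINDOWS_STORE = [ROOT, INTERMEDIATE]

if __name__ == "__main__":
    # enterprise_roots import, server omits the intermediate -> fails
    print(diagnose([LEAF], WINDOWS_STORE, roots_only=True))
    # enterprise_roots import, server sends leaf + intermediate -> succeeds
    print(diagnose([LEAF, INTERMEDIATE], WINDOWS_STORE, roots_only=True))
    # manual import of root and intermediate into Firefox's store -> succeeds
    print(diagnose([LEAF], WINDOWS_STORE, roots_only=False))
```

The first two runs are the two halves of David's third suggestion: the same trust store and the same leaf certificate, differing only in whether the server's certificate_list carries the intermediate. The third run shows why Lance's manual import "works" without actually fixing the server: it papers over a missing intermediate for that one browser profile, while every other client still depends on the handshake.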

