Re: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store

[Hoang (US), Victor T]

I forgot to show an example of what I will be trying.


 {
  "policies": {
    "Certificates": {
      "Install": ["C:\\Program Files (x86)\\Mozilla 
Firefox\\cck2\\resources\\certs\\ cert1.cer", "C:\\Program Files (x86)\\Mozilla 
Firefox\\cck2\\resources\\certs\\cert2.cer", 
Firefox\\cck2\\resources\\certs\\cert3.cer", "C:\\Program Files (x86)\\Mozilla 
Firefox\\cck2\\resources\\certs\\cert4.crt"]
    }
  }
}

Something like that? (I’m currently just testing so I’m installing from a 
directory in which cck still exists where my certificates are stored locally on 
the device. I will change it once I can get the certs installed the first time)

Also, once I save this in the json file, I’m guessing it will create the 
directories for me? E.g.:
%USERPROFILE%\AppData\Local\Mozilla\Certificates
%USERPROFILE%\AppData\Roaming\Mozilla\Certificates

Will it need to be a fresh install of firefox, or can I just use my currently 
existing one and it will be created on start up?

Thanks again,
Victor
From: Hoang (US), Victor T
Sent: Friday, August 2, 2019 3:39 PM
To: 'Mike Kaply' <mka...@mozilla.com>
Cc: enterprise@mozilla.org
Subject: RE: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull 
from windows certificate store

I’m giving tinker with this and will get back with my findings. Silly me. 
Thanks!

From: Mike Kaply <mka...@mozilla.com<mailto:mka...@mozilla.com>>
Sent: Friday, August 2, 2019 2:30 PM
To: Hoang (US), Victor T 
<victor.t.ho...@boeing.com<mailto:victor.t.ho...@boeing.com>>
Cc: enterprise@mozilla.org<mailto:enterprise@mozilla.org>
Subject: Re: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull 
from windows certificate store

It should just be about putting them in the right location and setting the 
Certificates->Install policy (if they aren't being imported from the window 
store).

See:

https://github.com/mozilla/policy-templates/blob/master/README.md#certificates--install

Are these client certificates?

Mike Kaply

On Fri, Aug 2, 2019 at 4:18 PM Hoang (US), Victor T 
<victor.t.ho...@boeing.com<mailto:victor.t.ho...@boeing.com>> wrote:
Hello,

My name is Victor. I was wondering if anyone could share any 
experience/expertise/solutions with switching over to policy for managing 
certificates to pull from the windows store. I’m running into some issues even 
after following some of the guides about how to try and pull from my 
organizations windows store locations from 
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox. 
It seems like the instructions might be a little broad/high level so I could be 
missing some things. Following the guide, I have 
security.enterprise_roots.enabled set to true and checked the windows store 
certificate location in regedit.exe and mmc and they seem to already exist 
(perhaps not in the right directory?). I asked someone in my organization and 
they mentioned that all the stores can be found on the console root (Local 
Computer) under trusted root certification Authorities --> Certificates and it 
all seems to be there as well.

My question:

•         It seems like firefox checks 
HKLM\SOFTWARE\Microsoft\SystemCertificates according to the support page. I’m 
using regedit.exe to navigate to the directory, but I don’t see any sort of 
“Import” option for the certificates I want to embed. I’m wondering how I can 
add my certificates into the location required by firefox? This is what I 
speculate to be the culprit.

Background:

•         Switching from FF 60.8 ESR cck2 over to FF 68.0.1 ESR with policy.json

•         Able to do majority of things such as setting up proxy, changing home 
page, and Trusted Devices installed (for CSSI Library badge authentication, etc)

•         Unable to have certificates be read from the windows store via policy 
unless I manually add them to the Certificate Manager in firefox. (Secure 
Connection Failed: SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
Thanks all,
Victor Hoang

_______________________________________________
Enterprise mailing list
Enterprise@mozilla.org<mailto:Enterprise@mozilla.org>
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org<mailto:enterprise-requ...@mozilla.org> with a 
subject of "unsubscribe"

_______________________________________________
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org with a subject of "unsubscribe"