Hello all,
I had a certificate expire. I'm trying to update it, and I'm using the
policy.json file with the Install feature instead of ImportEnterpriseRoots so
that I can be OS agnostic. Example:
"Certificates": {
  "Install": ["C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt",
              "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"]
}
I tried updating my certificate by giving it the same name and file path;
however, I don't think the policy JSON knows to pull the new certificate due to
the certificate having the same name. I was able to update the certificate only
by:
* Creating a new profile (in this case, it keeps the old one and writes
the new one as well, even with the same name)
* Manually adding the new one in (this also keeps the old one and installs the
new one, so they both exist)
My company has the same certificates in the Windows certificate store, so I
tested switching over to using "ImportEnterpriseRoots": true, but the problem is
that if you already loaded the certs with the Install method I listed above,
Firefox doesn't seem to switch over to ImportEnterpriseRoots, probably because
the old certificates already exist in the local store on the browser, and it
keeps using the expired one instead of checking the Windows store for new ones.
It does, however, work on a clean install because the profile isn't loaded yet
and the certificates aren't installed yet, so ImportEnterpriseRoots becomes the
default.
Does anyone have any recommendations on updating the cert file without changing
its name? Or perhaps even how to switch from using the Install policy to the
ImportEnterpriseRoots policy for certificates? It sounds like the easiest
workaround might be to just include another Install line and rename the newer
certificate. The downside to this is that the expired certificate will still
exist in the browser certificate store. Which leads me to wonder: is there a
policy that removes older certificates from the local browser store? I could
see this getting messy for older certificates over time.
Grateful for any suggestions!
Thanks all,
Victor Hoang
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise
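
Added example (not part of the original message, and not Mozilla code): the renaming workaround raised above, sketched in Python. Each certificate file gets a name derived from the SHA-256 fingerprint of its DER bytes, so a renewed certificate never reuses a path already listed under Install. The function names and sample bytes are constructed for illustration, and "policies" is assumed as the file's top-level key.

```python
import base64
import hashlib
import re
from pathlib import PureWindowsPath

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(data):
    """Return the DER encoding whether the file holds PEM text or raw DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def fingerprint(data):
    """SHA-256 over the DER bytes, so PEM and DER copies of one cert match."""
    return hashlib.sha256(der_bytes(data)).hexdigest()

def versioned_path(path, data):
    """cert1.crt -> cert1-<first 12 hex of fingerprint>.crt (idempotent)."""
    p = PureWindowsPath(path)  # parses Windows paths on any OS
    stem = re.sub(r"-[0-9a-f]{12}$", "", p.stem)  # drop a tag from an earlier run
    return str(p.with_name(f"{stem}-{fingerprint(data)[:12]}{p.suffix}"))

def rewrite_install(policy, read_file):
    """Return (new policy, {old path: new path}); the input is not modified."""
    # read_file(path) -> bytes is a hypothetical callback supplied by the caller.
    certs = policy["policies"]["Certificates"]
    old = certs["Install"]
    renames = {p: versioned_path(p, read_file(p)) for p in old}
    updated = {**certs, "Install": [renames[p] for p in old]}
    return {"policies": {**policy["policies"], "Certificates": updated}}, renames

# Constructed placeholder bytes standing in for the expired and renewed files.
OLD_DER, NEW_DER = b"constructed-expired-cert", b"constructed-renewed-cert"
NEW_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(NEW_DER)
           + b"\n-----END CERTIFICATE-----\n")
CERT1 = "C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt"
POLICY = {"policies": {"Certificates": {"Install": [CERT1]}}}

if __name__ == "__main__":
    policy, renames = rewrite_install(POLICY, lambda p: NEW_PEM)
    print(renames)
```

The returned mapping tells the deployment step which files to copy to their new names. As the message notes, this does not remove the expired certificate from existing profiles.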