Hi all, this is my first post to this list. After asking a question in bugzilla issue 1265113 [1], David Keeler asked to post to this list instead of discussing in the issue tracker. So here we go:
The feature of trusting custom root CAs when they're in Windows' truststore (which is the subject of issue 1265113) works as of FF 49 (when config option security.enterprise_roots.enable is set to true). However, it's not clear to me why FF only trusts one particular registry location and not the other. If our Root CA is installed in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root, it works, but if it's installed in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root, it doesn't.

Is that intended? How was it decided which registry keys to trust?

Our sysadmins tell me EnterpriseCertificates is the location where you get the CA cert automatically installed by AD, when you're part of the domain. So from where I'm sitting EnterpriseCertificates seems to be one of the places that FF should trust (when the option is enabled).

Additional peculiarity: with ProcMon we see that firefox.exe actually reads the certs under EnterpriseCertificates from the registry (in addition to reading SystemCertificates), so why isn't it using them?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1265113 (Windows platform support for trusting enterprise roots)

--
Johan

