Hi Johan,

Currently the implementation only uses the CERT_SYSTEM_STORE_LOCAL_MACHINE flag to search for certificates, which as you've discovered corresponds to the registry location HKLM\SOFTWARE\Microsoft\SystemCertificates (see [0]).

We're investigating looking in other locations such as CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY (which I think corresponds to HKLM\SOFTWARE\Policy\Microsoft\SystemCertificates) (see [1] and [2]). I'm not certain which flag corresponds to HKLM\SOFTWARE\Microsoft\EnterpriseCertificates, but it might be CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE. If this turns out to be correct, we can probably just make that change in bug 1289865 as well.

Cheers,
David

[0] https://dxr.mozilla.org/mozilla-central/rev/9baec74b3db1bf005c66ae2f50bafbdb02c3be38/security/manager/ssl/nsNSSComponent.cpp#974
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx

On 09/28/2016 02:18 AM, Johan Corveleyn wrote:
> Hi all, this is my first post to this list.
>
> After asking a question in bugzilla issue 1265113 [1], David Keeler
> asked to post to this list instead of discussing in the issue tracker.
> So here we go:
>
> The feature of trusting custom root CAs when they're in Windows'
> truststore (which is the subject of issue 1265113) works as of FF 49
> (when config option security.enterprise_roots.enable is set to true).
> However, it's not clear to me why FF only trusts one particular
> registry location and not the other. If our Root CA is installed in
> HKLM\SOFTWARE\Microsoft\SystemCertificates\Root, it works, but if it's
> installed in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root, it
> doesn't. Is that intended? How was it decided which registry keys to
> trust?
>
> Our sysadmins tell me EnterpriseCertificates is the location where you
> get the CA cert automatically installed by AD, when you're part of the
> domain. So from where I'm sitting EnterpriseCertificates seems to be
> one of the places that FF should trust (when the option is enabled).
>
> Additional peculiarity: with ProcMon we see that firefox.exe actually
> reads the certs under EnterpriseCertificates from the registry (in
> addition to reading SystemCertificates), so why isn't it using them?
>
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1265113 (Windows
> platform support for trusting enterprise roots)
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
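The thread turns on which CERT_SYSTEM_STORE_* location flag maps to which registry key, and why a process can be seen reading EnterpriseCertificates without trusting what is there. The PowerShell below is an added example written for this page; it is not code from the thread, from Firefox, or from NSS. It opens the LocalMachine "Root" store through each location flag David names, using CryptoAPI's registry-only provider (CERT_STORE_PROV_SYSTEM_REGISTRY_W), and compares the thumbprints CryptoAPI returns with the subkeys under the registry key assumed to back that location. Only the SystemCertificates mapping is confirmed in the thread; the Policies and EnterpriseCertificates paths, and the flag values (location id shifted left by 16), are my assumptions and should be checked with ProcMon on your own host. The final comparison against the ordinary logical store (CERT_STORE_PROV_SYSTEM_W) is there to show how many roots a registry-only reader of SystemCertificates\Root misses relative to what CryptoAPI's merged view offers.

```powershell
# Added example, not code from the thread, Firefox or NSS. Windows PowerShell
# or PowerShell 7 on Windows; reading these stores needs no admin rights.

$src = @"
using System;
using System.Runtime.InteropServices;
public static class Crypt32 {
    // Provider ids are passed as fake LPCSTR values.
    public static readonly IntPtr CERT_STORE_PROV_SYSTEM_W          = (IntPtr)10; // logical (merged) store
    public static readonly IntPtr CERT_STORE_PROV_SYSTEM_REGISTRY_W = (IntPtr)13; // single registry-backed store
    public const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;
    public const uint CERT_STORE_READONLY_FLAG      = 0x00008000;

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
                                              IntPtr hCryptProv, uint dwFlags, string pvPara);
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
}
"@
Add-Type -TypeDefinition $src

# Location flag = (location id << 16). The registry paths are assumptions about
# what backs each location; the thread only confirms the first one.
$locations = [ordered]@{
    'CERT_SYSTEM_STORE_LOCAL_MACHINE'              = @{ Flag = 0x00020000; Key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates' }
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY' = @{ Flag = 0x00080000; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates' }
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE'   = @{ Flag = 0x00090000; Key = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates' }
}

function Get-StoreThumbprints {
    param([IntPtr]$Provider, [uint32]$LocationFlag, [string]$StoreName)
    $flags = [uint32]($LocationFlag -bor [Crypt32]::CERT_STORE_OPEN_EXISTING_FLAG -bor [Crypt32]::CERT_STORE_READONLY_FLAG)
    $h = [Crypt32]::CertOpenStore($Provider, 0, [IntPtr]::Zero, $flags, $StoreName)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning ("CertOpenStore(provider {0}, flags 0x{1:X}) failed with Win32 error {2}" -f $Provider, $flags, $err)
        return @()
    }
    try {
        # X509Store(IntPtr) duplicates the handle, so closing $h afterwards is safe.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($h)
        return @($store.Certificates | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    } finally {
        [void][Crypt32]::CertCloseStore($h, 0)
    }
}

function Get-RegistryThumbprints {
    param([string]$Key, [string]$StoreName)
    # Each certificate is a subkey named by its SHA-1 thumbprint holding a "Blob" value.
    $path = Join-Path $Key "$StoreName\Certificates"
    if (-not (Test-Path $path)) { return @() }
    return @(Get-ChildItem -Path $path | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

$storeName = 'Root'
foreach ($name in $locations.Keys) {
    $loc = $locations[$name]
    $api = Get-StoreThumbprints -Provider ([Crypt32]::CERT_STORE_PROV_SYSTEM_REGISTRY_W) -LocationFlag $loc.Flag -StoreName $storeName
    $reg = Get-RegistryThumbprints -Key $loc.Key -StoreName $storeName
    "{0}: {1} root(s) via CryptoAPI, {2} subkey(s) under {3}\{4}\Certificates" -f $name, $api.Count, $reg.Count, $loc.Key, $storeName
    $onlyApi = @($api | Where-Object { $reg -notcontains $_ })
    $onlyReg = @($reg | Where-Object { $api -notcontains $_ })
    if ($onlyApi.Count -or $onlyReg.Count) {
        "  mismatch: the assumed registry key does not back this location (api-only: $($onlyApi.Count), registry-only: $($onlyReg.Count))"
    }
}

# Contrast with the logical store: CERT_STORE_PROV_SYSTEM_W merges several physical
# stores, so roots listed here but absent from the registry-only view above are the
# ones a reader that only opens SystemCertificates\Root will never see.
$logical = Get-StoreThumbprints -Provider ([Crypt32]::CERT_STORE_PROV_SYSTEM_W) -LocationFlag 0x00020000 -StoreName $storeName
$plain   = Get-StoreThumbprints -Provider ([Crypt32]::CERT_STORE_PROV_SYSTEM_REGISTRY_W) -LocationFlag 0x00020000 -StoreName $storeName
"Logical LocalMachine\{0} has {1} root(s); {2} of them are not in SystemCertificates\{0} itself" -f $storeName, $logical.Count, @($logical | Where-Object { $plain -notcontains $_ }).Count
```

If a location's store does not exist on the host (typical for the Policies key on a machine with no certificate GPO), CertOpenStore fails under CERT_STORE_OPEN_EXISTING_FLAG and the script reports a warning with zero roots on both sides, which is the expected result rather than a mapping error. A non-empty "mismatch" line for a location means the assumed key and the flag do not describe the same physical store, and a ProcMon trace filtered on RegOpenKey from the calling process is the quickest way to find the key CryptoAPI actually touched.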

