Hi David,

I think CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE is indeed the
correct key that corresponds to
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates (though it's hard to
find information about this). So if that could be added together with
fixing bug 1289865 that would be great!

I've added it to the comments in that bug.

Thanks,
-- 
Johan

On Fri, Sep 30, 2016 at 10:53 PM, David Keeler <[email protected]> wrote:
> Hi Johan,
>
> Currently the implementation only uses the
> CERT_SYSTEM_STORE_LOCAL_MACHINE flag to search for certificates, which
> as you've discovered corresponds to the registry location
> HKLM\SOFTWARE\Microsoft\SystemCertificates (see [0]).
>
> We're investigating looking in other locations such as
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY (which I think corresponds
> to HKLM\SOFTWARE\Policy\Microsoft\SystemCertificates) (see [1] and [2]).
>
> I'm not certain which flag corresponds to
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates, but it might be
> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE. If this turns out to be
> correct, we can probably just make that change in bug 1289865 as well.
>
> Cheers,
> David
>
> [0] https://dxr.mozilla.org/mozilla-central/rev/9baec74b3db1bf005c66ae2f50bafbdb02c3be38/security/manager/ssl/nsNSSComponent.cpp#974
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
> [2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx
>
> On 09/28/2016 02:18 AM, Johan Corveleyn wrote:
>> Hi all, this is my first post to this list.
>>
>> After asking a question in bugzilla issue 1265113 [1], David Keeler
>> asked to post to this list instead of discussing in the issue tracker.
>> So here we go:
>>
>> The feature of trusting custom root CAs when they're in Windows'
>> truststore (which is the subject of issue 1265113) works as of FF 49
>> (when config option security.enterprise_roots.enable is set to true).
>> However, it's not clear to me why FF only trusts one particular
>> registry location and not the other. If our Root CA is installed in
>> HKLM\SOFTWARE\Microsoft\SystemCertificates\Root, it works, but if it's
>> installed in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root, it
>> doesn't. Is that intended? How was it decided which registry keys to
>> trust?
>>
>> Our sysadmins tell me EnterpriseCertificates is the location where you
>> get the CA cert automatically installed by AD, when you're part of the
>> domain. So from where I'm sitting EnterpriseCertificates seems to be
>> one of the places that FF should trust (when the option is enabled).
>>
>> Additional peculiarity: with ProcMon we see that firefox.exe actually
>> reads the certs under EnterpriseCertificates from the registry (in
>> addition to reading SystemCertificates), so why isn't it using them?
>>
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1265113 (Windows
>> platform support for trusting enterprise roots)
>>
>
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
[email protected] with a subject of "unsubscribe"
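The thread turns on which of two HKLM registry locations a root CA ends up in. The following PowerShell snippet is an added example, not code from the thread or from Firefox, that lists the root CAs under both SystemCertificates and EnterpriseCertificates so an admin can see where a given CA actually lives. It assumes the usual layout <base>\Root\Certificates\<thumbprint> with a REG_BINARY "Blob" value holding a serialized store element (property records of the form propId, reserved, length, data; the DER certificate is the record with propId 32, CERT_CERT_PROP_ID).

```powershell
# Added example: enumerate root CAs under the two registry locations discussed
# in the thread. Not Firefox code; assumes the standard Blob record layout.

function ConvertFrom-SerializedCertBlob {
    param([byte[]]$Blob)
    $offset = 0
    # Walk the (propId, reserved, length, data) records until we hit the
    # certificate record (propId 32 = CERT_CERT_PROP_ID); return $null if absent.
    while ($offset + 12 -le $Blob.Length) {
        $propId = [int][BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $dataStart = $offset + 12
        if ($dataStart + $length -gt $Blob.Length) { return $null }
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $dataStart, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $dataStart + $length
    }
    return $null
}

function Get-RegistryRootCertificates {
    param(
        [string[]]$BaseKeys = @(
            'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates',
            'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
        )
    )
    foreach ($base in $BaseKeys) {
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
            if (-not $blob) { continue }
            $cert = ConvertFrom-SerializedCertBlob -Blob $blob
            $subject = '<unparsed>'; $notAfter = $null
            if ($cert) { $subject = $cert.Subject; $notAfter = $cert.NotAfter }
            [pscustomobject]@{
                Location   = $base
                Thumbprint = $key.PSChildName
                Subject    = $subject
                NotAfter   = $notAfter
            }
        }
    }
}

Get-RegistryRootCertificates | Sort-Object Subject, Location | Format-Table -AutoSize
```

A CA that appears only under the EnterpriseCertificates location is the case the thread describes: present in the Windows store but not picked up by a reader that only opens CERT_SYSTEM_STORE_LOCAL_MACHINE.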
