Hi Michael,

Glad to see I'm not the only one running into these issues. Though
it's not exactly clear what's precisely going on in your situation. In
my case, I saw that if I manually copied the specific cert from
EnterpriseCertificates to SystemCertificates (creating a new key with
the same value, and copying the blob), then it worked.

But indeed, I also found it quite strange that, using ProcMon, I could
see that Firefox really read all the registry keys in
EnterpriseCertificates, but didn't turn out to trust them. Maybe that
registry access is done by another part of the FF code, not related to
trusting root CAs ... hard to say.

Anyway, given David's response I added the request to also trust
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE (aka
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates, if I understand
correctly) to bug 1289865 [1]. Crossing my fingers now :-) ...

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
-- 
Johan

On Sat, Oct 1, 2016 at 9:33 AM, Michael Haase <[email protected]> wrote:
> Hi,
>
> we deploy our own certificates via GPO to our clients.
> Those are (only) in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates (not in
> HKLM\SOFTWARE\Microsoft\SystemCertificates).
>
> I put a Firefox 49 portable on USB stick to test the same version and
> profile on different machines and different Windows users. And I always call
> the same internal https intranet site to see if I can open it without
> certificate interaction.
>
> On a Windows 10 x64 test machine with standard user it works.
> On my own Windows 7 x86 machine with my user having admin rights (but you
> work without admin rights unless Windows requests them via UAC), it does not
> work. Starting Firefox as another user and running it as a standard user, it
> does not work either.
> On a second Windows 7 x86 machine from my colleague the same, it does not
> work.
> On a third Windows 7 x86 machine it works with its standard user, also with
> my test standard user, and also if I start Firefox with my admin user.
>
> So, it seems to be the machine configuration whether it works or not. But I
> do not know what it is.
> All machines are deployed centrally using SCCM. And all Windows 7 machines
> have received the same updates.
>
> I did tests with Process Monitor on all machines, and I can see that Firefox
> reads both registry paths mentioned above (SystemCertificates and
> EnterpriseCertificates), but I can see nothing that helps me understand why it
> does work on some machines and not on others.
>
> I know that my tests are quite limited to very few machines and users, but I
> wanted to share that information with you, maybe you can help.
>
> But what David writes, that Firefox does right now not use
> EnterpriseCertificates confuses me, as our certificates are only there, and
> I checked SystemCertificates location in registry - they are not in there,
> only in EnterpriseCertificates and it works on some machines. And why does
> Process Monitor show that Firefox reads EnterpriseCertificates?
>
> Cheers,
> Michael
>
> _______________________________________________
> Enterprise mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/enterprise
>
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> [email protected] with a subject of "unsubscribe"
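
A way to check, per machine, which root certificates exist only under EnterpriseCertificates and not under SystemCertificates. This is an added example, not code from the thread or from Mozilla. It assumes PowerShell 3.0 or later, that the `Root` sub-store is the relevant one, and that the subkey names under `Certificates` are the certificates' thumbprints; the function name `Get-StoreThumbprints` is made up for this example.

```powershell
# Added example: compare the two HKLM registry locations named in the thread.
# Assumptions: the "Root" sub-store is the one that matters here, and each
# subkey under ...\Certificates is named after the certificate's thumbprint.
$stores = @{
    System     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    Enterprise = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function Get-StoreThumbprints {
    param([Parameter(Mandatory = $true)][string]$Path)
    # A missing key means nothing was ever written to that location.
    if (-not (Test-Path -Path $Path)) { return }
    Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}

# @() keeps the result an array even with zero or one entries.
$system     = @(Get-StoreThumbprints -Path $stores.System)
$enterprise = @(Get-StoreThumbprints -Path $stores.Enterprise)

$report = foreach ($tp in $enterprise) {
    # Best effort: resolve the thumbprint through the certificate provider
    # to show a readable subject. Unresolved entries are still reported.
    $cert = Get-Item -Path "Cert:\LocalMachine\Root\$tp" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Thumbprint   = $tp
        Subject      = if ($cert) { $cert.Subject } else { '(not resolved)' }
        NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
        AlsoInSystem = $system -contains $tp
    }
}

# Entries with AlsoInSystem = False exist only in the Enterprise location.
$report | Sort-Object AlsoInSystem, Subject | Format-Table -AutoSize
```

Running it on a machine where the intranet site works and on one where it fails, and comparing the `AlsoInSystem` column for the internal root, shows whether the two machines really hold that certificate in the same location.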