Michael, do you deploy using GPO or via AD Certificate Services? If I understand correctly, deploying CAs using GPO results in them being stored in HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates; deploying CAs using AD Certificate Services results in them being stored in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates.

The behaviour you are describing may be due to the fact that the machines are in different OUs and the CAs are rolled out to specific OUs only!? Also, FF trusts neither certs in HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates nor in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates. It only trusts certificates stored at HKLM\SOFTWARE\Microsoft\SystemCertificates. There is no way certificates are stored at the latter location when distributed using GPOs -> This means your FF will not trust your certs distributed using GPOs unless you have another service which copies them from HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates to HKLM\SOFTWARE\Microsoft\SystemCertificates.

Bruno

-----Original Message-----
From: Enterprise [mailto:[email protected]] On Behalf Of Michael Haase
Sent: Saturday, October 1, 2016 9:34 AM
To: [email protected]
Subject: Re: [Mozilla Enterprise] Trusting Root CA's on Windows: which registry keys? (issue 1265113)

Hi,

we deploy our own certificates via GPO to our clients. Those are (only) in HKLM\SOFTWARE\Microsoft\EnterpriseCertificates (not in HKLM\SOFTWARE\Microsoft\SystemCertificates).

I put a Firefox 49 portable on a USB stick to test the same version and profile on different machines and different Windows users. And I always call the same internal https intranet site to see if I can open it without certificate interaction.

On a Windows 10 x64 test machine with a standard user it works. On my own Windows 7 x86 machine with my user having admin rights (but you work without admin rights unless Windows requests them via UAC), it does not work. Starting Firefox as another user and running it as a standard user, it does not work either. On a second Windows 7 x86 machine from my colleague the same, it does not work. On a third Windows 7 x86 machine it works with its standard user, also with my test standard user, and also if I start Firefox with my admin user.

So, it seems to be the machine configuration whether it works or not. But I do not know what it is.
All machines are deployed centrally using SCCM. And all Windows 7 machines have received the same updates. I did tests with Process Monitor on all machines, and I can see that Firefox reads both registry paths mentioned above (SystemCertificates and EnterpriseCertificates); I can see nothing that helps me understand why it does work on some machines and not on others.

I know that my tests are quite limited to very few machines and users, but I wanted to share that information with you, maybe you can help.

But what David writes, that Firefox does right now not use EnterpriseCertificates, confuses me, as our certificates are only there, and I checked the SystemCertificates location in the registry - they are not in there, only in EnterpriseCertificates, and it works on some machines. And why does Process Monitor show that Firefox reads EnterpriseCertificates?

Cheers,
Michael

_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
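The thread turns on which of three physical registry stores a root CA actually lands in. The following PowerShell script is an added example, not code from either poster or from Mozilla, that reports, for every trusted root on a machine, whether it is present under the System, Group Policy and Enterprise locations named above. It assumes the standard layout in which the subkey names under ...\Root\Certificates are the SHA-1 thumbprints of the stored certificates, and it uses the Cert: drive (the merged logical store) only to map a thumbprint back to a subject name. Run it in an elevated prompt on each machine under test; a CA that shows System=False is one that, according to Bruno's description of Firefox's behaviour, Firefox will not trust.

```powershell
# Added example: report which physical LocalMachine root store(s) hold each trusted root CA.
# Not part of the mailing-list thread; $Store and -SubjectFilter are this example's own names.
function Get-RootStoreLocation {
    param(
        # Logical store to inspect; 'Root' for trusted roots, 'CA' for intermediates.
        [string]$Store = 'Root',
        # Optional wildcard on the certificate subject, e.g. '*Contoso*'.
        [string]$SubjectFilter = '*'
    )

    # The three physical stores discussed in the thread (assumption: standard layout).
    $paths = [ordered]@{
        System      = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$Store\Certificates"
        GroupPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$Store\Certificates"
        Enterprise  = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\$Store\Certificates"
    }

    # Subkey names under ...\Certificates are SHA-1 thumbprints; record where each one appears.
    $presence = @{}
    foreach ($label in $paths.Keys) {
        $path = $paths[$label]
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($key in Get-ChildItem -Path $path) {
            $thumb = $key.PSChildName.ToUpperInvariant()
            if (-not $presence.ContainsKey($thumb)) { $presence[$thumb] = @() }
            $presence[$thumb] += $label
        }
    }

    # The Cert: drive shows the merged logical store; use it to resolve thumbprint -> subject.
    $subjects = @{}
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$Store") {
        $subjects[$cert.Thumbprint.ToUpperInvariant()] = $cert.Subject
    }

    foreach ($thumb in ($presence.Keys | Sort-Object)) {
        $subject = if ($subjects.ContainsKey($thumb)) { $subjects[$thumb] } else { '(not visible in merged store)' }
        if ($subject -notlike $SubjectFilter) { continue }
        [pscustomobject]@{
            Thumbprint  = $thumb
            Subject     = $subject
            System      = ($presence[$thumb] -contains 'System')
            GroupPolicy = ($presence[$thumb] -contains 'GroupPolicy')
            Enterprise  = ($presence[$thumb] -contains 'Enterprise')
        }
    }
}

# Usage: list only your own CA(s) and compare the output between a working and a failing machine.
Get-RootStoreLocation -Store 'Root' -SubjectFilter '*' | Format-Table -AutoSize
```

Running this on one of the "working" and one of the "not working" Windows 7 machines side by side shows directly whether the difference Michael observed lines up with the CA being present under SystemCertificates on some machines but only under EnterpriseCertificates (or the Policies key) on others.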

