Hi Eric,

As David just said: the HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates location is only used as "trusted" by FF (if security.enterprise_roots.enabled=true) as of version 52. So it's a known issue that this doesn't work in FF 49.

If you're using FF 49, the location HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates should work, if the security.enterprise_roots.enabled option is set to true (if that doesn't work, please double-check that your cert is correctly placed in the registry, and that the option is correctly set -- other people have reported that it works).

The question of the different registry keys was recently discussed in another mail thread on this list [1]. See also bugzilla issue 1289865 [2], which is about the missing registry keys. So for the other registry location I guess you'll have to wait for FF 52, which seems to have an expected release date of 2017-03-07 [3] (or you can test it in an early access version).

[1] https://mail.mozilla.org/private/enterprise/2016-September/007059.html and continuation in https://mail.mozilla.org/private/enterprise/2016-October/007120.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
[3] https://wiki.mozilla.org/RapidRelease/Calendar

--
Johan

On Wed, Nov 9, 2016 at 6:20 PM, <[email protected]> wrote:
> Thank you David,
>
> When can we expect this feature to arrive in ESR?
>
> Despite having set security.enterprise_roots.enabled to true in
> about:config, procmon reported that firefox.exe 49.0.2 never queries the
> registry key
> "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates"
>
> However, if I set it using mozilla.cfg as a locked preference, firefox.exe
> does query this key during startup although a site signed by corresponding
> ca in
> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
> was identified as not trusted.
>
> I am not impressed by the response from mozilla developers to any of my
> previous bug submissions (especially the MSI package request) so I will not
> post a bug regarding this promising but broken feature.
>
> Here is to hoping that Mozilla and this feature continue to improve.
>
>>Hi Eric,
>>
>>The wiki was slightly out of date and didn't specify the actual registry
>>locations searched, so I updated it.
>>
>>In any case, it turns out that's not a location that's supported.
>>Firefox 49 searches HKLM\SOFTWARE\Microsoft\SystemCertificates and
>>Firefox 52 was updated to search
>>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
>>and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates as
>>well. (The feature isn't available in ESR 45 at all.)
>>
>>Hope this helps,
>>David
>>
>>On 11/08/2016 11:03 AM, [email protected] wrote:
>>> Regarding https://wiki.mozilla.org/CA:AddRootToFirefox "Experimental
>>> Built-in Windows Support"
>>>
>>> I have tried setting "security.enterprise_roots.enabled" to true but a
>>> site signed by the cert in
>>>
>>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
>>> is failing to be recognized as secure.
>>>
>>> I have tried both ESR 45.4.0 and standard 49.0.2, toggling it on, off
>>> and on and restarting multiple times. Can anyone else confirm that it is
>>> working for them?
>>>
>>>
>>> _______________________________________________
>>> Enterprise mailing list
>>> [email protected]
>>> https://mail.mozilla.org/listinfo/enterprise
>>>
>>> To unsubscribe from this list, please visit
>>> https://mail.mozilla.org/listinfo/enterprise or send an email to
>>> [email protected] with a subject of "unsubscribe"
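
One way to run the placement check suggested in the reply above, as an added PowerShell example that is not part of the original thread or of Mozilla's code: it lists the certificates under the three registry locations named in the thread and decodes each key's Blob value so the subject and expiry can be compared with the intended root. The function name Get-CertFromRegistryBlob is hypothetical, and the version notes only restate what the thread says.

```powershell
# Registry locations named in the thread, with the Firefox version the thread
# says first searches each one (restated from the thread, not read from Firefox).
$locations = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'          = 'Firefox 49'
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates' = 'Firefox 52'
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'      = 'Firefox 52'
}

# Hypothetical helper: extract the DER certificate from a registry "Blob" value.
# The value is a serialized store element made of records laid out as
# [uint32 propId][uint32 encoding][uint32 length][data]; propId 32 is the certificate.
function Get-CertFromRegistryBlob {
    param([byte[]]$Blob)
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [BitConverter]::ToInt32($Blob, $offset + 8)
        $start  = $offset + 12
        # Stop on a truncated or malformed record instead of reading past the end.
        if ($length -lt 0 -or $start + $length -gt $Blob.Length) { return $null }
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $start, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $start + $length
    }
    return $null
}

foreach ($path in $locations.Keys) {
    if (-not (Test-Path $path)) {
        Write-Warning "Key not present: $path"
        continue
    }
    foreach ($key in Get-ChildItem $path) {
        $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        $cert = if ($blob) { Get-CertFromRegistryBlob $blob } else { $null }
        [pscustomobject]@{
            Location     = $path
            SearchedFrom = $locations[$path]
            KeyName      = $key.PSChildName   # subkey name, normally the SHA-1 thumbprint
            Thumbprint   = if ($cert) { $cert.Thumbprint } else { '(no parsable Blob)' }
            Subject      = if ($cert) { $cert.Subject }
            NotAfter     = if ($cert) { $cert.NotAfter }
        }
    }
}
```

A certificate that appears only under a location first searched in Firefox 52 will not be trusted by Firefox 49, whatever the value of security.enterprise_roots.enabled.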

