Here are some things you could try:

* Add an about:config preference "logging.pipnss" with the string value
"Debug". Then, set "security.enterprise_roots.enabled" to true and see
what output you get in the console (not the browser console but an OS
console - I'm not actually sure how to do this on Windows - run Firefox
from powershell or cmd.exe?)

* Where are the certificates you're trying to use installed on Windows?
Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
HKLM\SOFTWARE\Microsoft\SystemCertificates,
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
respectively.

* Are the servers you're trying to access sending the appropriate
intermediate certificates? Firefox doesn't import intermediates via this
mechanism - they must be sent in the TLS handshake.

Hope this helps,
David

On 08/08/2017 12:02 PM, Lance Spencer wrote:
> I’ve tried to review many blogs/forum strings that discuss getting
> Firefox to use the local computer certificates stores on Windows. I
> didn’t want to bother this group with this issue unless I at least tried
> to figure some things out for myself. So far I have been unsuccessful to
> get this to work.
> 
>  
> 
> We use an executable that installs CA certs in the Trusted Root and
> Intermediate certificate local computer certificate stores on Window
> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains
> that have anywhere from 200 to 3000 computers that need CA certificates
> to be updated on a regular basis. If FireFox could use those same certs,
> it’d be a lot less complicated to update the Firefox settings to use the
> appropriate root & intermediate CA certs.
> 
>  
> 
> We would like to leverage the security.enterprise_roots.enabled setting
> to allow the Firefox browser to use the CA certificates we place in the
> local computer certificate stores.
> 
>  
> 
> I’ve tried configuring a Windows 7 (64-bit) machine with Firefox ESR
> 52.3, to use the local computer certificate stores.
> security.enterprise_roots.enabled=true. I’ve then tried to browse to
> HTTPS sites that require our workstations to have the supporting CAs
> installed, before the website is presented. So far, I’ve been unable to
> get this to work. Is there some setting/configuration that I may be
> overlooking, which is causing Firefox to not use the local computer
> certificate stores? I’ve also tried doing the same on my work laptop &
> get the same results. (using FireFox 55.0 (32-bit))
> 
>  
> 
> If I manually load the root and intermediate certificates into Firefox
> on a workstation, I’m able to access the secure websites.
> 
>  
> 
> Any assistance would be greatly appreciated to get this option to work.
> 
>  
> 
> Sincerely,
> 
>  
> 
> Lance Spencer
> 
> 
> 
> _______________________________________________
> Enterprise mailing list
> Enterprise@mozilla.org
> https://mail.mozilla.org/listinfo/enterprise
> 
> To unsubscribe from this list, please visit 
> https://mail.mozilla.org/listinfo/enterprise or send an email to 
> enterprise-requ...@mozilla.org with a subject of "unsubscribe"
> 

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org with a subject of "unsubscribe"

Reply via email to