Thanks for the reply. I'm trying to understand the process better with
Firefox and the Microsoft certificate stores, and this is helping.

I know my
registry key holds my "Root" certificates for the sites I'm going to. (This
location also corresponds to the Certificates (Local Computer)\Trusted Root
Certificates\Certificates container in certmgr.msc.)

I tried the setting "logging.pipnss":"Debug" and it didn't produce any
output from "cmd.exe" or "PowerShell".

So for my understanding, does the "security.enterprise_roots.enabled"
setting only allow for pulling the "root" certs from the Microsoft cert

We have another mechanism that populates the Microsoft Trusted Roots and
Intermediate CAs containers with all our required Root & Intermediate CA
certs. All of the CA certificates that Firefox would need to access would
already be in the Microsoft certificate stores. As far as I am aware,
there is no ability for the site that is being accessed to provide
Intermediate CA certs during the TLS handshake.

Will Firefox still only look at "Root" CA certs?


Lance Spencer
Juno Technologies
Cell: (757)846-5834

-----Original Message-----
From: Enterprise [] On Behalf Of David
Sent: Tuesday, August 8, 2017 4:51 PM
Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
aren't accessed by Firefox.

Here are some things you could try:

* Add an about:config preference "logging.pipnss" with the string value
"Debug". Then, set "security.enterprise_roots.enabled" to true and see what
output you get in the console (not the browser console but an OS console -
I'm not actually sure how to do this on Windows - run Firefox from
powershell or cmd.exe?)

* Where are the certificates you're trying to use installed on Windows?
and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,

* Are the servers you're trying to access sending the appropriate
intermediate certificates? Firefox doesn't import intermediates via this
mechanism - they must be sent in the TLS handshake.

Hope this helps,

On 08/08/2017 12:02 PM, Lance Spencer wrote:
> I've tried to review many blogs/forum strings that discuss getting 
> Firefox to use the local computer certificates stores on Windows. I 
> didn't want to bother this group with this issue unless I at least 
> tried to figure some things out for myself. So far I have been 
> unsuccessful in getting this to work.
> We use an executable that installs CA certs in the Trusted Root and 
> Intermediate certificate local computer certificate stores on Windows
> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains 
> that have anywhere from 200 to 3000 computers that need CA 
> certificates to be updated on a regular basis. If Firefox could use 
> those same certs, it'd be a lot less complicated to update the Firefox 
> settings to use the appropriate root & intermediate CA certs.
> We would like to leverage the security.enterprise_roots.enabled 
> setting to allow the Firefox browser to use the CA certificates we 
> place in the local computer certificate stores.
> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR 
> 52.3, to use the local computer certificate stores.
> security.enterprise_roots.enabled=true. I've then tried to browse to 
> HTTPS sites that require our workstations to have the supporting CAs 
> installed, before the website is presented. So far, I've been unable 
> to get this to work. Is there some setting/configuration that I may be 
> overlooking, which is causing Firefox to not use the local computer 
> certificate stores? I've also tried doing the same on my work laptop & 
> get the same results. (using Firefox 55.0 (32-bit))
> If I manually load the root and intermediate certificates into Firefox 
> on a workstation, I'm able to access the secure websites.
> Any assistance would be greatly appreciated to get this option to work.
> Sincerely,
> Lance Spencer
> _______________________________________________
> Enterprise mailing list
> To unsubscribe from this list, please visit or send an email to with a subject of "unsubscribe"
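
An added example, not part of any message in this thread: a read-only PowerShell inventory of the two local-computer stores discussed above. It marks which Trusted Root entries also sit under the registry key named in David's reply, and lists the Intermediate CA entries that, per that reply, Firefox does not import and the server must send in the TLS handshake. Function and variable names are hypothetical; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Read-only; changes nothing on the machine.
# Requires PowerShell 3.0+ for [pscustomobject].

# Registry location named in the thread.
$regPath = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
$regThumbprints = @()
if (Test-Path $regPath) {
    # Each subkey under ...\Certificates is named after a certificate thumbprint.
    $regThumbprints = @(Get-ChildItem $regPath | ForEach-Object { $_.PSChildName })
}

function Get-StoreCaInventory {
    # 'Root' = Trusted Root Certification Authorities, 'CA' = Intermediate CAs.
    param([string[]]$StoreNames = @('Root', 'CA'))
    foreach ($name in $StoreNames) {
        Get-ChildItem -Path "Cert:\LocalMachine\$name" | ForEach-Object {
            $bc = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            } | Select-Object -First 1
            [pscustomobject]@{
                Store      = $name
                Subject    = $_.Subject
                # Heuristic: name comparison only, the signature is not verified.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                NotAfter   = $_.NotAfter
                InRegKey   = ($regThumbprints -contains $_.Thumbprint)
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

$inventory = @(Get-StoreCaInventory)

# Trusted Root entries: candidates for security.enterprise_roots.enabled.
$roots = @($inventory | Where-Object { $_.Store -eq 'Root' })
$roots | Sort-Object Subject |
    Format-Table Subject, SelfSigned, IsCA, InRegKey, NotAfter -AutoSize

# Intermediate CA entries: not imported by that setting according to the reply
# above, so each server has to present these in its TLS handshake.
$intermediates = @($inventory | Where-Object { $_.Store -eq 'CA' -and -not $_.SelfSigned })
$intermediates | Sort-Object Subject | Format-Table Subject, IsCA, NotAfter -AutoSize

'{0} root entries ({1} under the registry key), {2} intermediates' -f `
    $roots.Count, @($roots | Where-Object { $_.InRegKey }).Count, $intermediates.Count
```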
