I tested functionality today by importing the Intermediate CA certs for the
site I'm going to, and the intermediates for my smartcard certs, and access
to secure sites works okay.

Before I found out about the 'security.enterprise_roots.enable' setting, I
was trying to use the NSS certutil.exe in a script to import CA certs. I've
tried to configure my computer to compile the NSS certutil.exe, but I was
unsuccessful at creating that executable.

Is there a better process to import CA certs into Firefox, vice using the
NSS certutil.exe? Is there any automated function that will pull in the
Intermediate CA certs (that are already loaded in the local computer
'Intermediate Certification Authorities' certificate store on a Microsoft
computer), into Firefox?

Sincerely,

Lance Spencer
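The message above asks for a scripted way to get the certificates already in the Windows 'Intermediate Certification Authorities' store into Firefox. The following PowerShell is an added example (not code from the thread and not Mozilla's) that does the part a script can do: it exports every genuine intermediate from Cert:\LocalMachine\CA to PEM and generates the matching NSS certutil.exe import commands for a profile. It assumes certutil.exe is available on PATH (the message notes it could not be built locally), that Firefox is closed while the generated import.cmd runs, and that $ProfileDir is the Firefox profile directory; the default profile lookup is an assumption and should be adjusted for real deployments.

```powershell
# Added example, not code from the thread or from Mozilla. Exports the Local
# Machine "Intermediate Certification Authorities" store (Cert:\LocalMachine\CA)
# to PEM files and writes the matching NSS certutil.exe import commands.
# Assumptions: certutil.exe from NSS is on PATH, Firefox is closed while the
# generated import.cmd runs, and $ProfileDir is a Firefox profile directory
# (the default below just picks the first profile folder; adjust as needed).
param(
    [string]$ProfileDir = (Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory |
                           Select-Object -First 1 -ExpandProperty FullName),
    [string]$OutDir     = "$env:TEMP\fx-intermediates"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Firefox 58+ uses cert9.db (SQLite), which certutil addresses as "sql:<dir>";
# ESR 52 (the version in the thread) still uses the legacy cert8.db.
$dbArg = if (Test-Path (Join-Path $ProfileDir 'cert9.db')) { "sql:$ProfileDir" } else { $ProfileDir }

# Self-signed entries sitting in the CA store are really roots; the
# security.enterprise_roots.enabled mechanism covers those from the Root
# stores, so only genuine intermediates (subject != issuer) are exported.
$intermediates = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -ne $_.Issuer }

$commands = foreach ($cert in $intermediates) {
    $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
            [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
            "`r`n-----END CERTIFICATE-----`r`n"
    $file = Join-Path $OutDir "$($cert.Thumbprint).pem"
    Set-Content -Path $file -Value $pem -Encoding Ascii -NoNewline

    # Nickname must be unique in the NSS db; thumbprint + CN keeps it readable.
    $nick = "{0} {1}" -f $cert.Thumbprint, $cert.GetNameInfo('SimpleName', $false)
    # Trust flags ",," = no explicit trust. NSS still uses the cert for chain
    # building, which is all an intermediate needs; only a root would get "C,,".
    'certutil.exe -A -d "{0}" -n "{1}" -t ",," -i "{2}"' -f $dbArg, $nick, $file
}

$commands | Set-Content -Path (Join-Path $OutDir 'import.cmd') -Encoding Ascii
Write-Host ("Exported {0} intermediate(s); run {1}\import.cmd with Firefox closed." -f @($commands).Count, $OutDir)
```

The export is done with the Windows certificate provider rather than certutil.exe precisely because that is the tool the poster could not build; certutil is only needed on the import side, and the same generated import.cmd can be pushed to workstations alongside a prebuilt NSS certutil. Importing with ",," trust (not "C,,") keeps the intermediates from being treated as trust anchors, which matches what the browser needs from them.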

-----Original Message-----
From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of Lance
Spencer
Sent: Wednesday, August 9, 2017 9:14 AM
To: David Keeler <dkee...@mozilla.com>; enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
aren't accessed by Firefox.

I cleared out all CA certificates that we use for our trust structure from
Firefox. One thing that seemed odd is I have 'Root' CA certs under "Your
Certificates" tab in the Certificate Manager.

I cleared the root certs out & left my personal smartcard certs in the "Your
Certificates" tab.

Closed Firefox out & reopened. 

I went back to the Certificate Manager & see that the Root CA certs are
again, in the "Your Certificates" tab.

Is this where the Root CA certs were supposed to be imported to in Firefox?

I would've thought the certs would be placed in the "Authorities" tab.

Sincerely,

Lance Spencer


-----Original Message-----
From: Lance Spencer
Sent: Wednesday, August 9, 2017 8:23 AM
To: 'David Keeler' <dkee...@mozilla.com>; enterprise@mozilla.org
Subject: RE: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
aren't accessed by Firefox.

Thanks for the reply. I'm trying to understand the process better with
Firefox and the Microsoft certificate stores, and this is helping.

I know my
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
registry key holds my "Root" certificates for the sites I'm going to. (This
location also corresponds to the Certificates (Local Computer)\Trusted Root
Certificates\Certificates container in certmgr.msc.)

I tried the setting " logging.pipnss":"Debug" and it didn't produce any
output from "cmd.exe" or "Powershell".

So for my understanding, does the "security.enterprise_roots.enabled"
setting only allow for pulling the "root" certs from the Microsoft cert
stores? 

We have another mechanism that populates the Microsoft Trusted Roots and
Intermediate CAs containers with all our required Root & Intermediate CA
certs. All of the CA certificates that Firefox would need to access would
already be in the Microsoft certificate stores. As far as I am aware,
there is no ability for the site being accessed to provide Intermediate CA
certs during the TLS handshake.

Will Firefox still only look at "Root" CA certs?

Sincerely,

Lance Spencer

-----Original Message-----
From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David
Keeler
Sent: Tuesday, August 8, 2017 4:51 PM
To: enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
aren't accessed by Firefox.

Here are some things you could try:

* Add an about:config preference "logging.pipnss" with the string value
"Debug". Then, set "security.enterprise_roots.enabled" to true and see what
output you get in the console (not the browser console but an OS console -
I'm not actually sure how to do this on Windows - run Firefox from
powershell or cmd.exe?)

* Where are the certificates you're trying to use installed on Windows?
Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
HKLM\SOFTWARE\Microsoft\SystemCertificates,
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
respectively.

* Are the servers you're trying to access sending the appropriate
intermediate certificates? Firefox doesn't import intermediates via this
mechanism - they must be sent in the TLS handshake.

Hope this helps,
David
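To make the second bullet above concrete (and the earlier note that the Policies\...\Root\Certificates key holds the root certs), here is an added PowerShell example, not code from the thread or from Mozilla, that walks the three physical Local Machine "Root" stores Firefox examines, decodes each registry Blob into an X509Certificate2 and reports which physical store holds which certificate and whether it is actually self-signed. It assumes the Blob value uses the CryptoAPI serialized-property layout (repeated records of DWORD propId, DWORD reserved, DWORD length, data, where propId 32 is CERT_CERT_PROP_ID carrying the DER certificate) and that the caller can read HKLM.

```powershell
# Added example, not code from the thread or from Mozilla. Walks the three
# physical Local Machine "Root" stores named in the reply above, decodes each
# registry Blob to an X509Certificate2 and prints which physical store holds
# which certificate. Assumption: the Blob layout is the CryptoAPI serialized
# property format (repeated records of DWORD propId, DWORD reserved, DWORD
# length, data), where propId 32 (CERT_CERT_PROP_ID) carries the DER cert.
$stores = [ordered]@{
    'CERT_SYSTEM_STORE_LOCAL_MACHINE'              = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function ConvertFrom-CertBlob {
    param([byte[]]$Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [int][BitConverter]::ToUInt32($Blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        if ($propId -eq 32) {
            # CERT_CERT_PROP_ID: the raw DER-encoded certificate follows the header.
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $pos + 12, $der, 0, $len)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $pos += 12 + $len
    }
    return $null
}

foreach ($entry in $stores.GetEnumerator()) {
    Write-Host "== $($entry.Key)`n   $($entry.Value)"
    if (-not (Test-Path $entry.Value)) { Write-Host '   (key absent: nothing installed here)'; continue }
    foreach ($key in Get-ChildItem $entry.Value) {
        $cert = ConvertFrom-CertBlob ([byte[]]$key.GetValue('Blob'))
        if ($null -eq $cert) { Write-Host "   $($key.PSChildName)  (no certificate property in Blob)"; continue }
        # The subkey name is the SHA-1 thumbprint, so it should match the parsed cert.
        # An intermediate filed here by mistake shows self-signed=False; per the
        # reply above, Firefox only takes roots from these stores.
        Write-Host ("   {0}  {1}  self-signed={2}" -f $cert.Thumbprint, $cert.Subject, ($cert.Subject -eq $cert.Issuer))
    }
}
```

This answers the "where are they installed" question directly: certmgr.msc's "Trusted Root Certification Authorities" view merges all three physical stores, so a certificate can look present there while living only in a location whose key the script reports as absent. On the first bullet, Firefox also honours the MOZ_LOG and MOZ_LOG_FILE environment variables; setting $env:MOZ_LOG = 'pipnss:5' and $env:MOZ_LOG_FILE to a file path before starting firefox.exe writes the same log to that file, which avoids having to capture console output on Windows.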

On 08/08/2017 12:02 PM, Lance Spencer wrote:
> I've tried to review many blogs/forum strings that discuss getting
> Firefox to use the local computer certificate stores on Windows. I
> didn't want to bother this group with this issue unless I at least
> tried to figure some things out for myself. So far I have been
> unsuccessful in getting this to work.
>
> We use an executable that installs CA certs in the Trusted Root and
> Intermediate certificate local computer certificate stores on Windows
> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains
> that have anywhere from 200 to 3000 computers that need CA
> certificates to be updated on a regular basis. If Firefox could use
> those same certs, it'd be a lot less complicated to update the Firefox
> settings to use the appropriate root & intermediate CA certs.
>
> We would like to leverage the security.enterprise_roots.enabled
> setting to allow the Firefox browser to use the CA certificates we
> place in the local computer certificate stores.
>
> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR
> 52.3, to use the local computer certificate stores.
> security.enterprise_roots.enabled=true. I've then tried to browse to
> HTTPS sites that require our workstations to have the supporting CAs
> installed, before the website is presented. So far, I've been unable
> to get this to work. Is there some setting/configuration that I may be
> overlooking, which is causing Firefox to not use the local computer
> certificate stores? I've also tried doing the same on my work laptop &
> get the same results. (using Firefox 55.0 (32-bit))
>
> If I manually load the root and intermediate certificates into Firefox
> on a workstation, I'm able to access the secure websites.
>
> Any assistance would be greatly appreciated to get this option to work.
>
> Sincerely,
>
> Lance Spencer
>
> _______________________________________________
> Enterprise mailing list
> Enterprise@mozilla.org
> https://mail.mozilla.org/listinfo/enterprise
>
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> enterprise-requ...@mozilla.org with a subject of "unsubscribe"
