On 08/09/2017 05:26 AM, Lance Spencer wrote:
> Thanks for the reply. I'm trying to understand the process better with
> FireFox and the Microsoft certificate stores, and this is helping.
> 
> I know my
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
> registry key holds my "Root" certificates for the sites I'm going to. (This
> location also corresponds to the Certificates (Local Computer)\Trusted Root
> Certificates\Certificates container in certmgr.msc.)
> 
> I tried the setting " logging.pipnss":"Debug" and it didn't produce any
> output from "cmd.exe" or "Powershell".
> 
> So for my understanding, does the "security.enterprise_roots.enabled"
> setting only allow for pulling the "root" certs from the Microsoft cert
> stores? 

Correct - the implementation only imports trusted root certificates.

> We have another mechanism that populates the Microsoft Trusted Roots and
> Intermediate CAs containers with all our required Root & Intermediate CA
> certs. All of the CA certificates that Firefox would need to access would
> already be in the Microsoft certificate stores. As far as I am aware,
> there is no ability for the site that is being accessed to provide
> Intermediate CA certs during the TLS handshake.

The TLS specification requires that servers send a list of certificates
starting from the server's certificate and chaining to a trusted
self-signed root certificate (which may be omitted), so it's not
surprising you're running into compatibility issues by not including
intermediate certificates. See
https://tools.ietf.org/html/rfc5246#section-7.4.2 ("certificate_list")

Hope this helps,
David

> Will Firefox still only look at "Root" CA certs?
> 
> Sincerely,
> 
> Lance Spencer
> Juno Technologies
> lance.spen...@junotech.com
> Cell: (757)846-5834
> 
> 
> -----Original Message-----
> From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David
> Keeler
> Sent: Tuesday, August 8, 2017 4:51 PM
> To: enterprise@mozilla.org
> Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
> aren't accessed by Firefox.
> 
> Here are some things you could try:
> 
> * Add an about:config preference "logging.pipnss" with the string value
> "Debug". Then, set "security.enterprise_roots.enabled" to true and see what
> output you get in the console (not the browser console but an OS console -
> I'm not actually sure how to do this on Windows - run Firefox from
> powershell or cmd.exe?)
> 
> * Where are the certificates you're trying to use installed on Windows?
> Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
> HKLM\SOFTWARE\Microsoft\SystemCertificates,
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
> and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
> respectively.
> 
> * Are the servers you're trying to access sending the appropriate
> intermediate certificates? Firefox doesn't import intermediates via this
> mechanism - they must be sent in the TLS handshake.
> 
> Hope this helps,
> David
> 
> On 08/08/2017 12:02 PM, Lance Spencer wrote:
>> I've tried to review many blogs/forum strings that discuss getting 
>> Firefox to use the local computer certificates stores on Windows. I 
>> didn't want to bother this group with this issue unless I at least 
>> tried to figure some things out for myself. So far I have been 
>> unsuccessful in getting this to work.
>>
>> We use an executable that installs CA certs in the Trusted Root and 
>> Intermediate certificate local computer certificate stores on Windows
>> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains 
>> that have anywhere from 200 to 3000 computers that need CA 
>> certificates to be updated on a regular basis. If FireFox could use 
>> those same certs, it'd be a lot less complicated to update the Firefox 
>> settings to use the appropriate root & intermediate CA certs.
>>
>> We would like to leverage the security.enterprise_roots.enabled 
>> setting to allow the Firefox browser to use the CA certificates we 
>> place in the local computer certificate stores.
>>
>> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR 
>> 52.3, to use the local computer certificate stores.
>> security.enterprise_roots.enabled=true. I've then tried to browse to 
>> HTTPS sites that require our workstations to have the supporting CAs 
>> installed, before the website is presented. So far, I've been unable 
>> to get this to work. Is there some setting/configuration that I may be 
>> overlooking, which is causing Firefox to not use the local computer 
>> certificate stores? I've also tried doing the same on my work laptop & 
>> get the same results. (using FireFox 55.0 (32-bit))
>>
>> If I manually load the root and intermediate certificates into Firefox 
>> on a workstation, I'm able to access the secure websites.
>>
>> Any assistance would be greatly appreciated to get this option to work.
>>
>> Sincerely,
>>
>> Lance Spencer
>>
>>
>>
>> _______________________________________________
>> Enterprise mailing list
>> Enterprise@mozilla.org
>> https://mail.mozilla.org/listinfo/enterprise
>>
>> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> enterprise-requ...@mozilla.org with a subject of "unsubscribe"
>>
> 

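The two diagnostics David suggests (where the roots actually live on the Windows side, and whether the server sends its intermediates) as an added PowerShell example. This is not code from the thread or from Mozilla; it assumes Windows PowerShell 5.1 or later on the workstation running Firefox. The registry paths are the Root physical stores behind the three CERT_SYSTEM_STORE_* locations named in the reply, and the handshake check relies on one assumption not stated in the thread: that .NET places the certificate_list the server sent into $chain.ChainPolicy.ExtraStore before it invokes the validation callback.

```powershell
# Added diagnostic for the thread above; not code from Mozilla or the list.
# Assumes Windows PowerShell 5.1+ on the machine running Firefox.

# Root physical stores behind the three locations Firefox examines when
# security.enterprise_roots.enabled is true. Subkeys are named by SHA-1 thumbprint.
$RootStoreLocations = [ordered]@{
    'CERT_SYSTEM_STORE_LOCAL_MACHINE'              = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function Get-EnterpriseRootCandidates {
    # Lists every root certificate Firefox could import, tagged with the physical
    # store it came from. The logical LocalMachine\Root store merges all three, so
    # it is only used here to resolve a thumbprint to a subject name.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($entry in $RootStoreLocations.GetEnumerator()) {
            if (-not (Test-Path $entry.Value)) { continue }
            foreach ($key in Get-ChildItem $entry.Value) {
                $thumb = $key.PSChildName
                $match = $store.Certificates.Find('FindByThumbprint', $thumb, $false)
                $subject = '(thumbprint not present in logical LocalMachine\Root)'
                $selfSigned = $null
                if ($match.Count -gt 0) {
                    $subject    = $match[0].Subject
                    $selfSigned = ($match[0].Subject -eq $match[0].Issuer)
                }
                [pscustomobject]@{ Location = $entry.Key; Thumbprint = $thumb; Subject = $subject; SelfSigned = $selfSigned }
            }
        }
    } finally { $store.Close() }
}

function Get-IntermediatesFirefoxIgnores {
    # Intermediates in LocalMachine\CA are NOT imported by the enterprise-roots
    # mechanism; the server has to send them in the handshake.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $store.Open('ReadOnly')
    try { $store.Certificates | Select-Object Subject, Issuer, Thumbprint, NotAfter } finally { $store.Close() }
}

function Test-ServerChain {
    # Connects to a TLS server and reports which chain elements the server actually
    # sent versus which ones Windows filled in from its own stores. An intermediate
    # that Windows supplied locally is exactly what Firefox will be missing.
    # ASSUMPTION: .NET copies the server's certificate_list into
    # $chain.ChainPolicy.ExtraStore before calling the validation callback.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $seen = @{}
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Sent   = @($chain.ChainPolicy.ExtraStore | ForEach-Object { $_.Thumbprint })
        $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $seen.Errors = $sslPolicyErrors
        return $true   # accept for diagnosis only; never do this in production code
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally { $tcp.Close() }

    $n = $seen.Chain.Count
    for ($i = 0; $i -lt $n; $i++) {
        $cert = $seen.Chain[$i]
        $role = if ($i -eq 0) { 'leaf' }
                elseif ($i -eq $n - 1 -and $cert.Subject -eq $cert.Issuer) { 'root' }
                else { 'intermediate' }
        $sentByServer = $seen.Sent -contains $cert.Thumbprint
        [pscustomobject]@{
            Role         = $role
            Subject      = $cert.Subject
            SentByServer = $sentByServer
            FirefoxGap   = ($role -eq 'intermediate' -and -not $sentByServer)
        }
    }
    if ($seen.Errors -ne 'None') { Write-Warning "Windows chain engine reported: $($seen.Errors)" }
}

# Usage (replace the host name with the internal site that fails in Firefox):
#   Get-EnterpriseRootCandidates | Format-Table Location, SelfSigned, Subject
#   Get-IntermediatesFirefoxIgnores | Format-Table Subject, Issuer
#   Test-ServerChain -HostName intranet.example.test | Format-Table Role, SentByServer, FirefoxGap, Subject
```

A row with FirefoxGap set to True is the case described in the reply: Windows validated the site because the intermediate was in LocalMachine\CA, but Firefox only gets roots from those stores, so the server must send that intermediate itself. The root element showing SentByServer as False is normal (the spec allows omitting it).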