Have the certs expired yet?

The way we keep from installing the same cert twice is that we check to see
if the old cert is trusted:

https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/Policies.jsm#333

I think that's what you're running into...

We don't currently have a way to uninstall certificates.

Mike



On Thu, Mar 4, 2021 at 4:58 PM Hoang (US), Victor T <
victor.t.ho...@boeing.com> wrote:

> Hello all,
>
>
>
> I had a certificate expire. Trying to update it and I’m using the
> policy.json file with the Install feature instead of ImportEnterpriseRoots
> so that I can be OS Agnostic. Example:
>
>
>
> "Certificates": {
>       "Install": ["C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt",
> "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"]
>     }
>
>
>
> I tried updating my certificate by giving it the same name and file path,
> however, I don’t think the policy json knows to pull the new certificate
> due to the certificate having the same name. I was able to update the
> certificate only by:
>
>    - Creating a new profile (in this case, it keeps the old one, and
>    writes the new one as well, even with the same name)
>    - Manually adding the new one in. (also keeps the old one, and
>    installs the new one so they both exist)
>
>
>
> My company has the same certificates in the Windows certificate store, so
> I tested switching over to using "ImportEnterpriseRoots":True, but the
> problem is if you already loaded the certs with the Install method I listed
> above, Firefox doesn’t seem to switch over to ImportEnterpriseRoots,
> probably because the old certificates already exist in the local
> store on the browser and it keeps using that expired one instead of checking
> the Windows store for new ones. It does, however, work on a clean install
> because the profile isn’t loaded yet and the certificates aren’t installed
> yet so ImportEnterpriseRoots becomes the default.
>
>
>
> Does anyone have any recommendations on updating the cert file without
> changing its name? Or perhaps even how to switch from using Install policy
> to ImportEnterpriseRoots policy for certificates? It sounds like the
> easiest workaround might be to just include another Install line and
> rename the newer certificate. The downside to this is that the expired
> certificate will still exist in the browser certificate store. Which leads
> me to wonder, is there a policy that removes older certificates from the
> local browser store? I could see this getting messy for older certificates
> over time.
>
>
>
> Grateful for any suggestions!
>
>
>
> Thanks all,
>
>
>
> Victor Hoang
>
>
> _______________________________________________
> Enterprise mailing list
> Enterprise@mozilla.org
> https://mail.mozilla.org/listinfo/enterprise
>
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> enterprise-requ...@mozilla.org with a subject of "unsubscribe"
>