Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.
I tested functionality today by importing the Intermediate CA certs for the site I'm going to, and the intermediates for my smartcard certs, and access to secure sites work okay. Before I found out about the 'security.enterprise_roots.enable' setting, I was trying to use the NSS certutil.exe in a script to import CA certs. I've tried to configure my computer to compile the NSS certutil.exe, but I was unsuccessful at creating that executable. Is there a better process to import CA certs into Firefox, vice using the NSS certutil.exe? Is there any automated function that will pull in the Intermediate CA certs (that are already loaded in the local computer 'Intermediate Certification Authorities' certificate store on a Microsoft computer), into Firefox? Sincerely, Lance Spencer -Original Message- From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of Lance Spencer Sent: Wednesday, August 9, 2017 9:14 AM To: David Keeler <dkee...@mozilla.com>; enterprise@mozilla.org Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox. I cleared out all CA certificates that we use for our trust structure from Firefox. One thing that seemed odd is I have 'Root' CA certs under "Your Certificates" tab in the Certificate Manager. I cleared the root certs out & left my personal smartcard certs in the "Your Certificates" tab. Closed Firefox out & reopened. I went back to the Certificate Manager & see that the Root CA certs are again, in the "Your Certificates" tab. Is this where the Root CA certs was supposed to be imported to in Firefox? I would've thought the certs would be placed in the "Authorities" tab. Sincerely, Lance Spencer -Original Message- From: Lance Spencer Sent: Wednesday, August 9, 2017 8:23 AM To: 'David Keeler' <dkee...@mozilla.com>; enterprise@mozilla.org Subject: RE: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox. Thanks for the reply. I'm trying to understand the process better with FireFox and the Microsoft certificate stores, and this is helping. I know my HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates registry key holds my "Root" certificates for the sites I'm going to. (This location also corresponds to the Certificates (Local Computer)\Trusted Root Certificates\Certificates container in certmgr.msc.) I tried the setting " logging.pipnss":"Debug" and it didn't produce any output from "cmd.exe" or "Powershell". So for my understanding, does the "security.enterprise_roots.enabled" setting only allow for pulling the "root" certs from the Microsoft cert stores? We have another mechanism that populates the Microsoft Trusted Roots and Intermediate CAs containers with all our required Root & Intermediate CA certs. All of the CA certificates that Firefox would need to access would already be in the Microsoft certificate stores. As far as I am aware of, there is no ability for the site that is being accessed, to provide Intermediate CA certs during the TLS handshake. Will Firefox still only look at "Root" CA certs? Sincerely, Lance Spencer -Original Message- From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David Keeler Sent: Tuesday, August 8, 2017 4:51 PM To: enterprise@mozilla.org Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox. Here are some things you could try: * Add an about:config preference "logging.pipnss" with the string value "Debug". Then, set "security.enterprise_roots.enabled" to true and see what output you get in the console (not the browser console but an OS console - I'm not actually sure how to do this on Windows - run Firefox from powershell or cmd.exe?) * Where are the certificates you're trying to use installed on Windows? Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to HKLM\SOFTWARE\Microsoft\SystemCertificates, HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates, and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates, respectively. * Are the servers you're trying to access sending the appropriate intermediate certificates? Firefox doesn't import intermediates via this mechanism - they must be sent in the TLS handshake. Hope this helps, David On 08/08/2017 12:02 PM, Lance Spencer wrote: > I've tried to review many blogs/forum strings that discuss getting > Firefox to use the local computer certificates stores on Windows. I > didn't want to bother this group with this issue unless I at least > tried to figure some things out for myself. So far I have been > unsuccessful to get this to work. >
Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.
I cleared out all CA certificates that we use for our trust structure from Firefox. One thing that seemed odd is I have 'Root' CA certs under "Your Certificates" tab in the Certificate Manager. I cleared the root certs out & left my personal smartcard certs in the "Your Certificates" tab. Closed Firefox out & reopened. I went back to the Certificate Manager & see that the Root CA certs are again, in the "Your Certificates" tab. Is this where the Root CA certs was supposed to be imported to in Firefox? I would've thought the certs would be placed in the "Authorities" tab. Sincerely, Lance Spencer -Original Message- From: Lance Spencer Sent: Wednesday, August 9, 2017 8:23 AM To: 'David Keeler' <dkee...@mozilla.com>; enterprise@mozilla.org Subject: RE: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox. Thanks for the reply. I'm trying to understand the process better with FireFox and the Microsoft certificate stores, and this is helping. I know my HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates registry key holds my "Root" certificates for the sites I'm going to. (This location also corresponds to the Certificates (Local Computer)\Trusted Root Certificates\Certificates container in certmgr.msc.) I tried the setting " logging.pipnss":"Debug" and it didn't produce any output from "cmd.exe" or "Powershell". So for my understanding, does the "security.enterprise_roots.enabled" setting only allow for pulling the "root" certs from the Microsoft cert stores? We have another mechanism that populates the Microsoft Trusted Roots and Intermediate CAs containers with all our required Root & Intermediate CA certs. All of the CA certificates that Firefox would need to access would already be in the Microsoft certificate stores. As far as I am aware of, there is no ability for the site that is being accessed, to provide Intermediate CA certs during the TLS handshake. Will Firefox still only look at "Root" CA certs? Sincerely, Lance Spencer -Original Message- From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David Keeler Sent: Tuesday, August 8, 2017 4:51 PM To: enterprise@mozilla.org Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox. Here are some things you could try: * Add an about:config preference "logging.pipnss" with the string value "Debug". Then, set "security.enterprise_roots.enabled" to true and see what output you get in the console (not the browser console but an OS console - I'm not actually sure how to do this on Windows - run Firefox from powershell or cmd.exe?) * Where are the certificates you're trying to use installed on Windows? Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to HKLM\SOFTWARE\Microsoft\SystemCertificates, HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates, and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates, respectively. * Are the servers you're trying to access sending the appropriate intermediate certificates? Firefox doesn't import intermediates via this mechanism - they must be sent in the TLS handshake. Hope this helps, David On 08/08/2017 12:02 PM, Lance Spencer wrote: > I've tried to review many blogs/forum strings that discuss getting > Firefox to use the local computer certificates stores on Windows. I > didn't want to bother this group with this issue unless I at least > tried to figure some things out for myself. So far I have been > unsuccessful to get this to work. > > > > We use an executable that installs CA certs in the Trusted Root and > Intermediate certificate local computer certificate stores on Window > 7/10 workstations, as well as 2008/2012/2016 servers. We have domains > that have anywhere from 200 to 3000 computers that need CA > certificates to be updated on a regular basis. If FireFox could use > those same certs, it'd be a lot less complicated to update the Firefox > settings to use the appropriate root & intermediate CA certs. > > > > We would like to leverage the security.enterprise_roots.enabled > setting to allow the Firefox browser to use the CA certificates we > place in the local computer certificate stores. > > > > I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR > 52.3, to use the local computer certificate stores. > security.enterprise_roots.enabled=true. I've then tried to browse to > HTTPS sites that require our workstations to have the supporting CAs > installed, before the website is presented. So far, I've been unable