Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.

2017-08-09 Thread David Keeler
On 08/09/2017 05:26 AM, Lance Spencer wrote:
> Thanks for the reply. I'm trying to understand the process better with
> Firefox and the Microsoft certificate stores, and this is helping.
> 
> I know my
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
> registry key holds my "Root" certificates for the sites I'm going to. (This
> location also corresponds to the Certificates (Local Computer)\Trusted Root
> Certificates\Certificates container in certmgr.msc.)
> 
> I tried the setting "logging.pipnss":"Debug" and it didn't produce any
> output from "cmd.exe" or "Powershell".
> 
> So for my understanding, does the "security.enterprise_roots.enabled"
> setting only allow for pulling the "root" certs from the Microsoft cert
> stores? 

Correct - the implementation only imports trusted root certificates.

> We have another mechanism that populates the Microsoft Trusted Roots and
> Intermediate CAs containers with all our required Root & Intermediate CA
> certs. All of the CA certificates that Firefox would need to access would
> already be in the Microsoft certificate stores. As far as I am aware,
> there is no ability for the site that is being accessed to provide
> Intermediate CA certs during the TLS handshake.

The TLS specification requires that servers send a list of certificates
starting from the server's certificate and chaining to a trusted
self-signed root certificate (which may be omitted), so it's not
surprising you're running into compatibility issues by not including
intermediate certificates. See
https://tools.ietf.org/html/rfc5246#section-7.4.2 ("certificate_list").

Hope this helps,
David

> Will Firefox still only look at "Root" CA certs?
> 
> Sincerely,
> 
> Lance Spencer
> Juno Technologies
> lance.spen...@junotech.com
> Cell: (757)846-5834
> 
> 
> -Original Message-
> From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David
> Keeler
> Sent: Tuesday, August 8, 2017 4:51 PM
> To: enterprise@mozilla.org
> Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
> aren't accessed by Firefox.
> 
> Here are some things you could try:
> 
> * Add an about:config preference "logging.pipnss" with the string value
> "Debug". Then, set "security.enterprise_roots.enabled" to true and see what
> output you get in the console (not the browser console but an OS console -
> I'm not actually sure how to do this on Windows - run Firefox from
> powershell or cmd.exe?)
> 
> * Where are the certificates you're trying to use installed on Windows?
> Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
> HKLM\SOFTWARE\Microsoft\SystemCertificates,
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
> and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
> respectively.
> 
> * Are the servers you're trying to access sending the appropriate
> intermediate certificates? Firefox doesn't import intermediates via this
> mechanism - they must be sent in the TLS handshake.
> 
> Hope this helps,
> David
> 
> On 08/08/2017 12:02 PM, Lance Spencer wrote:
>> I've tried to review many blogs/forum strings that discuss getting 
>> Firefox to use the local computer certificates stores on Windows. I 
>> didn't want to bother this group with this issue unless I at least 
>> tried to figure some things out for myself. So far I have been 
>> unsuccessful at getting this to work.
>>
>> We use an executable that installs CA certs in the Trusted Root and 
>> Intermediate certificate local computer certificate stores on Windows
>> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains 
>> that have anywhere from 200 to 3000 computers that need CA 
>> certificates to be updated on a regular basis. If Firefox could use 
>> those same certs, it'd be a lot less complicated to update the Firefox 
>> settings to use the appropriate root & intermediate CA certs.
>>
>> We would like to leverage the security.enterprise_roots.enabled 
>> setting to allow the Firefox browser to use the CA certificates we 
>> place in the local computer certificate stores.
>>
>> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR 
>> 52.3, to use the local computer certificate stores.
>> security.enterprise_roots.enabled=true. I've then tried to browse to 
>> HTTPS sites that require our workstations to have the sup
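An added diagnostic for the two points David makes above (the three store locations the enterprise_roots import reads, and the fact that intermediates are not imported). This is not code from the thread or from Mozilla; it assumes PowerShell 3 or later, that Windows names each registry subkey under ...\Certificates by the certificate's SHA-1 thumbprint, and that Cert:\LocalMachine\Root is the logical store merging those physical stores.

```powershell
# Added diagnostic, not code from the thread: show which CA certificates the
# security.enterprise_roots.enabled import can see on this host, and which
# intermediates it will NOT pick up. Run from an elevated PowerShell.

# Physical Root stores behind the three locations David names. Each subkey
# under ...\Certificates is named by the certificate's SHA-1 thumbprint
# (assumption: standard Windows layout for these stores).
$physicalRootStores = @{
    'LOCAL_MACHINE'              = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'LOCAL_MACHINE_GROUP_POLICY' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'LOCAL_MACHINE_ENTERPRISE'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# Map thumbprint -> names of the physical stores that hold it.
$locationsByThumbprint = @{}
foreach ($name in $physicalRootStores.Keys) {
    $path = $physicalRootStores[$name]
    if (-not (Test-Path $path)) { continue }   # key absent until something populates that store
    foreach ($key in Get-ChildItem -Path $path) {
        $thumb = $key.PSChildName.ToUpperInvariant()
        if (-not $locationsByThumbprint.ContainsKey($thumb)) { $locationsByThumbprint[$thumb] = @() }
        $locationsByThumbprint[$thumb] += $name
    }
}

# Cert:\LocalMachine\Root is the logical store that merges those physical stores,
# so it supplies subject names and issuer info for the thumbprints found above.
Write-Host "Roots visible to the enterprise_roots import:"
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $locationsByThumbprint.ContainsKey($_.Thumbprint) } |
    Sort-Object Subject |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            SelfSigned = ($_.Subject -eq $_.Issuer)
            FoundIn    = ($locationsByThumbprint[$_.Thumbprint] -join ',')
        }
    } | Format-Table -AutoSize

# The Intermediate Certification Authorities store (Cert:\LocalMachine\CA) is not
# read by this mechanism; anything listed here has to reach Firefox in the
# server's TLS certificate_list instead.
Write-Host "Intermediates in LocalMachine\CA (NOT imported; servers must send these):"
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Sort-Object Subject |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

A root that only appears in the second table, or an intermediate that appears nowhere in the first, explains an "unknown issuer" error in Firefox even though certmgr.msc shows the whole chain installed.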

Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.

2017-08-09 Thread Lance Spencer
I tested functionality today by importing the Intermediate CA certs for the
site I'm going to, and the intermediates for my smartcard certs, and access
to secure sites works okay.

Before I found out about the 'security.enterprise_roots.enabled' setting, I
was trying to use the NSS certutil.exe in a script to import CA certs. I've
tried to configure my computer to compile the NSS certutil.exe, but I was
unsuccessful at creating that executable.

Is there a better process to import CA certs into Firefox, vice using the
NSS certutil.exe? Is there any automated function that will pull in the
Intermediate CA certs (that are already loaded in the local computer
'Intermediate Certification Authorities' certificate store on a Microsoft
computer), into Firefox?

Sincerely,

Lance Spencer

-Original Message-
From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of Lance
Spencer
Sent: Wednesday, August 9, 2017 9:14 AM
To: David Keeler <dkee...@mozilla.com>; enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
aren't accessed by Firefox.

I cleared out all CA certificates that we use for our trust structure from
Firefox. One thing that seemed odd is that I have 'Root' CA certs under the "Your
Certificates" tab in the Certificate Manager.

I cleared the root certs out & left my personal smartcard certs in the "Your
Certificates" tab.

Closed Firefox out & reopened. 

I went back to the Certificate Manager & see that the Root CA certs are
again in the "Your Certificates" tab.

Is this where the Root CA certs were supposed to be imported to in Firefox?

I would've thought the certs would be placed in the "Authorities" tab.

Sincerely,

Lance Spencer



Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.

2017-08-09 Thread Lance Spencer
I cleared out all CA certificates that we use for our trust structure from
Firefox. One thing that seemed odd is that I have 'Root' CA certs under the "Your
Certificates" tab in the Certificate Manager.

I cleared the root certs out & left my personal smartcard certs in the "Your
Certificates" tab.

Closed Firefox out & reopened. 

I went back to the Certificate Manager & see that the Root CA certs are
again in the "Your Certificates" tab.

Is this where the Root CA certs were supposed to be imported to in Firefox?

I would've thought the certs would be placed in the "Authorities" tab.

Sincerely,

Lance Spencer


On 08/08/2017 12:02 PM, Lance Spencer wrote:
> I've tried to review many blogs/forum strings that discuss getting 
> Firefox to use the local computer certificates stores on Windows. I 
> didn't want to bother this group with this issue unless I at least 
> tried to figure some things out for myself. So far I have been 
> unsuccessful at getting this to work.
>
> We use an executable that installs CA certs in the Trusted Root and 
> Intermediate certificate local computer certificate stores on Windows
> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains 
> that have anywhere from 200 to 3000 computers that need CA 
> certificates to be updated on a regular basis. If Firefox could use 
> those same certs, it'd be a lot less complicated to update the Firefox 
> settings to use the appropriate root & intermediate CA certs.
>
> We would like to leverage the security.enterprise_roots.enabled 
> setting to allow the Firefox browser to use the CA certificates we 
> place in the local computer certificate stores.
>
> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR 
> 52.3, to use the local computer certificate stores.
> security.enterprise_roots.enabled=true. I've then tried to browse to 
> HTTPS sites that require our workstations to have the supporting CAs 
> installed, before the website is presented. So far, I've been unable