How to make Firefox trust system CA certificates?
Since Firefox 49 there is some support for Windows CA certificates and support for Active Directory provided enterprise root certificates since Firefox 52. It is also supported in macOS to read from the Keychain since version 63.
Since Firefox 68 this feature is enabled by default in the ESR (enterprise) version, but not in the (standard) rapid release.
You can enable this feature for Windows and macOS in about:config
by creating this boolean value:
security.enterprise_roots.enabled
and set it to true
.
For GNU/Linux, this is usually managed by p11-kit-trust and no flag is needed.
Deploying the configuration system wide
Since Firefox 64, there is a new and recommended way by using policies, documented at https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
For legacy versions, the Firefox installation folder can be retrieved from Windows registry, then go to defaults\pref\
subdirectory and create a new file with the following:
/* Allows Firefox reading Windows certificates */
pref("security.enterprise_roots.enabled", true);
Save it with .js
extension, e.g. trustwincerts.js
and restart Firefox. The entry will appear in about:config
for all users.
Deploying Windows Certificates system wide
In Firefox from 49 until 51, it only supports the "Root" store. Since Firefox 52, it supports other stores, including those added from domain via AD.
This is a bit out of scope but explains which was the only certificate store supported by Firefox for versions 49 to 51 or just for local testing. Because this deploys for all local machine users, it requires Administrator privileges in your CMD/PowerShell window or in your own automated deployment script.:
certutil -addstore Root path\to\cafile.pem
This may also be done from the Management Console by clicking a lot of windows if you prefer the mouse way (How to: View Certificates with the MMC Snap-In).
Have you considered deploying those certificates to Firefox as well as to the Windows cert store?
https://wiki.mozilla.org/CA:AddRootToFirefox details a few options:
- Modify the certificate database directly using
certutil
. -
Use Firefox's autoconfig feature, by placing a javascript file alongside the binary, to add the certificates:
var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); var certdb2 = certdb; try { certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2); } catch (e) {} cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all. certdb2.addCertFromBase64(cert, "C,C,C", "");
- Distribute the certificate database files directly.
- Package Firefox for installation, including the certificates in your distribution.
- Use CCK2 to create an extension that adds the certificates.
There isn't a good way handle forcing the use of the system store, but there is a nice workaround (force the use of a customized firefox compatible store).
The bit of script below works well at login / logoff.
Stop-Process -processname firefox
$DBPath="\\yourserver\yourshare\cert8.db"
$FirefoxProfiles=Get-ChildItem $Env:appdata\Mozilla\Firefox\Profiles
$DB=Get-Item $DBPath
ForEach ( $Profile in $FirefoxProfiles )
{
$FullPath=join-path $Env:appdata\Mozilla\Firefox\Profiles $Profile
Copy-Item $DB $FullPath
$FullPath
}
There is free project that provides the ability to manage Firefox root certificates using group policies. You can either install or remove root certificates from Firefox database.