CA/AddRootToFirefox

From MozillaWiki
< CA
Jump to: navigation, search

Installing Certificates Into Firefox

There are lots of organizations that use their own private certificate authorities (CAs) to issue certificates for their internal servers. Browsers that attempt to validate certificates issued by a private CA certificate will display errors unless they are configured to recognize these certificates. Since Firefox does not use the operating system's certificate store by default, these CA certificates must be added in to Firefox using one of the following methods.

Import via Policy

As of Firefox 64, an enterprise policy can be used to add CA certificates to Firefox. This is now the method recommended for organizations to install private trust anchors.

The ImportEnterpriseRoots key will cause Firefox to trust root certificates that are in the system certificate store as long as the key is set to “true”. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the "security.enterprise_roots.enabled" preference as described in the next section.

The Install key by default will search for certificates in the locations listed below. Starting in Firefox 65, you can specify a fully qualified path (see cert3.der and cert4.pem in this example). If Firefox does not find something at your fully qualified path, it will search the default directories.

Certificates can be located in the following locations:

  • Windows
    •  %USERPROFILE%\AppData\Local\Mozilla\Certificates
    •  %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
  • MacOS
    • /Library/Application Support/Mozilla/Certificates
    • ~/Library/Application Support/Mozilla/Certificates
  • Linux
    • /usr/lib/mozilla/certificates
    • /usr/lib64/mozilla/certificates
    • ~/.mozilla/certificates

Built-in Windows and MacOS Support

Windows and MacOS enterprise root support can be enabled by setting the "security.enterprise_roots.enabled" preference to true in about:config.

Windows Enterprise Support

As of version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator. To do so, set the preference "security.enterprise_roots.enabled" to true. In this mode, Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although note that they may not appear in the Firefox's certificate manager. It is expected that administration of these CAs (e.g. trust configuration) will occur via built-in Windows tools or other 3rd party utilities. Note also that for such configuration changes to take effect in Firefox either the preference will have to be toggled off and on again or Firefox will have to be restarted. As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

Note: As of this writing, this setting only imports certificates from the Windows Trusted Root Certification Authorities store, not corresponding Intermediate Certification Authorities store. See bug 1473573. If you are experiencing “unknown issuer” errors even after enabling this feature, try configuring your TLS server to include the necessary intermediate certificates in the TLS handshake.

MacOS Enterprise Support

As of Firefox 63, this feature also works for MacOS by importing roots found in the MacOS system keychain.

Linux

On Linux, certificates can be programmatically imported by using p11-kit-trust.so from p11-kit (add the module using the “Security Devices” manager in Preferences or using the modutil utility).

Preload the Certificate Databases

Some people create a new profile in Firefox, manually install the certificates they need, and then distribute the various db files (cert9.db, key4.db and secmod.db) into new profiles using this method. This is not the recommended approach, and this method only works for new profiles.

Certutil

If you're a real diehard, you can use certutil to update the Firefox certificate databases from the command line.

Credits

The original content of this wiki page was copied (with permission) from Mike Kaply's Blog.