Upcoming Changes to Root Certificates in Firefox on Windows

For organizations interested in supporting Firefox on Windows in a managed environment, a longstanding hurdle has been that Firefox does not use the underlying platform’s certificate database when verifying TLS web server certificates. Mozilla maintains its own separate, transparent and open certificate authority program, which furthers its goal of fostering the open web. However, for users in managed environments connecting to services that use non-public certificate hierarchies, this often results in a sub-optimal experience: Firefox refuses the connection because the organization’s root is unknown to it, while other browsers, which consult the platform store, connect without complaint.

To address this shortcoming, we have been developing an optional feature that, when enabled, searches the Windows certificate trust store for certificate authorities that have been added by the user or an administrator. If Firefox finds any such CAs that are trusted to issue TLS web server certificates, it incorporates them as additional trust anchors in its own path-building logic; the rest of certificate verification is still performed by Firefox itself. When verifying a server certificate, if Firefox can build a path to one of those imported roots, the connection will succeed.

This feature is available in Firefox 49 and up (currently in beta). To give it a try, go to about:config, add the boolean preference security.enterprise_roots.enabled and set it to true. After that, Firefox should connect successfully to sites using certificates issued by third-party root certificates that have been added to the Windows trust database. Note that currently these root certificates will not appear in Firefox’s certificate manager, as they are intended to be managed from the interfaces provided by Windows itself. This may change in the future.
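Flipping the preference by hand in about:config is fine for a test machine, but an administrator will want to push it to every installation and to know in advance which certificates in the Windows store are candidates for import. The following PowerShell script is an added example, not code from the original post or from Mozilla: it deploys the preference through Firefox’s AutoConfig mechanism (a defaults\pref\autoconfig.js that points at a plain-text mozilla.cfg, with lockPref so users cannot switch it off) and then lists the CA certificates in the user and machine Root/CA stores whose own extensions allow them to issue TLS server certificates. The install path under $env:ProgramFiles, the file names and running the script elevated are assumptions; the EKU/basic-constraints filter is a local approximation of “trusted to issue TLS web server certificates”, not a reproduction of Firefox’s internal selection logic.

```powershell
# Added example (not from the original post): deploy security.enterprise_roots.enabled
# via Firefox AutoConfig and list the Windows-store CAs that are candidates for import.
# Assumptions: Firefox lives under $env:ProgramFiles\Mozilla Firefox, and this runs
# in an elevated PowerShell session (it writes into the install directory).

$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (-not (Test-Path (Join-Path $firefoxDir 'firefox.exe'))) {
    throw "Firefox not found under $firefoxDir (adjust the assumed install path)"
}

# 1. AutoConfig bootstrap: tells Firefox which config file to load and that it is
#    plain text (obscure_value 0) rather than the legacy byte-shifted encoding.
$prefDir = Join-Path $firefoxDir 'defaults\pref'
New-Item -ItemType Directory -Force -Path $prefDir | Out-Null
$autoconfig = @"
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
"@
Set-Content -Path (Join-Path $prefDir 'autoconfig.js') -Value $autoconfig -Encoding Ascii

# 2. mozilla.cfg: the first line MUST be a comment (Firefox skips it). lockPref makes the
#    value read-only in about:config, so a user cannot silently disable enterprise roots.
$cfg = @"
// Firefox AutoConfig file, managed centrally
lockPref("security.enterprise_roots.enabled", true);
"@
Set-Content -Path (Join-Path $firefoxDir 'mozilla.cfg') -Value $cfg -Encoding Ascii

# 3. Which certificates in the Windows store could Firefox import? Look in the Root and
#    intermediate CA stores of both the current user and the machine, keep certificates
#    that are CAs (basicConstraints CA=TRUE, or legacy v1 roots with no basicConstraints)
#    and whose Extended Key Usage either includes Server Authentication or is absent
#    (no EKU extension means "any purpose").
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

function Get-CandidateEnterpriseRoots {
    Get-ChildItem -Path $stores | Where-Object {
        $bc  = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }  # basicConstraints
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # extKeyUsage
        $isCa          = (-not $bc) -or $bc.CertificateAuthority
        $mayIssueTls   = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)
        $isCa -and $mayIssueTls
    } | Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::' } },
                      Subject, NotAfter, Thumbprint
}

Get-CandidateEnterpriseRoots | Format-Table -AutoSize
```

Restart Firefox after writing the two files and confirm in about:config that the preference now shows as locked. The candidate list is what you should compare against the roots your internal services actually chain to: a root that is missing from it (for example because it was imported into a store other than Root/CA, or with an EKU that excludes Server Authentication) will not help Firefox build a path even with the preference enabled.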

But wait – there’s more! Using the same infrastructure, we have developed a similar feature to handle the case where Firefox is being used on an account that is monitored by the Microsoft Family Safety functionality in Windows 8.1. For background, this involves a local intercepting proxy that can log and/or block web traffic to and from an account. Because Firefox did not trust the proxy’s certificates, this previously produced the untrusted connection error page. A similar feature existed briefly in Windows 10 but was reconfigured to affect only Edge. Starting with version 50, instead of showing the untrusted connection error page, Firefox should “just work” on such accounts.

These features are still in the early stages, so if you encounter any unexpected behavior, please feel free to file a bug.

This has been a guest post from David Keeler, Mozilla Engineer.


18 thoughts on “Upcoming Changes to Root Certificates in Firefox on Windows”

  1. This is a good solution for some, but might not be right for all Enterprise customers.

    With that in mind, consider PolicyPak to utilize Group Policy to deliver and undeliver Firefox certificates, and, well, just about everything else important to Firefox.

    We will have a special blog post detailing Firefox 49’s Certificate management vs. PolicyPak’s Certificate management in the coming days.

    For now, though, you can go to http://www.policypak.com/products/manage-mozilla-firefox-with-group-policy.html and see the SECOND video down for a demonstration.

    We’ll update this post when our blog entry is up with an A to B comparison.

    • Testing this in our domain, we have been able to successfully test this on 1 PC out of about 5 PCs. So far, I would not say that this is a domain, and maybe even home, solution to certificate management.

      We have tested by manually enabling the preference and importing certificates as the user, and by enabling the preference and installing certificates through a GPO, but regardless of the method, the same PC is the only one that will work correctly.

  2. I see that, according to Bugzilla and Mozilla-Central, some additional certificate stores have been added for version 52.0 that include certificates installed using GroupPolicy or ActiveDirectory. I’m testing Nightly build 52.0a1 (2016-10-19), which should have these new stores, but my testing is still proving unsuccessful (it doesn’t seem to be finding the certs).

    Can anyone confirm that it’s working for them with certs installed using GroupPolicy or ActiveDirectory? Is there a way that I can confirm that this build of Firefox actually includes these additional certificate locations?

    Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
    Mozilla-Central: https://hg.mozilla.org/mozilla-central/rev/a0b724958434