Upcoming Changes to Root Certificates in Firefox on Windows

For organizations interested in supporting Firefox on Windows in a managed environment, a longstanding hurdle has been that Firefox does not use the underlying platform’s certificate database when verifying TLS web server certificates. For Mozilla as an organization, maintaining a separate, transparent and open certificate authority program furthers its goal of fostering the open web. However, for users in managed environments attempting to connect to services that use non-public certificate hierarchies, this often results in a sub-optimal experience where Firefox will not connect while other browsers will.

To address this shortcoming, we have been developing an optional feature that, when enabled, will search the Windows certificate trust store for certificate authorities that have been added by the user or an administrator. If Firefox encounters any such CAs that are trusted to issue TLS web server certificates, it will incorporate those CAs into its own path building logic. When verifying a server certificate, if Firefox can find a path to one of those imported roots, the connection will succeed.

This feature is available in Firefox 49 and up (currently in beta). To give it a try, go to about:config, add the boolean preference security.enterprise_roots.enabled and set it to true. After that, Firefox should connect successfully to sites using certificates issued by third-party root certificates that have been added to the Windows trust database. Note that currently these root certificates will not appear in Firefox’s certificate manager, as they are intended to be managed from the interfaces provided by Windows itself. This may change in the future.
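As an added example (not Mozilla’s code, nor part of the original post), the script below inventories the Windows ROOT store using Python’s Windows-only ssl.enum_certificates() and keeps only roots that Windows trusts for server authentication, which is the candidate set described above; the selection rule is kept in its own function so it can be exercised offline with the constructed entries embedded here. Whether a given root was added by an administrator rather than shipped by Microsoft is an assumption the script does not check.

```python
import hashlib
import ssl

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def select_tls_roots(entries):
    """Filter (cert_bytes, encoding_type, trust) tuples, in the shape that
    ssl.enum_certificates() returns, down to roots usable for TLS servers.

    Windows reports trust as True (all purposes) or as a set of EKU OIDs.
    A root an admin restricted to, say, code signing is not a valid anchor
    for web server certificates and is dropped here.
    """
    selected = []
    for cert_der, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 containers
            continue
        if trust is True or (isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust):
            selected.append(cert_der)
    return selected


def fingerprints(cert_blobs):
    """SHA-256 fingerprints, for cross-checking against certmgr.msc."""
    return [hashlib.sha256(blob).hexdigest().upper() for blob in cert_blobs]


def windows_tls_roots(store="ROOT"):
    """Enumerate a Windows system store and return the selected fingerprints."""
    enum = getattr(ssl, "enum_certificates", None)  # only present on Windows
    if enum is None:
        raise OSError("ssl.enum_certificates() is only available on Windows")
    return fingerprints(select_tls_roots(enum(store)))


# Constructed sample entries (not real certificates) mimicking the tuples
# ssl.enum_certificates() yields, for running the filter on any platform.
SAMPLE_ENTRIES = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                     # all purposes
    (b"\x30\x03\x02\x01\x02", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),    # code signing only
    (b"\x30\x03\x02\x01\x03", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                   # wrong encoding
]

if __name__ == "__main__":
    try:
        roots = windows_tls_roots()
    except OSError:
        roots = fingerprints(select_tls_roots(SAMPLE_ENTRIES))
    for fp in roots:
        print(fp)
```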

But wait – there’s more! Using the same infrastructure, we have developed a similar feature to handle the case where Firefox is being used on an account that is monitored by the Microsoft Family Safety functionality in Windows 8.1. For background, this involves a local intercepting proxy that can log and/or block web traffic to and from an account. A similar feature existed briefly in Windows 10 but was reconfigured to only affect Edge. Starting with version 50, instead of showing the untrusted connection error page, Firefox should “just work”.

These features are still in the early stages, so if you encounter any unexpected behavior, please feel free to file a bug.

This has been a guest post from David Keeler, Mozilla Engineer.


35 thoughts on “Upcoming Changes to Root Certificates in Firefox on Windows”

  1. This is a good solution for some, but might not be right for all Enterprise customers.

    With that in mind, consider PolicyPak to utilize Group Policy to deliver and undeliver Firefox certificates, and... well... just about everything else important to Firefox.

    We will have a special blog post detailing Firefox 49’s Certificate management vs. PolicyPak’s Certificate management in the coming days.

    For now, though, you can go to http://www.policypak.com/products/manage-mozilla-firefox-with-group-policy.html and see the SECOND video down for a demonstration.

    We’ll update this post when our blog entry is up with an A to B comparison.

    • Testing this in our domain, we have been able to successfully test this in 1 PC out of about 5 PCs. So far, I would not say that this is a domain, and maybe even home, solution to certificate management.

      We have tested by manually enabling the preference, importing certificates as the user and by enabling the preference and installing certificates through a GPO, but regardless of the method, the same PC is the only 1 that will work correctly.

  2. I see that according to Bugzilla and Mozilla-Central that some additional certificate stores have been added for version 52.0 that include certificates installed using GroupPolicy or ActiveDirectory. I’m testing Nightly build 52.0a1 (2016-10-19), which should have these new stores, but my testing is still proving unsuccessful (doesn’t seem to be finding the certs).

    Can anyone confirm that it’s working for them with certs installed using GroupPolicy or ActiveDirectory? Is there a way that I can confirm that this build of Firefox actually includes these additional certificate locations?

    Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1289865
    Mozilla-Central: https://hg.mozilla.org/mozilla-central/rev/a0b724958434

  3. Except that this is absolutely not working, as of today on 50.1.0. Neither for AD GPO nor local machine cert store; either works correctly in IE. Can be set in about:config but has no effect.

  4. Is there a way to enable this from the mozilla.cfg file while doing a custom install, or is the only way to set it manually via the config menu?

  5. Is this feature still in beta? I’m considering rolling this out in my workplace, but I don’t want to deploy a feature in beta. Is there a timeframe or a web page with a roadmap?

  6. Hi David,

    Have there been any improvements with the latest FF version 55? I have version 55 on my test Win 10 laptop and what you have stated above works as advertised. So from here it’s just a matter of using CCK2 to manage hundreds of Win 10 laptops to make that small config change, right?

    Thank you!

    • Firefox 55 is looking great. Fast. If this is the only change you need to make, CCK2 might be overkill for you. Check out my posts on Autoconfig.