Problem updating internal CA certificate

[ateuber]

Description:

I'm using the GPO for Firefox as described in Mozilla Policy Templates. After renewing our internal CA certificate and replacing the .pem file in \\local.example.com\sysvol\certs, Firefox shows an error that the certificate could not be installed.

Problem: The new CA certificate is not installed until the old CA certificate is manually removed from Firefox and the browser is restarted.

Steps to Reproduce:

1. Renew the internal CA certificate.
2. Replace the old .pem file with the new one in \\local.example.com\sysvol\certs.
3. Open Firefox and observe the error.

Expected Behavior: Firefox should automatically replace the old CA certificate with the new one via GPO without manual intervention.

Actual Behavior: The new CA certificate is not installed until the old one is manually removed and Firefox is restarted.

Related Issue: Similar issue found: GitHub Issue #805. However, since the CA certificate is easy to identify, updating it should be simpler and should not require manual deletion.

Environment:

• Firefox version: 129.0
• Windows version: Windows 10
• Policy templates version: 6.0

Any insights for a seamless update via GPO would be appreciated. Thank you.

[mkaply]

It's actually not easy to identify the cert without information about it.

Although from what you're experience, it sounds like you might be reusing the serial or issuer which isn't correct.

It would probably be easier to use the OS certificate store and avoid these issues.

[ateuber]

Thank you for your reply!

You are right, I accidentally reused the serial. I thought I checked it, but seems like I got a bit confused.

Now the new CA certificate is getting installed next to the old CA certificate. That's good enough for me.

Maybe the OS certificate store is easier, but I don't want to waste time on it now. Here everyone uses Firefox anyway.