Closed Clickbaitcake closed 2 years ago
This issue looks similar. I think FF isn’t importing the intermediates although Chrome and Edge are....
This is almost certainly an issue on my side and not Firefox but what it is I cannot tell.
Is there a logfile I can check? @mkaply
This is sadly a big issue for us too
Is the error you get connecting to your site the exact same error you get if the certificate isn't installed at all?
To get some logs, you can set the environment variables MOZ_LOG to "pipnss:4,certverifier:4" and MOZ_LOG_FILE to a local file.
See:
https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Gecko_Logging
We're investigating ways to make these errors easier to see.
> Is the error you get connecting to your site the exact same error you get if the certificate isn't installed at all?
Yes error is the same:
_MOZILLA_PKIX_ERROR_MITMDETECTED
> To get some logs, you can set the environment variables MOZ_LOG to "pipnss:4,certverifier:4" and MOZ_LOG_FILE to a local file.
> See:
> https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Gecko_Logging
> We're investigating ways to make these errors easier to see.
I am trying but failing to understand this. I have tried some Windows commands but the log file never populates.
```
set MOZ_LOG=pipnss:4,certverifier:4
set MOZ_LOG_FILE="c:\logs\log.txt"
```
Are these correct in CMD? I'd be happy to write up a guide for this for you guys, once I understand it.
set MOZ_LOG=pipnss:4,certverifier:4
I don't think this setting is taking hold from my command. I can't see it after checking the output of SET.
Will keep trying to crack it.
I now have the following variables set for my user account:
```
MOZ_LOG=pipnss:4,certverifier:4
MOZ_LOG_FILE=C:\logs\logs.txt
```
But the logs.txt does not fill with any information at all when starting Firefox.
@mkaply It seems no matter which way I go about these settings nothing is written to the log file. Am I missing something?
Strange. I just tested both of these (I set the environment variables before starting Firefox) and I get lots of information in the log file.
Do you get a logs.txt file at all? Is it possible there is no write access to c:\logs?
Can you try something in a user directory?
Howdy Mike,
I do not get a logs.txt at all, I also tried to create it manually but no logs are showing.
I have just tried again, this time I used these commands at the Windows CMD:
```
set MOZ_LOG=pipnss:4,certverifier:4
set MOZ_LOG_FILE=C:\Users\adminabc\Desktop\log.txt
```
When starting Firefox the log.txt file is not created. I created it manually but it does not get populated.
To check my commands were working I opened Windows CMD and typed SET. The output looks like this:
```
MOZ_LOG=pipnss:4,certverifier:4
MOZ_LOG_FILE=C:\Users\adminccc\Desktop\log.txt
```
The settings are setting but the log file just won't write.
I must be doing something wrong?
I have tried to generate the log on a freshly imaged Windows 1803 machine but that log won't write. I must be missing something simple.
I'm at a complete loss. I tried your steps exactly and it worked for me. I even used the same paths and capitalization.
For whatever reason using the CMD command `set` was not working.
I managed to get the log by setting the variables in the Windows GUI (System Properties > Advanced > Environment Variables).
The log is below. I replaced my company with COMPANYNAME. Does anything stand out? I am unsure what I am looking for!
```
[Parent 12208: Main Thread]: D/pipnss nsNSSComponent::ctor
[Parent 12208: Main Thread]: D/pipnss Beginning NSS initialization
[Parent 12208: Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[Parent 12208: Main Thread]: D/pipnss NSS Initialization beginning
[Parent 12208: Main Thread]: D/pipnss NSS profile at 'C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\HQ941K~1.DEF'
[Parent 12208: Main Thread]: D/pipnss not setting NSS_SDB_USE_CACHE
[Parent 12208: Main Thread]: D/pipnss inSafeMode: 0
[Parent 12208: Main Thread]: D/certverifier InitializeNSS(sql:C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\HQ941K~1.DEF, 0, 1)
[Parent 12208: Main Thread]: D/pipnss initialized NSS in r/w mode
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'SERVER.COMPANYNAME.com'
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority'
[Parent 12208: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'Microsoft Root Authority'
[Parent 12208: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority 2011'
[Parent 12208: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'Microsoft Root Certificate Authority 2010'
[Parent 12208: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'COMPANYNAME Root CA'
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'DigiCert Assured ID Root CA'
[Parent 12208: Main Thread]: D/pipnss imported 7 roots
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'OTHER_COMPANYNAME'
[Parent 12208: Main Thread]: D/pipnss imported 1 roots
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'COMPANYNAME Root CA'
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'COMPANYNAME Root CA'
[Parent 12208: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth
[Parent 12208: Main Thread]: D/pipnss Imported 'COMPANYNAME Root CA'
[Parent 12208: Main Thread]: D/pipnss imported 3 roots
[Parent 12208: Main Thread]: D/pipnss NSS Initialization done
[Parent 12208: Main Thread]: D/pipnss nsNSSComponent: adding observers
[Parent 12208: LoadRoots]: D/pipnss loaded CKBI from C:\PROGRA~1\MOZILL~1
[Parent 12208: Socket Thread]: D/pipnss [0000018363972430] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss [0000018363972430] Socket set up
[Parent 12208: Socket Thread]: D/pipnss [0000018363972430] connecting SSL socket
[Parent 12208: Socket Thread]: E/pipnss [0000018363972430] Lower layer connect error: -5934
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94C70] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94C70] Socket set up
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94C70] connecting SSL socket
[Parent 12208: Socket Thread]: E/pipnss [0000018363B94C70] Lower layer connect error: -5934
[Parent 12208: Socket Thread]: D/pipnss [00000183610DBCA0] starting AuthCertificateHook
[Parent 12208: SSL Cert #1]: D/pipnss [0000018363B10310] SSLServerCertVerificationJob::Run
[Parent 12208: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/pipnss [00000183610DBCA0][0000018363B97420] Before dispatching CertErrorRunnable
[Parent 12208: Main Thread]: D/pipnss [00000183610DBCA0][0000018363B97420] top of CheckCertOverrides
[Parent 12208: Main Thread]: D/pipnss [00000183610DBCA0][0000018363B97420] HSTS or HPKP - no overrides allowed
[Parent 12208: Main Thread]: D/pipnss [00000183610DBCA0][0000018363B97420] Certificate error was not overridden
[Parent 12208: Socket Thread]: D/pipnss [0000018363972430] polling SSL socket right after certificate verification failed or NSS shutdown or SDR logout 6
[Parent 12208: Socket Thread]: D/pipnss [0000018363972430] Shutting down socket
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94D30] starting AuthCertificateHook
[Parent 12208: SSL Cert #1]: D/pipnss [0000018363B10480] SSLServerCertVerificationJob::Run
[Parent 12208: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/pipnss [0000018363B94D30][000001836466F840] Before dispatching CertErrorRunnable
[Parent 12208: Main Thread]: D/pipnss [0000018363B94D30][000001836466F840] top of CheckCertOverrides
[Parent 12208: Main Thread]: D/pipnss [0000018363B94D30][000001836466F840] HSTS or HPKP - no overrides allowed
[Parent 12208: Main Thread]: D/pipnss [0000018363B94D30][000001836466F840] Certificate error was not overridden
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94C70] polling SSL socket right after certificate verification failed or NSS shutdown or SDR logout 6
[Parent 12208: Socket Thread]: D/pipnss [0000018363B94C70] Shutting down socket
[Parent 12208: Socket Thread]: D/pipnss [00000183646EE910] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss [00000183646EE910] Socket set up
[Parent 12208: Socket Thread]: D/pipnss [00000183646EE910] connecting SSL socket
[Parent 12208: Socket Thread]: E/pipnss [00000183646EE910] Lower layer connect error: -5934
[Parent 12208: Socket Thread]: D/pipnss [00000183646EEA00] starting AuthCertificateHook
[Parent 12208: SSL Cert #1]: D/pipnss [0000018363B10310] SSLServerCertVerificationJob::Run
[Parent 12208: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 12208: SSL Cert #1]: D/certverifier OCSPCache::Get(0000002FAE93E400,"") not in cache
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: caching OCSP response
[Parent 12208: SSL Cert #1]: D/certverifier OCSPCache::Put(0000002FAE93EA30, "") added to cache
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: stapled OCSP response: good
[Parent 12208: SSL Cert #1]: D/pipnss AuthCertificate setting NEW cert 000001836405E1A0
[Parent 12208: Socket Thread]: D/pipnss [00000183646EE910] nsNSSSocketInfo::NoteTimeUntilReady
[Parent 12208: Socket Thread]: D/pipnss CanFalseStartCallback [00000183646EEA00] ok
[Parent 12208: Socket Thread]: D/pipnss [00000183646EEA00] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[Parent 12208: Socket Thread]: D/pipnss [00000183646EE910] nsNSSSocketInfo::SetHandshakeCompleted
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0250] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0250] Socket set up
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0250] connecting SSL socket
[Parent 12208: Socket Thread]: E/pipnss [00000183646A0250] Lower layer connect error: -5934
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0340] starting AuthCertificateHook
[Parent 12208: SSL Cert #1]: D/pipnss [0000018363B10480] SSLServerCertVerificationJob::Run
[Parent 12208: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 12208: SSL Cert #1]: D/pipnss [00000183646A0340][0000018364087200] Before dispatching CertErrorRunnable
[Parent 12208: Main Thread]: D/pipnss [00000183646A0340][0000018364087200] top of CheckCertOverrides
[Parent 12208: Main Thread]: D/pipnss [00000183646A0340][0000018364087200] HSTS or HPKP - no overrides allowed
[Parent 12208: Main Thread]: D/pipnss [00000183646A0340][0000018364087200] Certificate error was not overridden
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0250] polling SSL socket right after certificate verification failed or NSS shutdown or SDR logout 6
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0250] Shutting down socket
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0700] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0700] Socket set up
[Parent 12208: Socket Thread]: D/pipnss [00000183646A0700] connecting SSL socket
[Parent 12208: Socket Thread]: E/pipnss [00000183646A
```
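An added example, not part of the original thread and not Mozilla code: a Python script that reads a `pipnss` log shaped like the one posted above, including one whose newlines were lost when pasted, and reports which enterprise roots Firefox logged as imported so they can be compared with the CAs you expected. The sample log lines, CA names and function names are constructed for illustration.

```python
import re

# One entry looks like "[Parent 12208: Main Thread]: D/pipnss <message>".
# Pasted logs often lose their newlines, so an entry ends where the next
# "[<process> <pid>: <thread>]: <level>/" prefix begins, not at end of line.
ENTRY = re.compile(
    r"\[\w+ \d+: (?P<thread>[^\]]+)\]: (?P<level>[A-Z])/(?P<module>\w+) "
    r"(?P<msg>.*?)(?=\s*\[\w+ \d+: [^\]]+\]: [A-Z]/|\s*\Z)",
    re.S,
)


def summarize(log_text):
    """Collect enterprise-root import results and TLS outcomes from a pipnss log."""
    summary = {"imported": [], "skipped": 0, "cert_errors": 0, "handshakes_ok": 0}
    for entry in ENTRY.finditer(log_text):
        if entry["module"] != "pipnss":
            continue
        msg = entry["msg"]
        name = re.fullmatch(r"Imported '(.*)'", msg)
        if name:
            summary["imported"].append(name[1])
        elif msg.startswith("skipping cert not trust anchor"):
            # The log does not name the certificate that was skipped.
            summary["skipped"] += 1
        elif msg.endswith("Certificate error was not overridden"):
            summary["cert_errors"] += 1
        elif "HandshakeCallback: succeeded" in msg:
            summary["handshakes_ok"] += 1
    return summary


def missing_roots(summary, expected_names):
    """Expected CA names that never appear in an "Imported '...'" entry."""
    seen = set(summary["imported"])
    return [name for name in expected_names if name not in seen]


# Constructed sample: the first five entries are run together on one line,
# the way the log in this thread was pasted.
SAMPLE_LOG = (
    "[Parent 4242: Main Thread]: D/pipnss certificate is trust anchor for TLS server auth "
    "[Parent 4242: Main Thread]: D/pipnss Imported 'Example Corp Root CA' "
    "[Parent 4242: Main Thread]: D/pipnss certificate not trust anchor for TLS server auth "
    "[Parent 4242: Main Thread]: D/pipnss skipping cert not trust anchor for TLS server auth "
    "[Parent 4242: Main Thread]: D/pipnss imported 1 roots\n"
    "[Parent 4242: Socket Thread]: D/pipnss [00000000DEADBEEF] connecting SSL socket\n"
    "[Parent 4242: Main Thread]: D/pipnss [00000000DEADBEEF][00000000CAFEF00D] "
    "Certificate error was not overridden\n"
)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    print("expected but not imported:",
          missing_roots(result, ["Example Corp Root CA", "Example Corp Issuing CA 1"]))
```

A CA that sits only in the Windows intermediate store never shows up as an `Imported` entry, which is the symptom the rest of this thread tracks down.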
Hey @mkaply I worked with our local Microsoft Guru to troubleshoot this and he immediately spotted the issue. When we import our Intermediate certificate into the Trusted Root Certification Authorities store and start Firefox everything works as expected!
Firefox is only looking at the Trusted Root Certification Authorities and not the Intermediate Store in Windows.
Could Firefox be changed so that it imports from both locations? It does not make sense for anyone to install intermediates into the root folder.
This has come up before. I'll bring it up again.
Should I raise a Mozilla Bugzilla bug?
We are in the same boat because our security team is “only” pushing the proxy certificate to the intermediary store!
PS: the certificate in our intermediary cert auth contains all 3 certs needed, if this helps.
And manually importing works just fine
> And manually importing works just fine
Yes same here, manual import is workaround but not scalable to hundreds of user endpoints. I think we will have to push the intermediate to the Root Store via Group Policy as a workaround for the time being. Hopefully the bug report gets pushed into production.
Thanks for your help so far @mkaply !
Note we're adding importing of certs via policy into Firefox 64 (and hopefully 60.4).
Not a great solution, but a solution. We're still investigating the bug.
Thank you for pushing through with us @mkaply! Our whole team awaits news eagerly!
When can we expect the release?
Certificate import will be in Firefox 64 December 11. And hopefully ESR 60.4 on the same date.
Ok thanks. Btw is there a way to receive an alert when it's released? Are the policies for 60.4 going to be released the same day? Is the import intermediary fixed in the latest nightly build?
I mean, is there a changelog we can check?
> Btw is there a way to receive an alert when it's released?
You could subscribe to the release feed on Github - https://github.com/mozilla/policy-templates/releases.atom - to know when the policy is released.
As far as Firefox releases, we have official way of notification, but we announce them on the enterprise mailing list.
> Are the policies for 60.4 going to be released the same day?
Usually right before.
> Is the import intermediary fixed in the latest nightly build?

No. We're still looking at how to fix that. Only thing fixed in nightly is certificate importing.
> Note we're adding importing of certs via policy into Firefox 64 (and hopefully 60.4).
> Not a great solution, but a solution. We're still investigating the bug.
I am a little confused by this!
Would this mean we tell Firefox which certs to import specifically instead of relying on its import mechanism?
Well, my workaround till this gets fixed is using:
```js
var Cc = Components.classes;
var Ci = Components.interfaces;
// Certificate database service used to add the certificate.
var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
var certdb2 = certdb;
// Keep using the same service if the nsIX509CertDB2 interface is not available.
try {
  certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
} catch (e) {}
var cert = "MIIXXXXXXXXXNYM53"; // This should be the certificate content with no line breaks at all.
// Second argument: trust flags in NSS order (SSL, e-mail, object signing).
certdb.addCertFromBase64(cert, "c,,", "");
```
Don't know if it's possible to import more than only one key value though.
Thanks for providing this @vartaxe. Where do these settings go? A config file?
> Would this mean we tell Firefox which certs to import specifically instead of relying on its import mechanism?
Yes. It effectively does the code that @vartaxe just posted (which would go in an Autoconfig file)
Sounds great @mkaply I will wait for these policies to come out instead of setting up workaround. Thank you for fixing this. My organisation are very close to ruling out Firefox at this point, I hope I can get this in and let it stay. Thank you for your persistence.
Hopefully the Bugzilla thing can be fixed at a later time too!
> My organisation are very close to ruling out Firefox at this point, I hope I can get this in and let it stay.
If they'd like to talk to someone at Mozilla about this, I'd be very happy to do that.
> > My organisation are very close to ruling out Firefox at this point, I hope I can get this in and let it stay.
>
> If they'd like to talk to someone at Mozilla about this, I'd be very happy to do that.
If that would help your great work in pushing Firefox for enterprise then we are all for it!
> Certificate import will be in Firefox 64 December 11. And hopefully ESR 60.4 on the same date.

Hi Mike, hope you are well. Can you confirm if this feature made it in?
yes, certificate import is in the ESR.
Hi Mike, thanks for getting back to me.
The documentation says:
> Certificates can be located in the following locations:
> - %USERPROFILE%\AppData\Local\Mozilla\Certificates
> - %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
Does this mean that right now I must have my certification in one of these locations?
In Firefox 65, you can specify a fully qualified path.
Does this mean in 65 I could use another location, such as an SMB share?
Thanks!
> Does this mean that right now I must have my certification in one of these locations?
For ESR right now, yes.
> Does this mean in 65 I could use another location, such as an SMB share?
Yes. The last patch to allow fully qualified paths didn't make it into 64 (or ESR 60.4)
Thanks @mkaply according to this release calendar 65 will be released 2019-01-29. If I understand correctly this release will allow the fully qualified paths?
Sorry for being pedantic, I am struggling to keep my Firefox afloat at my organization because of this issue. I hope to give managerial staff as much detail as possible.
> Thanks @mkaply according to this release calendar 65 will be released 2019-01-29. If I understand correctly this release will allow the fully qualified paths?
And it's no problem at all.
You could also use some sort of symbolic link to point to the file in the other location.
Just tried putting all our 4 certs (Firefox 64.0 and ESR 60.4.0): root cer, ca1 cer, ca2 cer, proxy cer in %USERPROFILE%\AppData\Local\Mozilla\Certificates and %USERPROFILE%\AppData\Roaming\Mozilla\Certificates without success... I also tried with the latest nightly build (firefox-66.0a1.en-US.win64.installer.msi), same result... this really doesn't smell good even for the upcoming 65...
Did you update your policy file to point to those files?
I thought policy wouldn't be needed for those locations and would be out of the box default location.
That would be a performance hit to look in multiple locations for all files.
You need to specify the names of the files in policy in Certificates->Install
Not multiple locations, but since it was told that location I thought that it wasn't required to add it ^^ I will give it a try.
Hi, thanks, it works that way. PS: they will show up under "your certificates"... when installing manually they would go to "authorities" and we could edit trust to only identify websites.
I just tested importing our certs from a UNC path with the latest version of the ADMX from this repo and Firefox version 65.
The only way I could get it working was by using double backslashes in the path: \SERVER\CERTS\CERTS\cert.pem
Also the certificate has to be in PEM or DER format or it did not work.
I think this can be closed but the Read Me/Documentation needs updating. I will do a pull request.
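An added example, not from the thread or from Mozilla: a Python pre-deployment check that follows the two findings above, namely that the file names must be listed under `Certificates` → `Install` and that only PEM or DER certificates worked. It classifies each candidate file by structure and writes a `policies.json` body listing only the usable ones; the file names and byte strings are constructed stand-ins, and the structural test is a sanity check rather than full X.509 parsing.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def _tlv(buf):
    """Return (tag, header_len, content_len) for the DER element at buf[0], or None."""
    if len(buf) < 2:
        return None
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(buf[2:2 + n], "big")


def is_x509_der(buf):
    """Structural check only: a SEQUENCE filling the buffer whose first member
    is a SEQUENCE (tbsCertificate). PKCS#7 starts with an OID and PKCS#12
    with an INTEGER, so both are rejected."""
    outer = _tlv(buf)
    if outer is None or outer[0] != 0x30 or outer[1] + outer[2] != len(buf):
        return False
    inner = _tlv(buf[outer[1]:])
    return inner is not None and inner[0] == 0x30


def cert_format(data):
    """Return "PEM", "DER" or None for the raw bytes of a candidate file."""
    block = PEM_BLOCK.search(data)
    if block:
        try:
            der = base64.b64decode(b"".join(block[1].split()), validate=True)
        except ValueError:
            return None
        return "PEM" if is_x509_der(der) else None
    return "DER" if is_x509_der(data) else None


def build_policy(files):
    """files maps file name -> bytes. Returns (policies dict, rejected names)."""
    install = [name for name, data in files.items() if cert_format(data)]
    rejected = [name for name in files if name not in install]
    policy = {"policies": {"Certificates": {
        "ImportEnterpriseRoots": True, "Install": install}}}
    return policy, rejected


# Constructed stand-ins with the right outer structure, not real certificates.
_DER = bytes.fromhex("3003300100")
SAMPLE_FILES = {
    "rootca.der": _DER,
    "issuingca.pem": b"-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(_DER) + b"\n-----END CERTIFICATE-----\n",
    "chain.p7b": bytes.fromhex("300b06092a864886f70d010702"),  # PKCS#7 header
}

if __name__ == "__main__":
    policy, rejected = build_policy(SAMPLE_FILES)
    print(json.dumps(policy, indent=2))
    print("not a PEM/DER X.509 certificate:", rejected)
```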
I have version 60.5.1 ESR. However, it still doesn't work with the latest ADMX data.
I have activated the 2 GPO settings.
1) install certificate (%userprofile%\appdata\local\mozilla\certificates\rootca.cer) the same with the intermediate. The same also in the ROAMING folder.
2) Use Windows Cert..
But without success...?
Hello again,
This is a re-post of 288 because my lab conditions were tainted and tests not valid.
I am using GPO to set ImportEnterpriseRoots setting. Under about:policies the setting is true and locked but our enterprise root cert is not being imported.
Are there any logs I can check or some way to diagnose why the cert is not being imported?
Thanks!