mozilla / policy-templates

Policy Templates for Firefox
Mozilla Public License 2.0

CA certificate won't import using plist #620

Open paulashbrook opened 4 years ago

paulashbrook commented 4 years ago

Hello, My department has a CA certificate that we deploy to Mac devices, along with corporate certificates. All are in .pem format. When using a .plist policy file, the corporate certs will import to Firefox's cert store, but the departmental one won't. However, the same certificate WILL import manually from "Preferences" -> "Privacy & Security" -> "View Certificates".

What is the specification for certificates to be imported by policy? How can I get some debugging information or log for when Firefox starts up and applies the policy file?

Any help will be appreciated, thanks.

mkaply commented 4 years ago

So we just found this with someone else:

https://bugzilla.mozilla.org/show_bug.cgi?id=1642789

Does your certificate have extra stuff before the BEGIN/END?

paulashbrook commented 4 years ago

Hi. That's interesting.

A corporate cert that does get imported:

# cat fred-ca-staff.pem 
Subject: C=GB, L=London, O=FredCorporation, OU=FRED CA, CN=FRED CA - Staff, emailAddress=ca-admin@fred.co.uk
Issuer: C=GB, L=London, O=FredCorporation, OU=FRED CA, CN=FRED CA - Root
-----BEGIN CERTIFICATE-----

Our departmental one that fails to import:

# cat bbcrd-lt.pem
-----BEGIN CERTIFICATE-----

mkaply commented 4 years ago

Weird. The first one shouldn't work either.

But if you remove everything before the -----BEGIN CERTIFICATE, it should work.

I'll get this patch uplifted everywhere I can.

paulashbrook commented 4 years ago

I'll look out for the patch and retest. Thanks for your response.

paulashbrook commented 4 years ago

I can confirm, though, that there is nothing before or after the certificate content itself in the PEM file.

Are there any specifications for auto-imported certs, other than DER or PEM format? Any difference between .plist and .json import methods? And finally, any tips on diag gathering?

mkaply commented 4 years ago

Can you try making the cert just the base64 content on one line with nothing else and see if it imports?

Unfortunately we don't have good errors right now for this import.

There is no difference between the plist and JSON import methods.

When we have a new nightly with the fix, you can try that and see if it works.

paulashbrook commented 4 years ago

Here's a funny thing... If I add some text preamble to the beginning of the certificate PEM file - Subject and Issuer lines - then Firefox WILL import the cert on startup.

So, is there a validation check for the text before the import routine?

mkaply commented 4 years ago

There isn't. It's a simple conversion:

https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/Policies.jsm#2152

(The (.*) is that new code).

I guess I need to spend more time with that function?
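A tolerant PEM-to-DER conversion of the kind this thread is circling around, as an added example that is not the Policies.jsm code linked above nor part of policy-templates: it ignores any text before the BEGIN marker (so a file with Subject/Issuer lines prepended still converts), accepts CRLF and 64-column wrapping, and returns null instead of importing garbage when the END marker is missing or the body is not base64. The certificate bodies are constructed DER fragments, not real certificates.

```javascript
// Added example (Node.js); not the project's own code. Converts PEM text to DER bytes.
const BEGIN = "-----BEGIN CERTIFICATE-----";
const END = "-----END CERTIFICATE-----";

function pemToDer(text) {
  const start = text.indexOf(BEGIN);
  if (start === -1) return null; // no PEM armor: caller may treat the file as raw DER
  const bodyStart = start + BEGIN.length;
  const end = text.indexOf(END, bodyStart);
  if (end === -1) return null; // truncated file: END marker never appears
  // Drop all whitespace so line wrapping and CRLF endings do not matter.
  const b64 = text.slice(bodyStart, end).replace(/\s+/g, "");
  // Reject anything that is not canonical base64 rather than decode it silently.
  if (b64.length === 0 || b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
    return null;
  }
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Constructed sample: a tiny DER SEQUENCE { INTEGER 1, PrintableString "a" }.
// It is not a certificate; it only gives the conversion something to round-trip.
const SAMPLE_DER = Uint8Array.from([0x30, 0x06, 0x02, 0x01, 0x01, 0x13, 0x01, 0x61]);
const SAMPLE_B64 = Buffer.from(SAMPLE_DER).toString("base64");

// The three file shapes discussed in the thread, all constructed here.
const PEM_PLAIN = `${BEGIN}\n${SAMPLE_B64}\n${END}\n`;
const PEM_WITH_PREAMBLE =
  "Subject: C=GB, O=Example, CN=Example CA\r\n" +
  "Issuer: C=GB, O=Example, CN=Example Root\r\n" +
  `${BEGIN}\r\n${SAMPLE_B64}\r\n${END}\r\n`;
const PEM_TRUNCATED = `${BEGIN}\n${SAMPLE_B64}\n`; // END marker cut off

// Returns true when a PEM text decodes to exactly the expected DER bytes.
function roundTrips(pemText, expectedDer) {
  const der = pemToDer(pemText);
  return der !== null && Buffer.from(der).equals(Buffer.from(expectedDer));
}

function main() {
  console.log("plain:", roundTrips(PEM_PLAIN, SAMPLE_DER));
  console.log("with preamble:", roundTrips(PEM_WITH_PREAMBLE, SAMPLE_DER));
  console.log("truncated:", pemToDer(PEM_TRUNCATED));
}
main();
```

Running it prints true for both the plain and the preamble variants and null for the truncated file, which is the distinction a policy loader needs in order to report a usable error instead of silently skipping the certificate.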