Compare Revisions
Setting Up Certificate Authorities (CAs) in Firefox
Revision 261312:
Revision 261312 by Mozinet on
Revision 287250:
Revision 287250 by AliceWyman on
Keywords:
firefox enterprise, certificate authorities, CAs
firefox enterprise, certificate authorities, CAs
Search results summary:
Learn how to set up certificate authorities in Firefox Enterprise.
Learn how to set up certificate authorities in Firefox Enterprise.
Content:
[[Template:Enterprise]]
If your organization uses private certificate authorities (CAs) to issue certificates for your internal servers, browsers such as Firefox might display errors unless you configure them to recognize these private certificates. This should be done early on, so your users won’t have trouble accessing websites.
You can add these CA certificates using one of the following methods.
=Using policies to import CA certificates (recommended)=
Starting with [[Find what version of Firefox you are using|Firefox version]] 64, an [[Customizing Firefox Using Group Policy (Windows)|enterprise policy]] can be used to add CA certificates to Firefox.
*Setting the ''ImportEnterpriseRoots'' key to '''true''' will cause Firefox to trust root certificates. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the {pref security.enterprise_roots.enabled} preference as described in the Built-in Windows and macOS Support section below.
*The ''Install'' key by default will search for certificates in the locations listed below. Starting in Firefox 65, you can specify a fully qualified path (see ''cert3.der'' and ''cert4.pem'' in [https://github.com/mozilla/policy-templates/blob/master/README.md#Certificates this example]). If Firefox does not find something at your fully qualified path, it will search the default directories:
**Windows
***%USERPROFILE%\AppData\Local\Mozilla\Certificates
***%USERPROFILE%\AppData\Roaming\Mozilla\Certificates
**macOS
***/Library/Application Support/Mozilla/Certificates
***~/Library/Application Support/Mozilla/Certificates
**Linux
***/usr/lib/mozilla/certificates
***/usr/lib64/mozilla/certificates
=Using built-in Windows and macOS support=
Setting the {pref security.enterprise_roots.enabled} preference to true in the ''about:config'' page will enable the Windows and macOS enterprise root support.
==Windows Enterprise Support==
Starting with version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator.
#[[Template:aboutconfig]]
#Search for the {pref security.enterprise_roots.enabled} preference.
#Click the ''Toggle'' [[Image:Fx71aboutconfig-ToggleButton]] button next to this preference to change its value to {pref true}.
#Restart Firefox.
Firefox will inspect the ''HKLM\SOFTWARE\Microsoft\SystemCertificates'' registry location (corresponding to the API flag ''CERT_SYSTEM_STORE_LOCAL_MACHINE'') for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although they may not appear in Firefox's certificate manager. Administration of these CAs should occur using built-in Windows tools or other third-party utilities.
'''Firefox version 52:''' Firefox will also search the registry locations ''HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'' and ''HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'' (corresponding to the API flags ''CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY'' and ''CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE'', respectively).
{note}'''Note:''' This setting only imports certificates from the Windows Trusted Root Certification Authorities store, not the corresponding Intermediate Certification Authorities store. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1473573 bug 1473573]. If you are experiencing ''unknown issuer'' errors even after enabling this feature, try configuring your TLS server to include the necessary intermediate certificates in the TLS handshake.{/note}
==macOS Enterprise Support==
Starting with Firefox 63, this feature also works for macOS by importing roots found in the macOS system keychain.
=Linux=
==Using p11-kit-trust<!-- -->.so on Linux==
Certificates can be programmatically imported by using ''p11-kit-trust<!-- -->.so'' from ''p11-kit'' (note that some distributions, such as Red Hat-based ones, already do this by default by shipping ''p11-kit-trust<!-- -->.so'' as ''libnssckbi<!-- -->.so'').
This can be done by setting the [https://github.com/mozilla/policy-templates#securitydevices SecurityDevices policy] in '''/etc/firefox/policies/policies.json''' and adding an entry pointing to the location of ''p11-kit-trust<!-- -->.so'' on the system, by manually adding it via the “Security Devices” manager in Preferences, or by using the modutil utility.
==Preload the Certificate Databases (new profiles only)==
Some people create a new profile in Firefox, manually install the certificates they need, and then distribute the resulting database files (''cert9.db'', ''key4.db'' and ''secmod.db'') into new profiles. This is not the recommended approach, and it only works for new profiles.
==Certutil==
You can use certutil to update the Firefox certificate databases from the command line. Check the [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil Microsoft support site] for more information.
[[Template:enterprise]]
If your organization uses private certificate authorities (CAs) to issue certificates for your internal servers, browsers such as Firefox might display errors unless you configure them to recognize these private certificates. This should be done early on, so your users won’t have trouble accessing websites.
You can add these CA certificates using one of the following methods.
=Using built-in Windows, macOS, and Android support (recommended)=
By default, Firefox on Windows, macOS, and Android will search for and make use of third-party CAs that have been added to the operating system's certificate store. So, if you have configured your operating system to trust your organization's private CAs, Firefox should trust those CAs with no additional configuration required. This feature can be controlled in the '''Privacy & Security''' tab of '''about:preferences''' using the ''Allow Firefox to automatically trust third-party root certificates you install'' checkbox. Alternatively, the {pref security.enterprise_roots.enabled} preference in '''about:config''' controls this feature.
==Windows Enterprise Support==
Starting with version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator.
#[[Template:aboutconfig]]
#Search for the {pref security.enterprise_roots.enabled} preference.
#Click the ''Toggle'' [[Image:Fx71aboutconfig-ToggleButton]] button next to this preference to change its value to {pref true}.
#Restart Firefox.
Firefox will inspect the ''HKLM\SOFTWARE\Microsoft\SystemCertificates'' registry location (corresponding to the API flag ''CERT_SYSTEM_STORE_LOCAL_MACHINE'') for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although they may not appear in Firefox's certificate manager. Administration of these CAs should occur using built-in Windows tools or other third-party utilities.
'''Firefox version 52:''' Firefox will also search the registry locations ''HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'' and ''HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'' (corresponding to the API flags ''CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY'' and ''CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE'', respectively).
{note}'''Note:''' This setting only imports certificates from the Windows Trusted Root Certification Authorities store, not the corresponding Intermediate Certification Authorities store. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1473573 bug 1473573]. If you are experiencing ''unknown issuer'' errors even after enabling this feature, try configuring your TLS server to include the necessary intermediate certificates in the TLS handshake.{/note}
==macOS Enterprise Support==
Starting with Firefox 63, this feature also works for macOS by importing roots found in the macOS system keychain.
=Using policies to import CA certificates=
Starting with [[Find what version of Firefox you are using|Firefox version]] 64, an [[Customizing Firefox Using Group Policy (Windows)|enterprise policy]] can be used to add CA certificates to Firefox.
*Setting the ''ImportEnterpriseRoots'' key to '''true''' will cause Firefox to trust root certificates. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the {pref security.enterprise_roots.enabled} preference as described in the section on built-in Windows, macOS, and Android support above.
*The ''Install'' key by default will search for certificates in the locations listed below. Starting in Firefox 65, you can specify a fully qualified path (see ''cert3.der'' and ''cert4.pem'' in [https://github.com/mozilla/policy-templates/blob/master/README.md#Certificates this example]). If Firefox does not find something at your fully qualified path, it will search the default directories:
**Windows
***%USERPROFILE%\AppData\Local\Mozilla\Certificates
***%USERPROFILE%\AppData\Roaming\Mozilla\Certificates
**macOS
***/Library/Application Support/Mozilla/Certificates
***~/Library/Application Support/Mozilla/Certificates
**Linux
***/usr/lib/mozilla/certificates
***/usr/lib64/mozilla/certificates
=Linux=
==Using p11-kit-trust<!-- -->.so on Linux==
Certificates can be programmatically imported by using ''p11-kit-trust<!-- -->.so'' from ''p11-kit'' (note that some distributions, such as Red Hat-based ones, already do this by default by shipping ''p11-kit-trust<!-- -->.so'' as ''libnssckbi<!-- -->.so'').
This can be done by setting the [https://github.com/mozilla/policy-templates#securitydevices SecurityDevices policy] in '''/etc/firefox/policies/policies.json''' and adding an entry pointing to the location of ''p11-kit-trust<!-- -->.so'' on the system, by manually adding it via the “Security Devices” manager in Preferences, or by using the modutil utility.
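The following script is an added example, not code from Mozilla or from this article. It assembles a policies.json that combines the two policies discussed above (the ''Certificates'' policy with ''ImportEnterpriseRoots'' and ''Install'', and the ''SecurityDevices'' policy pointing at p11-kit-trust) and previews, per platform, where Firefox would look for each ''Install'' entry using the default directories listed above. The policy key names are those documented in the mozilla/policy-templates README linked above; the certificate file names, the p11-kit-trust module path (it varies by distribution), the "p11-kit-trust" display name and the sample certificate bytes are constructed assumptions for illustration.

```python
"""Build a Firefox enterprise policies.json for a private PKI and preview the
certificate lookup. Added example, not Mozilla's code."""
import json
import re

# Default directories Firefox searches for Install entries that are bare file
# names, or whose fully qualified path has nothing at it (from the article, in
# the order listed there).
DEFAULT_CERT_DIRS = {
    "win32": [
        r"%USERPROFILE%\AppData\Local\Mozilla\Certificates",
        r"%USERPROFILE%\AppData\Roaming\Mozilla\Certificates",
    ],
    "darwin": [
        "/Library/Application Support/Mozilla/Certificates",
        "~/Library/Application Support/Mozilla/Certificates",
    ],
    "linux": [
        "/usr/lib/mozilla/certificates",
        "/usr/lib64/mozilla/certificates",
    ],
}


def build_policies(install, p11_kit_trust=None):
    """Return the policies.json document as a dict.

    ImportEnterpriseRoots is set to True (the recommended setting); Install is
    the list of file names or fully qualified paths; SecurityDevices is added
    only when a p11-kit-trust module path is given (Linux distro trust store).
    """
    policies = {
        "Certificates": {"ImportEnterpriseRoots": True, "Install": list(install)}
    }
    if p11_kit_trust:
        # Key is the display name shown in the Security Devices manager
        # (constructed here); value is the module path on this system.
        policies["SecurityDevices"] = {"p11-kit-trust": p11_kit_trust}
    return {"policies": policies}


def to_json(policies):
    """Serialize for /etc/firefox/policies/policies.json (or the Windows/macOS
    distribution/policies.json location)."""
    return json.dumps(policies, indent=2)


def _is_fully_qualified(entry, platform):
    if platform == "win32":
        # Drive-letter path (C:\ or C:/) or UNC path (\\server\share).
        return bool(re.match(r"^(?:[A-Za-z]:[\\/]|\\\\)", entry))
    return entry.startswith("/")


def resolve_cert(entry, platform, exists):
    """Mirror the lookup described in the article: try a fully qualified path
    first, then the platform's default directories for the bare file name.
    `exists` is injected so the lookup can run against a constructed file set
    (pass os.path.exists to check the real disk). Returns the first hit or None.
    """
    sep = "\\" if platform == "win32" else "/"
    candidates = [entry] if _is_fully_qualified(entry, platform) else []
    name = re.split(r"[\\/]", entry)[-1]
    candidates += [f"{d}{sep}{name}" for d in DEFAULT_CERT_DIRS[platform]]
    for path in candidates:
        if exists(path):
            return path
    return None


def looks_like_certificate(data):
    """Cheap pre-deployment sanity check on a file destined for Install.
    Firefox accepts PEM (.pem) and DER (.der). Returns "pem", "der" or None;
    only the leading bytes are inspected, this is not a parser."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    # A DER X.509 certificate is a SEQUENCE (tag 0x30) with a long-form length.
    if len(data) >= 2 and data[0] == 0x30 and data[1] & 0x80:
        return "der"
    return None


if __name__ == "__main__":
    # Constructed sample deployment: one bare name, one fully qualified path.
    pol = build_policies(
        ["corp-root.der", "/etc/pki/corp/corp-root.pem"],
        p11_kit_trust="/usr/lib64/pkcs11/p11-kit-trust.so",
    )
    print(to_json(pol))
    fake_fs = {"/usr/lib64/mozilla/certificates/corp-root.der"}.__contains__
    for item in pol["policies"]["Certificates"]["Install"]:
        print(item, "->", resolve_cert(item, "linux", fake_fs))
```

Running the script prints the policy document and shows that the bare name is found in ''/usr/lib64/mozilla/certificates'' while the fully qualified PEM path, absent from the constructed file set, resolves to nothing, which is exactly the situation that produces ''unknown issuer'' errors after deployment.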
==Preload the Certificate Databases (new profiles only)==
Some people create a new profile in Firefox, manually install the certificates they need, and then distribute the resulting database files (''cert9.db'', ''key4.db'' and ''secmod.db'') into new profiles. This is not the recommended approach, and it only works for new profiles.
==Certutil==
You can use certutil to update the Firefox certificate databases from the command line. Check the [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil Microsoft support site] for more information.