Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Deploy certificate for all users of Firefox using Microsoft's Group Policy

  • 4 replies
  • 45 have this problem
  • 1 view
  • Last reply by cor-el

more options

Hi, I'm a network admin for a school (~900 computers and ~1600 users) and need to deploy a certificate so that any user on any computer trusts it.

We are mostly WinXPSP3 and have IE8 and FF3.6 as part of our image. We installed a new web filter/proxy that is able to filter HTTPS (most can't) which means all HTTPS traffic now goes to this server which then makes the request to the Internet ie the user's computer never connects directly to the web server. Without anything being done the user is presented with the usual Firefox warning saying the website eg Internet banking isn't trusted and asks if the user wants to continue. This is because they are connecting to the proxy not the web server. To get around this the user must trust the certificate from the proxy. The user never sees the certificate from the web server but the proxy will check the web server's certificate to ensure it is valid.

Using Group Policy we have deployed this trusted certificate to all computers and this allows IE, Safari, Opera and Chrome to work as they use the certificates with IE. But Firefox works completely differently and has it's own certificate database in %userprofile%\Applcation Data\Mozilla\Firefox\Profile\xxxxx.default\cert8.db.

We could create a base cert8.db file and copy it to the user's folder but there are 2 problems with this - 1) the xxxxx.default folder is not always the same and 2) it would overwrite the user's existing file which would erase any certificates they'd installed.

We could create a new SOE image with the certificate installed but that would mean rebuilding ~900 computers and is therefore not a valid option.

We need to find a way to deploy this certificate to all computers which would allow any user to be able to trust it. How can this be accomplished?

Hi, I'm a network admin for a school (~900 computers and ~1600 users) and need to deploy a certificate so that any user on any computer trusts it. We are mostly WinXPSP3 and have IE8 and FF3.6 as part of our image. We installed a new web filter/proxy that is able to filter HTTPS (most can't) which means all HTTPS traffic now goes to this server which then makes the request to the Internet ie the user's computer never connects directly to the web server. Without anything being done the user is presented with the usual Firefox warning saying the website eg Internet banking isn't trusted and asks if the user wants to continue. This is because they are connecting to the proxy not the web server. To get around this the user must trust the certificate from the proxy. The user never sees the certificate from the web server but the proxy will check the web server's certificate to ensure it is valid. Using Group Policy we have deployed this trusted certificate to all computers and this allows IE, Safari, Opera and Chrome to work as they use the certificates with IE. But Firefox works completely differently and has it's own certificate database in %userprofile%\Applcation Data\Mozilla\Firefox\Profile\xxxxx.default\cert8.db. We could create a base cert8.db file and copy it to the user's folder but there are 2 problems with this - 1) the xxxxx.default folder is not always the same and 2) it would overwrite the user's existing file which would erase any certificates they'd installed. We could create a new SOE image with the certificate installed but that would mean rebuilding ~900 computers and is therefore not a valid option. We need to find a way to deploy this certificate to all computers which would allow any user to be able to trust it. How can this be accomplished?

All Replies (4)

more options

I have the same problem too. I need to deploy a certificate for 2,000 computers using Firefox and I hope I do not have to do them manually. Please need help.

more options

The link below provides a batch file and a VB script for automating the FF certificate install process which should not overwrite the existing file and should take into account the profile names. Let us know if you have good success with it!

http://www.appdeploy.com/messageboards/tm.asp?m=52532

Thanks!

more options

How are you handling Safari on Macs, can you do a GPO to a Mac?

Also, what about BYOD initiatives with guest users bringing in iOS, Android, etc devices?

more options