Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Trang web này sẽ có chức năng hạn chế trong khi chúng tôi trải qua bảo trì để cải thiện trải nghiệm của bạn. Nếu một bài viết không giải quyết được vấn đề của bạn và bạn muốn đặt câu hỏi, chúng tôi có cộng đồng hỗ trợ của chúng tôi đang chờ để giúp bạn tại @FirefoxSupport trên Twitter và /r/firefox trên Reddit.

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

can't deploy private CA with GPO

  • 18 trả lời
  • 5 gặp vấn đề này
  • 9 lượt xem
  • Trả lời mới nhất được viết bởi Mike Kaply

more options

Hi all

I'm trying to deploy my public CA to my Firefox on Windows enviroment. We need because I have set up a SSL inspection that resign public certs of websites in order to perform inspection.

The CA cert is deployed through a GPO to every computer's store, and then, a policy from custom Firefox ESR admx's is telling clients to use Windows certificate store. But no way is working. I can't see the cert imported.

My public CA cert is deployed in the store, inside the folders you can see in the screen and i checked every computer had received it correctly.

Please help!! Thanks

Hi all I'm trying to deploy my public CA to my Firefox on Windows enviroment. We need because I have set up a SSL inspection that resign public certs of websites in order to perform inspection. The CA cert is deployed through a GPO to every computer's store, and then, a policy from custom Firefox ESR admx's is telling clients to use Windows certificate store. But no way is working. I can't see the cert imported. My public CA cert is deployed in the store, inside the folders you can see in the screen and i checked every computer had received it correctly. Please help!! Thanks
Đính kèm ảnh chụp màn hình

Tất cả các câu trả lời (18)

more options

Hello Dark345,

You posted this 5 days ago and haven't received any response yet (sorry .... )

I am a complete layman in this area, but my posting here just might promp the experts to come up with a perfect solution for you .....

In the mean time : this article is all I could find, and may not even come close to what you are looking for :

https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/

more options

unfortunately modifying security.enterprise_roots.enabled to TRUE is a legacy solution, it seems. Now with new Firefox ESR 60.X it can be deployed using Windows GPO.

Infact, setting the GPO to enabled, as I did, it triggers security.enterprise_roots.enabled to be TRUE and locked. But my certificates aren't imported.

more options

So a couple things could be going on here.

1. We weren't reading intermediate certificates from the Windows store (this has been fixed).

2. It could be a client certificate?

Could you try a currently nightly Firefox build and see if it's still a a problem? If so, we might want to look at the cert.

Thanks.

more options

See also:

Maybe also check the Browser Console for related message (don't know whether GPO errors show in this console).

more options

what do you mean by: 2. It could be a client certificate?

Do I have to import certificates in Computer's o User's store?

For the moment I'm off, I will try to log something in next weekend

more options

> what do you mean by: 2. It could be a client certificate?

It's probably not if you don't know what I meant :)

> Do I have to import certificates in Computer's o User's store?

Yes, and it sounds like you already have. The certificates from the OS will not show up in Firefox, they will just work.

more options

Yes, and it sounds like you already have. The certificates from the OS will not show up in Firefox, they will just work. </blockquote>

No, I mean, do Firefox read from User OR Computer store? Or both? Windows has two stores.

more options

> No, I mean, do Firefox read from User OR Computer store? Or both? Windows has two stores.

It should read from both. But you won't see them in Firefox settings.

more options

Maybe I figured it out... I placed my (intermediate) root CA public cert into the Computer's Personal Store, and now it seems to work..

Am I right to assume Firefox reads from the Personal store only, and not from the others ?

more options

We only read added certs, not built in certs, yes.

But it should read from the computer store.

more options

it's working on a W10 workstation, but on W7 clients not working, no matter where I put my certs

more options

What does about:policies show on your Windows 7 machines?

more options

It says it can't display the page

more options

about:policies requires Firefox 63 or later, so if these devices use Firefox 60 ESR then about:policies isn't available. This only leaves the Browser Console and the about:config to check the state of security.enterprise_roots.enabled and possibly the Certificate Manager.

more options

I tried both, no luck in finding some logs concerning the enforced policy..

more options

Dark345: So where are you with things right now? What's still not working?

more options

still no luck. GPO is active, w7 clients refused to load from windows computer store, I tried everything. i will try to load from a file instead.

more options

That's really odd. I'm betting it's related to intermediate certs. Would you consider opening a bugzilla bug so we could debug? We can provide instructions on how to log.

https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Gecko_Logging

set MOZ_LOG=pipnss:4,certverifier:4 set MOZ_LOG_FILE="c:\logs\log.txt"

See:

https://github.com/mozilla/policy-templates/issues/291