
PKI / CAC certificate issue

  • 5 replies
  • 2 have this problem
  • 1 view
  • Last reply by guigs

CAC authentication has been enabled, and Firefox sees the certificates. When going to a site that requires this identification, the box does appear and a certificate can be chosen. The setting for "security.remember_cert_checkbox_default_setting:" has been set to "false" because different sites require different certificates (there are 2-3 on the card.)

The problem comes if a user checks the box to "Remember this decision" regardless of whether the correct certificate was chosen. Once the box is checked on a website that requires the identity, the browser stores that somewhere (that is a question I need answered), but that does not negate the need to choose a certificate as the user would think. Instead, it will open the selection window and it will have the remembered cert on top. That would not be bad, except the browser then opens the selection box many times. The one I'm working on now used to ask me to pick a cert one time, now I have to select one SEVEN TIMES before the site loads. Additionally, the site in question refreshes itself periodically and the user has to select the certificate multiple times again. Since we use Firefox due to slow performance of the site in IE, this issue negates the advantage gained.

So my question is how do we remove the decision remembered by the browser?

Things we have tried:

  • SSL cache cleared.
  • Remove personal certificates and restart browser.
  • Reload Certificate Authorities.
  • Reset browser to default state then reload the card readers.
  • Reinstall Firefox
  • Deleting C:\Users\(affected user)\AppData\Local\Mozilla\Firefox <and> C:\Users\(affected user)\AppData\Roaming\Mozilla\Firefox

Any thoughts? What file stores these decisions?


Modified by AKjackal


All Replies (5)

There are two places I would check: Firstly go to about:permissions and search for the site. Clicking to forget the site will remove it from the cache. Secondly, please check the certificate manager, you may be able to remove the cert to reset the setting.

I am also asking in #security to see if we can find this preference.

Edit: Preferences -> Advanced -> Certificates -> View Certificates -> Servers

Thank you.

Modified by guigs

Forgetting the site and removing certs did not fix this. I am thinking it is going to either be a setting in about:config or a cached file somewhere on the hard disk.

Chosen solution

You can check if you can find a security related pref on the about:config page.

You can try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.

If that helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.

If that didn't help then remove or rename secmod.db (secmod.db.old) as well.


Ok, I did a bad thing. I did two changes at one time while troubleshooting. While renaming the cert8.db file to a .old extension, I noticed another possible culprit just above it. The file was cert_override.txt and I put a .old on that one also.

So far, I have not gotten the annoying identity checks I was experiencing before. Marked this as answered. Thank you guys/gals!


Yes that is the file that stores the preferences: cert_override.txt

#security IRC channel confirmed earlier today. Cheers!
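
The rename-and-test steps from the replies, as an added PowerShell example that is not part of the original thread: it sets aside one profile file at a time, so each change can be tested on its own and undone if it made no difference. The function names are hypothetical; the file names and the Roaming profile location are the ones mentioned in the thread, and the `Profiles` subfolder is assumed to be the default layout.

```powershell
# Added example (not from the thread): isolate which profile file matters by
# renaming exactly one of them to *.old, testing, then restoring if needed.

function Get-FirefoxProfileDir {
    # Default profile location under the Roaming path quoted in the question.
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $root -Directory -ErrorAction Stop
}

function Disable-ProfileFile {
    param(
        [Parameter(Mandatory)] [string] $ProfileDir,
        [Parameter(Mandatory)]
        [ValidateSet('cert8.db', 'cert_override.txt', 'secmod.db')]
        [string] $Name
    )
    # Close Firefox first so the profile files are not in use.
    if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
        throw 'Firefox is running; close it before renaming profile files.'
    }
    $path = Join-Path $ProfileDir $Name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$Name is not present in $ProfileDir"
        return
    }
    if (Test-Path -LiteralPath "$path.old") {
        throw "$Name.old already exists; restore or remove it first."
    }
    Rename-Item -LiteralPath $path -NewName "$Name.old"
    "$Name -> $Name.old"
}

function Restore-ProfileFile {
    param(
        [Parameter(Mandatory)] [string] $ProfileDir,
        [Parameter(Mandatory)] [string] $Name
    )
    $path = Join-Path $ProfileDir $Name
    if (-not (Test-Path -LiteralPath "$path.old")) { throw "No $Name.old to restore." }
    # A fresh copy may have been created while testing; drop it before restoring.
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path }
    Rename-Item -LiteralPath "$path.old" -NewName $Name
}

# Usage, one file per test cycle:
#   $p = (Get-FirefoxProfileDir | Select-Object -First 1).FullName
#   Disable-ProfileFile -ProfileDir $p -Name 'cert_override.txt'  # then start Firefox and test the site
#   Restore-ProfileFile -ProfileDir $p -Name 'cert_override.txt'  # only if it made no difference
```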