As an admin can I add certificate exceptions to Firefox for all users?
As an admin in our organization I wanted to add two "Add Exception..." so end users do not have to get a certificate warning and click through to two places.
One is a connection to a systray service, the url is https://127.0.0.1:51763 and to test and validate this service for the web application, one must first click test in the app, then click Advanced and Add Exception on the "Your connection is not secure" page. The second is https://tablet.sigwebtablet.com:47290/SigWeb/ which has a Thawte certificate on it, but still requires clicking through.
This is for an in house financial operating system. The vendor did place our wildcard cert on the main page which works, its just these two service test URLs cause an issue, and since we do not own these certificates, we cannot re-sign them with a trusted Subject Alternative Name.
If I can do this with Firefox CCK or Group Policy, that would be fine. We do have Firefox trust our Windows Certificate store, so maybe there is something we can do already in Group Policy and Windows Certificates? I'm not sure because the cert at 127.0.0.1 is signed by corelation.local and there are NO SAN names on it, so even trying to use GPO's to import it to the Computers Trusted Root Certificates may not be enough.
Thanks.
All Replies (12)
You can check if it works if you set this pref to true on the about:config page in case other software adds its root certificate to the Windows certificate store.
- security.enterprise_roots.enabled = true
See also Certificates:
Izmjenjeno od strane cor-el
Moving to Firefox for Enterprises
Do these warnings not display on other browsers because their are system installed certs?
Ok the sigwebtablet page was fixed by adding this line into our autoconfig.js file we copy via GPO
pref("security.pki.distrust_ca_policy", 0);
The localhost / 127.0.0.1 cert issue is because the vendor does not have a SAN of 127.0.0.1 on the cert. Its actually a small service that pulls the mac address of the computer and makes it available via web api call to identify the device. In a banking core system this information is used to identify the terminal to know what branch it is in, along with what devices it should be connected to (cash drawers, receipt printers, report printers, cash dispensing machines, timezone, branch ID for accounting, device name, etc...)
Because the cert has only one common name on it (corelation.local), it would not be trusted in ANY browser (haven't tried because they only support Firefox).
I was just wondering if a list of addresses, such as 127.0.0.1 could be stored in a file via autoconfig.js or some other means to make Firefox "think" its already stored the exception for this particular cert, and allow it.
However for the time being, our staff is remotely logging onto every single workstation to get this initial setup paired so that the end user will not have to experience this. Its more work, but its the only way we know at the moment.
Domain CA certs from GPO and the Windows Certificate store are already trusted by this line in autoconfig.js
pref("security.enterprise_roots.enabled", true);
> I was just wondering if a list of addresses, such as 127.0.0.1 could be stored in a file via autoconfig.js or some other means to make Firefox "think" its already stored the exception for this particular cert, and allow it.
When you do the override manually, it creates a file called "cert_override.txt" in your profile. Theoretically you could put this file in folks profiles to solve this.
The CCK2 also provides a function that's very similar to what you want. You might check that out and see if it works.
If you'd like to have a further private discussion about this to see if we can help you do this, feel free to email me at mkaply at mozilla.com.
We've used CCK2 in the past prior to Firefox Quantum ESR.
We also have the ADMX/ADML templates loaded in Group Policy. Under Mozilla > Firefox > Certificates we have Import Enterprise Roots enabled. That is the only option in there however. I would have thought like in CCK2 there would be an overrides under certificates.
I'm not sure I can do that with autoconfig.js but I'm going to play with it from a CCK2 installed older firefox 52.6.0 I have in a virtual machine.
This is what our autoconfig.js has now because we can't find it in GPO.
pref("general.config.filename", "cck2.cfg"); pref("security.enterprise_roots.enabled", true); pref("network.automatic-ntlm-auth.trusted-uris", .ourdomainname.com); pref("network.negotiate-auth.trusted-uris", ourdomainname.com); pref("browser.shell.checkDefaultBrowser", false); pref("accessibility.force_disabled", 1); pref("security.pki.distrust_ca_policy", 0);
We need the accessibility.force_disabled because computers with screen recording software (ObserveIT for forensics) cause UI input into websites using Firefox to be excruciatingly slow. I think the other elements are self explanatory. I'll have to head over to the git-hub page and compare whats in our file vs whats available in GPO. If I could do it ALL via GPO that would be preferred. I know this reaches a little further than the original question, but I recognized your thumbnail and name from the CCK2 page. Thank you for your response and thanks for all of your hard work with CCK2 and pushing for enterprise policies for Firefox.
Ah ok per my last post, there is already a GPO Wish list for accessibility.force_disabled. https://github.com/mozilla/policy-templates/issues/284
I will add the rest to #293. https://github.com/mozilla/policy-templates/issues/293
Hey can anyone help me get a cert_override.txt to all users profiles? I can accomplish this using Quest Desktop Authority as a file copy element to copy a master cert_override.txt once to a person's firefox profile. That part is easy, but the difficult part is specifying the destination folder.
For example my firefox profile is at this location C:\Users\myusername\AppData\Roaming\Mozilla\Firefox\Profiles\5lewz3ur.default
Its that random string.default that makes this difficult. How can I determine the users profile name so I can CD into that folder and drop in a cert_override.txt?
Thanks!
Can you read an INI file via the tool? The profile name is in profiles.ini.
C:\Users\myusername\AppData\Roaming\Mozilla\Firefox\Profiles
Ok that may be helpful. The better google search now is vbscript on how to read and parse ini files.
Basically I have to build a small script just to get the folder path into a variable, lets say %firefoxprofile%, so I can copy a default certs_override.txt from a \\domain.com\dfs\share to %userprofile%\Appdata\Roaming\Mozilla\Firefox\Profiles\%firefoxprofile%.
Let me ask you this, what if its the first time a user logged into the computer... would that profile folder even exist? I've installed the latest December .admx/.adml templates and did not see this certs_override.txt as an option, though I didn't expect to, this may be a niche want/need.
Ok so I found an article on stack exchange and I can read the ini file, however the slash is in the wrong direction. In windows a file path needs the slashes to go in this direction \ . However in the ini file its going in this direction /.
ini.bat /s Profile0 /i Path %userprofile%\AppData\Roaming\Mozilla\Firefox\profiles.ini
Profiles/5lewz3ur.default
See the value returned is Profiles/5lewz3ur.default. But I need to get this value into a variable, say %ffprofile% so I can do a copy command to %userprofile%\AppData\Roaming\Mozilla\Firefox\%ffprofile%%.
Next I have to see what happens on a brand new Windows profile. Is this line even filled out, because a new profile hasn't yet launched Firefox for the first time.
Do you have any idea how to make this work? I just need a way to copy our master cert_override.txt from our network share into the firefox profile. Obviously Windows needs a path and the issue here is that the path name is always different. What is 5lewz3ur.default for me could be gxw92421.default for someone else. This is our pain point... that and we cannot do cert_override.txt another way (either admx gpo or autoconfig.js pref declarations).
Izmjenjeno od strane kjstech
Were you able to find a way to do this? I couldn't find anything.