Support Forum

PKI / CAC certificate issue

Posted

CAC authentication has been enabled, and Firefox sees the certificates. When going to a site that requires this identification, the box does appear and a certificate can be chosen. The setting for "security.remember_cert_checkbox_default_setting:" has been set to "false" because different sites require different certificates (there are 2-3 on the card.)

The problem comes if a user checks the box to "Remember this decision" regardless of whether the correct certificate was chosen. Once the box is checked on a website that requires the identity, the browser stores that somewhere (that is a question I need answered), but that does not negate the need to choose a certificate as the user would think. Instead, it will open the selection window and it will have the remembered cert on top. That would not be bad, except the browser then opens the selection box many times. The one I'm working on now used to ask me to pick a cert one time, now I have to select one SEVEN TIMES before the site loads. Additionally, the site in question refreshes itself periodically and the user has to select the certificate multiple times again. Since we use Firefox due to slow performance of the site in IE, this issue negates the advantage gained.

So my question is how do we remove the decision remembered by the browser?

Things we have tried:

  • SSL cache cleared.
  • Remove personal certificates and restart browser.
  • Reload Certificate Authorities.
  • Reset browser to default state then reload the card readers.
  • Reinstall Firefox
  • Deleting C:\Users\(affected user)\AppData\Local\Mozilla\Firefox <and> C:\Users\(affected user)\AppData\Roaming\Mozilla\Firefox

Any thoughts? What file stores these decisions?

Modified by AKjackal

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

More Information

Application Basics
------------------
Name: Firefox
Version: 31.0
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Crash Reports for the Last 3 Days
---------------------------------
All Crash Reports
Extensions
----------
Name: DoD Configuration
Version: 1.3.6
Enabled: true
ID: {d15c1608-ba3e-4aa0-aa6f-aa9337226087}
Name: Adobe Acrobat - Create PDF
Version: 2.0
Enabled: false
ID: web2pdfextension@web2pdf.adobedotcom
Name: IDS_SS_NAME
Version: IDS_SS_VERSION
Enabled: false
ID: {D19CA586-DD6C-4a0a-96F8-14644F340D60}
Graphics
--------
Adapter Description: ATI Radeon HD 3400 Series
Adapter Drivers: aticfx64 aticfx64 aticfx32 aticfx32 atiumd64 atidxx64 atiumdag atidxx32 atiumdva atiumd6a atitmm64
Adapter RAM: 256
Device ID: 0x95c0
Direct2D Enabled: true
DirectWrite Enabled: true (6.2.9200.16492)
Driver Date: 4-19-2011
Driver Version: 8.850.0.0
GPU #2 Active: false
GPU Accelerated Windows: 1/1 Direct3D 10
Vendor ID: 0x1002
WebGL Renderer: Google Inc. -- ANGLE (ATI Radeon HD 3400 Series Direct3D9Ex vs_3_0 ps_3_0)
windowLayerManagerRemote: false
AzureCanvasBackend: direct2d
AzureContentBackend: direct2d
AzureFallbackCanvasBackend: cairo
AzureSkiaAccelerated: 0
Important Modified Preferences
------------------------------
accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size_cached_value: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.cache.frecency_experiment: 4
browser.places.smartBookmarksVersion: 7
browser.sessionstore.upgradeBackup.latestBuildID: 20140716183446
browser.startup.homepage_override.buildID: 20140716183446
browser.startup.homepage_override.mstone: 31.0
dom.mozApps.used: true
extensions.lastAppVersion: 31.0
font.internaluseonly.changed: true
gfx.direct3d.last_used_feature_level_idx: 0
javascript.allow.mailnews: false
network.cookie.prefsMigrated: true
places.database.lastMaintenance: 1407516564
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
privacy.cpd.offlineApps: true
privacy.cpd.siteSettings: true
privacy.sanitize.migrateFx3Prefs: true
privacy.sanitize.timeSpan: 0
security.disable_button.openCertManager: false
security.disable_button.openDeviceManager: false
security.remember_cert_checkbox_default_setting: false
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1406652111
JavaScript
----------
Incremental GC: true
Accessibility
-------------
Activated: false
Prevent Accessibility: 0
Library Versions
----------------
NSPR
Expected minimum version: 4.10.6
Version in use: 4.10.6
NSS
Expected minimum version: 3.16.2 Basic ECC
Version in use: 3.16.2 Basic ECC
NSSSMIME
Expected minimum version: 3.16.2 Basic ECC
Version in use: 3.16.2 Basic ECC
NSSSSL
Expected minimum version: 3.16.2 Basic ECC
Version in use: 3.16.2 Basic ECC
NSSUTIL
Expected minimum version: 3.16.2
Version in use: 3.16.2
Experimental Features
---------------------

guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
665 solutions 7515 answers

There are two places I would check: Firstly go to about:permissions and search for the site. Clicking to forget the site will remove it from the cache. Secondly, please check the certificate manager, you may be able to remove the cert to reset the setting.

I am also asking in #security to see if we can find this preference.

Edit: Preferences -> Advanced -> Certificates -> View Certificates -> Servers

Thank you.

Modified by guigs2

Question owner

Forgetting the site and removing certs did not fix this. I am thinking it is going to either be a setting in about:config or a cached file somewhere on the hard disk.

cor-el
  • Top 10 Contributor
  • Moderator
12300 solutions 113913 answers

Chosen Solution

You can check if you can find a security related pref on the about:config page.

You can try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.

If that helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.

If that didn't help then remove or rename secmod.db (secmod.db.old) as well.

Question owner

Ok, I did a bad thing. I did two changes at one time while troubleshooting. While renaming the cert8.db file to a .old extension, I noticed another possible culprit just above it. The file was cert_override.txt and I put a .old on that one also.

So far, I have not gotten the annoying identity checks I was experiencing before. Marked this as answered. Thank you guys/gals!

guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
665 solutions 7515 answers

Yes that is the file that stores the preferences: cert_override.txt

#security IRC channel confirmed earlier today. Cheers!
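The rename steps from this thread, done one file at a time so the effect of each change can be told apart and undone. This is an added PowerShell example, not part of any poster's reply; the function names are hypothetical and it assumes the default profile location under %APPDATA%\Mozilla\Firefox\Profiles.

```powershell
# Added example: set aside ONE Firefox profile file per run, then restore it
# if it made no difference. File names come from the thread; the function
# names are hypothetical. Written to also run on PowerShell 2.0 (Windows 7).
$ProfileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

function Get-FirefoxProfileDir {
    # Every profile directory under the current user's roaming AppData.
    Get-ChildItem -Path $ProfileRoot -ErrorAction Stop |
        Where-Object { $_.PSIsContainer }
}

function Disable-ProfileFile {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('cert_override.txt', 'cert8.db', 'secmod.db')]
        [string]$Name
    )
    if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
        throw 'Close Firefox first so the profile files are not in use.'
    }
    foreach ($dir in Get-FirefoxProfileDir) {
        $file = Join-Path $dir.FullName $Name
        $old  = "$file.old"
        if (-not (Test-Path -LiteralPath $file)) { continue }
        if (Test-Path -LiteralPath $old) {
            # Never overwrite an earlier backup.
            Write-Warning "$old already exists, skipping $($dir.Name)"
            continue
        }
        Rename-Item -LiteralPath $file -NewName "$Name.old"
        Write-Output "Renamed $file to $Name.old"
    }
}

function Restore-ProfileFile {
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($dir in Get-FirefoxProfileDir) {
        $file = Join-Path $dir.FullName $Name
        $old  = "$file.old"
        if (-not (Test-Path -LiteralPath $old)) { continue }
        # A file of the same name may exist again after a restart; the backup wins.
        if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file }
        Rename-Item -LiteralPath $old -NewName $Name
        Write-Output "Restored $file"
    }
}

# Usage: Disable-ProfileFile -Name 'cert_override.txt'   (restart Firefox, test the site)
#        Restore-ProfileFile -Name 'cert_override.txt'   (if nothing changed, try the next file)
```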