Enable HPKP for internal CA
I know that: Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)
However, there are settings that seem to override that and force a user-defined CA to be checked against HPKP:
The pinning level is enforced by a pref, security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user-inserted CA; default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
I tried setting it to "3", but that still does not allow certs issued by an internal CA to be protected using HPKP:

"Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored."
Is there a way to force FF to protect internal certs too?
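The behaviour described in the question, as an added example rather than code from the thread or from Firefox: a small Python model of HPKP header parsing, pin-sha256 computation, and the decision a browser makes under the enforcement levels listed above. The certificate chains are constructed byte strings standing in for DER SubjectPublicKeyInfo blobs (not real keys), and the function names are the example's own. The model keeps two separate decisions, which is exactly why setting the pref did not help the original poster: the pref controls whether an already-stored pin is enforced, while the console message shows that the Public-Key-Pins header is never stored in the first place when the chain ends at a non-built-in root. Level 3 ("enforce test mode") is modelled here as enforcing the pins given to it, which is an assumption about its exact semantics.

```python
"""Added example: model of HPKP pin checks under Firefox's
security.cert_pinning.enforcement_level. Not Firefox code."""
import base64
import hashlib

# Pref values as listed in the thread.
PINNING_DISABLED, ALLOW_USER_MITM, STRICT, ENFORCE_TEST_MODE = 0, 1, 2, 3


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its pins, max-age and includeSubDomains."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}


def accept_hpkp_header(anchor_is_builtin: bool) -> bool:
    """The header is only stored when the validated chain ends at a built-in root.
    This is the check behind the console message quoted in the question, and it
    is independent of the enforcement_level pref."""
    return anchor_is_builtin


def pin_check(chain_spkis, pins, anchor_is_builtin: bool, level: int) -> str:
    """Decide 'skipped', 'ok' or 'violation' for a chain against stored pins.
    A chain passes when at least one SPKI hash in it matches a pin."""
    if level == PINNING_DISABLED:
        return "skipped"
    if level == ALLOW_USER_MITM and not anchor_is_builtin:
        return "skipped"  # user-imported root: violations are ignored
    # STRICT and (assumption) ENFORCE_TEST_MODE both enforce the pins here.
    chain_hashes = {spki_pin(s) for s in chain_spkis}
    return "ok" if chain_hashes & set(pins) else "violation"


# Constructed stand-ins for DER SPKI blobs (not real keys).
LEAF, INTERMEDIATE, PUBLIC_ROOT = b"leaf-spki", b"intermediate-spki", b"public-root-spki"
BACKUP = b"backup-key-spki"
INTERNAL_LEAF, INTERNAL_ROOT = b"internal-leaf-spki", b"internal-root-spki"

HEADER = (f'pin-sha256="{spki_pin(LEAF)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          f"max-age=5184000; includeSubDomains")


def demo() -> dict:
    """Run the model over a public chain and an internal-CA chain."""
    pins = parse_hpkp_header(HEADER)["pins"]
    public_chain = [LEAF, INTERMEDIATE, PUBLIC_ROOT]
    internal_chain = [INTERNAL_LEAF, INTERNAL_ROOT]
    return {
        "header_stored_public": accept_hpkp_header(anchor_is_builtin=True),
        "header_stored_internal": accept_hpkp_header(anchor_is_builtin=False),
        "public_default": pin_check(public_chain, pins, True, ALLOW_USER_MITM),
        "internal_default": pin_check(internal_chain, pins, False, ALLOW_USER_MITM),
        "internal_strict": pin_check(internal_chain, pins, False, STRICT),
        "internal_disabled": pin_check(internal_chain, pins, False, PINNING_DISABLED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the internal-CA case the strict level does turn the skipped check into a violation, but only for pins that are already stored; since the header itself is rejected for a non-built-in root, there is nothing stored for the pref to act on, which matches what the question reports.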