
Firefox still won't work, Zscaler & corporate certificate


This has been a problem for a long time. I found a solution a year or so ago, but had to stop using Firefox until recently. I simply can't remember or find that solution now. There were lots of certificate workarounds, but then I came across a solution that was a beta setting in Firefox that solved it. That's what I can't find now.

Basically a lot of websites give me the "Your connection is not secure" message, due to the fact that my computer is using the corporate certificates, so Firefox assumes it's a bad cert. I love and want to use FF, but it's the only browser that can't figure this out. Anyway, like I said above, there was a beta setting a long time ago, and I can't remember or find it now. It fixed this "problem" and allowed me to use FF at work.

TIA!



Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0


user1929 72 solutions 290 answers

Hi,

In order to fix this, you need to get a copy of the root certificate file that your company is using, and import it into Firefox. This post describes how to do that: https://support.mozilla.org/en-US/questions/1194482#answer-1049259 . Can you try out the instructions there, and see if that works?


Question owner

Thanks for the suggestion. That's actually a solution I've tried in the past, and if I have to I'll do that again. But there was an actual setting / toggle that was something much simpler that they introduced as somewhat of a beta or "buried" feature that fixed this internally as opposed to doing a "workaround". That's what I'm trying to find. Sorry if I wasn't more clear.

jscher2000
  • Top 10 Contributor
8569 solutions 70082 answers

Chosen Solution

Hi dynatot, importing only requires one-time setup (unless/until you use the Refresh feature), but yes, there is a second way in recent versions of Firefox.

If you want Firefox to trust certificates signed by the ZScaler proxy you'll either need to:

(1) Import the signing certificate into the Authorities tab of Firefox's Certificate Manager.

(A) If you do not already have a certificate file ready to import, you can export it from IE or Chrome.

  • This may appear in IE's Certificates dialog (first screenshot example) OR it may appear when you view the certificate details on any secure page you load in IE/Chrome (second screenshot example -- you need to open the certificate you want to export, which is not the individual page's certificate).
  • The Export or Copy to file button starts the Export Wizard. Use the DER format and save to a convenient location (third and fourth screenshot examples).

(B) When finished with all the necessary exports to complete the chain in the Certification Path, you can import the certificates into the Firefox Authorities tab:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the proxy server's certificate. (Fourth and fifth screenshots.)

When asked, I suggest allowing the certificate for websites only unless your IT suggests otherwise.

It's a bit of a pain, but the advantage of that approach is that you are making the minimal compromise of security.

(2) If the signing certificate is in the Windows certificate store (for example, IE and Chrome trust it), you could set Firefox to trust everything that Internet Explorer trusts by having it check for authority certificates in the Windows certificate store.

This is easier, but the downside is that any successful attack on the Windows certificate store (bogus authority certificates inserted there by malware) will affect Firefox, too.

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(B) In the search box above the list, type or paste root and pause while the list is filtered.

(C) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true.

I'm not sure whether that will start working immediately or after the next time you exit Firefox and start it up again.
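
A pre-import check for the certificate exported in step (1)(A), plus a review of what option (2) would hand to Firefox, as an added PowerShell example that is not part of the original answer. The file path is a hypothetical placeholder, and reviewing the LocalMachine and CurrentUser Root stores is an assumption about which stores matter on your machine.

```powershell
# Added example: inspect an exported proxy CA certificate before trusting it.
# Assumption: $CertPath is wherever you saved the DER export (hypothetical default).
param(
    [string]$CertPath = "$env:USERPROFILE\Desktop\proxy-root.cer"
)

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Hash the raw DER bytes; this matches the SHA-256 fingerprint browsers display.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($Cert.RawData) } finally { $sha.Dispose() }
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}

function Get-CertSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A signing (authority) certificate carries basicConstraints with CA = true.
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        Expired    = ($Cert.NotAfter -lt (Get-Date))
        SHA256     = Get-Sha256Fingerprint $Cert
    }
}

# Option (1): check the exported file before importing it on the Authorities tab.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$summary  = Get-CertSummary $exported
$summary | Format-List

if (-not $summary.IsCA) {
    Write-Warning 'Not a CA certificate: this is probably a page certificate, not the signing certificate.'
}
if ($summary.Expired) {
    Write-Warning 'Certificate has expired.'
}

# Option (2): confirm the same certificate is present in the Windows root stores.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$inStore = Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $exported.Thumbprint }
if ($inStore) {
    $inStore | Select-Object PSParentPath, Subject, Thumbprint | Format-List
} else {
    Write-Warning 'Exported certificate was not found in the reviewed Windows root stores.'
}

# Option (2) extends trust to every root in the store, so list them all,
# newest first, and look for entries nobody can account for.
Get-ChildItem -Path $stores |
    Sort-Object NotBefore -Descending |
    Select-Object NotBefore, Subject, Thumbprint |
    Format-Table -AutoSize
```

Compare the printed SHA256 value with the fingerprint your IT department gives you through a separate channel before importing the file or enabling security.enterprise_roots.enabled.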


Question owner

jscher2000 - #2 was it. Thank you very much.

I know I marked this as answered, but the only other issue is Sync won't let me sign in. It acts as if there's no internet connection, though I know it's related to the certificate issue...

jscher2000
  • Top 10 Contributor
8569 solutions 70082 answers

Helpful Reply

dynatot said

I know I marked this as answered, but the only other issue is Sync won't let me sign in. It acts as if there's no internet connection, though I know it's related to the certificate issue...

Even after making the settings change you can't connect? It's strange that Sync wouldn't follow the same pattern. Or could there be some other issue...

Any problem accessing this site in a tab:

https://accounts.firefox.com/signin


Question owner

jscher2000 said

dynatot said
I know I marked this as answered, but the only other issue is Sync won't let me sign in. It acts as if there's no internet connection, though I know it's related to the certificate issue...

Even after making the settings change you can't connect? It's strange that Sync wouldn't follow the same pattern. Or could there be some other issue...

Any problem accessing this site in a tab:

https://accounts.firefox.com/signin

That link worked - then after I did that, I was able to log in through settings. Now it just constantly signs me out and asks me to log in again.

For what it's worth, my corporate network requires that I sign into my corporate profile upon a new browser refresh, for any sites to work. So I'm wondering if the sign-in/sync is being hindered by that - since I can't do that for whatever "portal" the sync is using... if that makes any sense from my layman's language!

jscher2000
  • Top 10 Contributor
8569 solutions 70082 answers

dynatot said

For what it's worth, my corporate network requires that I sign into my corporate profile upon a new browser refresh, for any sites to work. So I'm wondering if the sign-in/sync is being hindered by that - since I can't do that for whatever "portal" the sync is using... if that makes any sense from my layman's language!

That could be relevant. Do you mean, if you close all Firefox windows you need to sign in again, or do you need to do it more often than that?


Question owner

jscher2000 said

That could be relevant. Do you mean, if you close all Firefox windows you need to sign in again, or do you need to do it more often than that?

Not quite - and not that often. If I clear all cookies, I have to log in again for example.


Question owner

And now this morning I'm discovering two other quirks that feel similar to the syncing log-in issue.

  • #1 - When you go to the "Get Add-Ons" page, it won't let me add an extension or add-on there.
  • #2 - I was able to solve #1 by going to the url: https://addons.mozilla.org/en-US/ | But add-ons that need to log in, like Last Pass, won't log in.

@jscher2000 - Going back to your original solution, I never did #1 - only #2. Do you think if I did #1 that could help with these connections that appear to be going through a different "path"?


Question owner

To add to the last comment - I went ahead and imported the certificates. Here's what I did / found:

  • The global and global root certificates were already there
  • I imported a handful of other trusted certificates that appeared directly related to zscaler and my corporate security, to no avail
  • I noticed that Chrome evidently uses Windows (and in turn Internet Explorer's) certificates, and doesn't manage them in-house, while Firefox appears to manage them on their own. Because of that, both Chrome and I.E. show a couple of personal certificates related to my corporate log in, while Firefox does not show that. I'm wondering if that could be the issue. I cannot import those certificates as the key is not exportable, and they can't be imported without the key.

Is there some way to get Firefox to default to the Windows certs like Chrome does?

jscher2000
  • Top 10 Contributor
8569 solutions 70082 answers

I'm not aware of any other approaches.

Going back to your comment about clearing cookies, perhaps the background requests for Sync, LastPass, and the "Get Add-ons" frame embedded in the Add-ons page do not share cookies with web content?? It also could be related to the continuing evolution of the multi-process feature and increased sandboxing around web content. I am not very familiar with the internals.
