How to disable the Enterprise Roots preference
Firefox may display a TLS connection error when your antivirus software prevents data from being sent to your browser. This happens when your antivirus software fails to register itself with Firefox as a valid issuer of TLS certificates.
Mozilla has added an Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system, to resolve your TLS connection error. You can determine if a website is relying on an imported root certificate by clicking the Site Information icon in the address bar.
Starting with Firefox version 68, when a TLS connection error occurs Firefox will automatically enable the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.
You can modify this behavior and prevent Firefox from automatically enabling the import of CAs that have been added to the operating system when a TLS connection error occurs, as follows:
- In the address bar, type about:config and press EnterReturn.
A warning page may appear. Click to continue to the about:config page.
- Type enterprise in the Search field above the list of preferences.
- Double-click on the preference security.certerrors.mitm.auto_enable_enterprise_roots to change its value from true to false.
To prevent CAs that have been added to the operating system from being automatically imported each time Firefox restarts:
- In the about:config page, search for enterprise as explained above.
- Double-click on the preference security.enterprise_roots.enabled to change its value from true to false.