
about:config -> security.pki.certificate_transparency.disable_for_spki_hashes not working as expected
Hello community :)
Hope everybody is doing well. I'm coming here asking for help.
I'm managing browsers (Google Chrome, MS Edge and Firefox) in my company via GPOs. What we've been dealing with since version 135 came out is getting the "Did Not Connect: Potential Security Issue" error page (error: insufficient cert transparency) while visiting our internal resources.
Despite having security.pki.certificate_transparency.disable_for_spki_hashes set up (the main three certificate hashes are correctly added, basically copying the setup from the Chromium browsers, where everything works as expected), Firefox is not working.
The only way to make it work is via security.pki.certificate_transparency.disable_for_hosts, which is, of course, not desirable because of the security risks.
Does anyone face the same issues?
Thank you very much, y'all
Chosen solution
Are you including the sha256/ at the beginning? Our implementation doesn't support that.
All Replies (11)
Are you comma separating the hashes with no spaces?
Yes indeed. No spaces, just comma separated.
One more question (I'm also asking the team).
I assume you're setting via the Preferences policy.
Does everything look correct in about:policies?
When you go to about:config and search on security.pki.certificate_transparency.disable_for_spki_hashes, is it set correctly?
And is it bold, italics, regular?
Everything is correct, as far as I'm aware. We haven't read that anything else tied to CT should be set.
It is regular. As far as I recall, bold would be a manually added value.
KR Tomas
Chosen solution
Are you including the sha256/ at the beginning? Our implementation doesn't support that.
Oh... yeah, we do have sha256/ at the beginning :(
So it has to be removed? Have I missed some article where this info is present?
Thank you !!
> So it has to be removed? Have I missed some article where this info is present?
Yes, it does. I'm checking to see if we published that info anywhere.
Please do let me know if you can find any article with this information. In the meantime, we will test it out :)
Thank you very much Tomas
So I was pointed to this page:
https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies
Which says:
Each entry must be the base64-encoded sha-256 hash of a certificate's DER-encoded subject public key info. This is intended to be similar to the Chrome enterprise policy CertificateTransparencyEnforcementDisabledForCas.
But I don't think that's clear :).
I'm going to update.
(I added - but the sha256/ prefix is not included.)
It is not indeed :) Nevertheless, thank you very much for your help :) We have tested it and everything is working :)
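To make the format from the wiki page concrete, here is an added example (not code from the thread or from Mozilla) that computes a Firefox entry from a DER-encoded SubjectPublicKeyInfo, converts Chrome-style `sha256/<base64>` entries into the bare form Firefox accepts, and checks an existing pref value for the three problems raised in this thread: whitespace around entries, the `sha256/` prefix, and entries that are not the base64 of a 32-byte digest. The SPKI bytes are constructed filler (an Ed25519 SPKI structure with a dummy key), not a real CA key; in practice the SPKI comes from `openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform DER`. The `policies.json` shape (`Preferences` with `Value`/`Status`) follows Mozilla's policy-templates documentation.

```python
import base64
import hashlib
import json

# Firefox pref from the thread (not an assumption).
FIREFOX_PREF = "security.pki.certificate_transparency.disable_for_spki_hashes"

# Constructed sample SubjectPublicKeyInfo in DER, standing in for the output of
# `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER` on a CA cert:
#   SEQUENCE { SEQUENCE { OID 1.3.101.112 (Ed25519) } BIT STRING { 32 bytes } }
# The 32 key bytes are filler (0x11 repeated), not a real key.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes([0x11]) * 32

CHROME_PREFIX = "sha256/"


def spki_hash_b64(spki_der: bytes) -> str:
    """Base64(SHA-256(DER SPKI)), padded, no prefix: exactly one Firefox entry."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pref_value(value: str) -> list:
    """Explain why a pref value, as seen in about:config, would not work.

    Reports whitespace around entries, the Chrome-style 'sha256/' prefix
    (which Firefox does not accept), invalid base64, and digests that are
    not 32 bytes long. An empty list means the value looks acceptable.
    """
    problems = []
    for i, raw in enumerate(value.split(",")):
        if raw != raw.strip():
            problems.append(f"entry {i}: surrounding whitespace in {raw!r}")
        entry = raw.strip()
        if entry.lower().startswith(CHROME_PREFIX):
            problems.append(f"entry {i}: Chrome-style 'sha256/' prefix is not accepted")
            entry = entry[len(CHROME_PREFIX):]
        try:
            # validate=True rejects characters outside the base64 alphabet.
            digest = base64.b64decode(entry, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"entry {i}: not valid base64")
            continue
        if len(digest) != 32:
            problems.append(f"entry {i}: decodes to {len(digest)} bytes, expected 32")
    return problems


def to_firefox_entry(entry: str) -> str:
    """Convert one Chrome CertificateTransparencyEnforcementDisabledForCas
    entry ('sha256/<base64>') or a bare hash into the form Firefox accepts."""
    entry = entry.strip()
    if entry.lower().startswith(CHROME_PREFIX):
        entry = entry[len(CHROME_PREFIX):]
    problems = check_pref_value(entry)
    if problems:
        raise ValueError("; ".join(problems))
    return entry


def build_pref_value(entries) -> str:
    """Comma-separated, no spaces, no prefix: the value Firefox expects."""
    return ",".join(to_firefox_entry(e) for e in entries)


def policies_json(entries) -> str:
    """policies.json fragment that locks the pref via the Preferences policy."""
    pref = {"Value": build_pref_value(entries), "Status": "locked"}
    policy = {"policies": {"Preferences": {FIREFOX_PREF: pref}}}
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # What the original poster had: the Chrome value copied verbatim.
    chrome_style = [CHROME_PREFIX + spki_hash_b64(SAMPLE_SPKI_DER)]
    print("Problems with the Chrome-style value:")
    for p in check_pref_value(",".join(chrome_style)):
        print("  -", p)
    print(policies_json(chrome_style))
```

Running the check on a value copied from the Chrome policy reports the prefix problem for every entry; feeding the same list through `build_pref_value` yields the bare, comma-separated string that Firefox accepts, and `policies_json` wraps it in the Preferences policy so it can be deployed the same way as the original setting.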