Can't get Firefox to see personal user certs even with security.enterprise_roots.enabled

  • No replies
  • 1 has this problem
  • 14 views

Hi, we push out this setting security.enterprise_roots.enabled = true, which means that Firefox should be using the certificate store.

One of our vendors has a secondary factor of authentication to get to their knowledgebase and helpdesk. The secondary authentication is a user certificate. This same certificate is needed for everyone and only works when it's in the user's certificate store. It was difficult enough to automate the deployment of this certificate as GPOs do not allow doing anything on the user's personal certificate. Certutil can do it as part of a login script, but it pops up a nag "You are about to install a certificate from a certification authority claiming to represent ..." There are no flags to force or automatically say yes.

So we found a program called importpfx.exe as seen here: http://home.fnal.gov/~jklemenc/importpfx.html This works great and the certificate is imported at login, silently to the user's personal store. If the user accesses the site with Internet Explorer or Chrome, they get a pop-up where they click the certificate name and then the site continues to load properly.

Unfortunately Firefox has a Secure Connection Failed Error code SSL_ERROR_BAD_CERT_ALERT. Despite all of our other internal CA sites working and showing as trusted, as one would expect with security.enterprise_roots.enabled, it does not appear that Firefox has the ability to use the Windows personal certificate store. Is there another setting for this? If not, what is the proper way to get the developers on top of this?

Thank you!
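
A way to confirm, independently of any browser, that the login-script import described above left a usable client certificate in the user's Personal store. This is an added example, not part of the original post; the function name `Get-ClientAuthCandidate` is hypothetical, and it reads whatever is in the store of the user who runs it.

```powershell
# Added example: list certificates in the current user's Personal store and
# flag the ones a TLS client can offer for client authentication
# (private key present, inside validity period, EKU permits client auth).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs. A certificate with no EKU extension is not
        # restricted to particular purposes, so it is treated as permitted.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $ekuOk   = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ClientAuthOid)
        $inDates = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = $inDates
            ClientAuthEku = $ekuOk
            Usable        = $cert.HasPrivateKey -and $inDates -and $ekuOk
        }
    }
}

# Run as the affected user (for example at the end of the login script).
Get-ClientAuthCandidate |
    Format-Table Subject, HasPrivateKey, InValidity, ClientAuthEku, Usable -AutoSize
```

A row with `Usable` set to `True` for the vendor certificate means the import succeeded and the certificate is available to applications that read the Windows store.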
