Can't get Firefox to see personal user certs even with security.enterprise_roots.enabled


Hi, we push out this setting security.enterprise_roots.enabled = true, which means that Firefox should be using the certificate store.

One of our vendors has a secondary factor of authentication to get to their knowledgebase and helpdesk. The secondary authentication is a user certificate. This same certificate is needed for everyone and only works when it's in the user's certificate store. It was difficult enough to automate the deployment of this certificate, as GPOs do not allow doing anything on the user's personal certificate. Certutil can do it as part of a login script, but it pops up a nag: "You are about to install a certificate from a certification authority claiming to represent ..." There are no flags to force or automatically say yes.

So we found a program called importpfs.exe, as seen here: http://home.fnal.gov/~jklemenc/importpfx.html This works great and the certificate is imported at login, silently, to the user's personal store. If the user accesses the site with Internet Explorer or Chrome, they get a pop-up where they click the certificate name and then the site continues to load properly.

Unfortunately, Firefox has a Secure Connection Failed error, code SSL_ERROR_BAD_CERT_ALERT. Despite all of our other internal CA sites working and showing as trusted, as one would expect with security.enterprise_roots.enabled, it does not appear that Firefox has the ability to use the Windows personal certificate store. Is there another setting for this? If not, what is the proper way to get the developers on top of this?

Thank you!
