
This thread was archived. Please ask a new question if you need help.

Not trusting internal CA despite security.enterprise_roots.enabled set to true on Windows 10

  • 3 replies
  • 4 have this problem
  • 150 views
  • Last reply by TinyTankPU


I am starting a Windows 10 rollout and have noticed that something is wrong with Firefox on Windows 10 with our corporate CA.

I have set the security.enterprise_roots.enabled to true and restarted firefox, but it is still giving me unknown issuer.

When I paste the certificate details (provided on the error page) into a text file, save it as a .cer and open it in Windows, it shows just the WSA signing the website (e.g. google.com), and it is missing the intermediate and root CAs.

If I break the two certificate texts into two different .cer files, one is for the website itself, which is untrusted, and the other is for the signer, which is trusted, as the root and intermediate are in the Windows certificate store.

Any idea where to begin to figure out what's going on?

I have a Windows domain, and the SSL interception is being done by a Cisco WSA. It's worth noting that Firefox on our Windows 7 PCs works fine, so I am not sure what has changed between Windows 7 and Windows 10.

Any ideas would be greatly appreciated!


Chosen solution

Firefox only imports root certificates from the Windows certificate store. Any required intermediate certificates need to be sent by the server as part of the certificate chain that is sent.

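The distinction the chosen solution draws, shown as an added example rather than anything posted in the thread: a client that trusts only the enterprise root can build a chain when the server (or intercepting proxy) sends the server certificate together with the issuing intermediate, but not when it sends the server certificate alone. The script builds a throwaway root, issuing CA and server certificate with openssl, then verifies two candidate "served" bundles against a root-only trust store. It assumes the openssl command-line tool is installed; the names Example Corp and www.example.com, and the file names, are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway enterprise PKI (root -> issuing CA ->
# server cert) with openssl, then checks two "served" bundles the way a client that trusts only
# the root would: one where the proxy sends the server cert plus the issuing (intermediate) CA,
# and one where it sends the server cert alone, which is the failure described in the thread.
# All names (Example Corp, www.example.com) are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: CAs must carry CA:TRUE or verification rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root_ext.cnf
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > leaf_ext.cnf

# Root CA (self-signed). This is the only cert that belongs in a client's trusted root store.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Corp Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root_ext.cnf -out root.pem 2>/dev/null
# Issuing CA, signed by the root: stands in for the certificate the proxy signs with.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Corp Issuing CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca_ext.cnf -out inter.pem 2>/dev/null
# Server certificate, signed by the issuing CA (what the proxy mints per intercepted site).
openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
    -extfile leaf_ext.cnf -out leaf.pem 2>/dev/null

# Two candidate "what the server sent" bundles, server cert first, as in a TLS Certificate message.
cat leaf.pem inter.pem > served_complete.pem
cat leaf.pem           > served_leaf_only.pem

# describe_chain BUNDLE: print subject= / issuer= for every cert in BUNDLE, which is what the
# asker reconstructed by hand from the error page. crl2pkcs7 is just a way to make openssl
# walk a multi-certificate PEM file.
describe_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_served_chain ROOT_STORE BUNDLE [LOCAL_EXTRA]: verify the first cert in BUNDLE (the
# server cert) trusting only ROOT_STORE, with the rest of BUNDLE, plus the optional LOCAL_EXTRA
# file, available as untrusted intermediates. LOCAL_EXTRA models a client that happens to hold
# the intermediate locally (the workaround discussed later in the thread). Prints "ok" or "fail".
verify_served_chain() {
    root_store=$1; bundle=$2; local_extra=${3:-/dev/null}
    # Keep only the first PEM block: the server certificate itself.
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$bundle" > first_cert.pem
    cat "$bundle" "$local_extra" > untrusted.pem
    # -no-CApath: do not let the system CA directory stand in for the enterprise trust store.
    if openssl verify -no-CApath -CAfile "$root_store" -untrusted untrusted.pem first_cert.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "== served: server cert + intermediate"; describe_chain served_complete.pem
echo "verify (root only in store): $(verify_served_chain root.pem served_complete.pem)"
echo "== served: server cert only"; describe_chain served_leaf_only.pem
echo "verify (root only in store): $(verify_served_chain root.pem served_leaf_only.pem)"
echo "verify (root in store, intermediate held locally): $(verify_served_chain root.pem served_leaf_only.pem inter.pem)"

# Against a real host from inside the network, the equivalent check of what the proxy actually
# sends is (not run here, needs network access):
#   openssl s_client -connect www.google.com:443 -servername www.google.com -showcerts </dev/null
```

The `-showcerts` output is the list to compare with the chosen solution: if only one `BEGIN CERTIFICATE` block appears, the proxy is sending the server certificate alone and a root-only trust store cannot complete the chain, regardless of how the root was imported.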

All Replies (3)



Oh, interesting. Thank you for the info, this may be our problem.

I am having our security team look into our WSA to see if it can be configured to send the intermediate.

Thanks!


I can confirm (in my experience) that in Firefox 60, security.enterprise_roots.enabled no longer works on Windows.

In my case it's Windows 7, but all previously working installs of Firefox prior to 60 that were relying on the trusted certificate for our private corporate intranet root certificate authorities being properly found in the Windows Certificate Store abruptly stopped working when Firefox updated to version 60 (60.0.1).

FYI, it's very unlikely that you have a private intermediate certificate signer and not a private root certificate authority. Most corporations that are going to use private certificates simply designate a few private root certificate authorities that need trusting instead. Adding those root certificate authorities to the trusted list is sufficient for the entire chain to be trusted, even though they likely have a number of intermediate certificate signers in the chain that otherwise wouldn't be trusted.

Your chosen solution of manually adding the intermediate certificates as exceptions (or to the Windows Certificate Store) works around a bug in Firefox, and may let you move forward, but will likely break down in the near future. Generally the intermediate certificates will expire and change more frequently than the root certificates, which is why the root certificates are usually the ones added to the Windows Certificate Store.

Modified by TinyTankPU