[Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store

Hoang (US), Victor T victor.t.hoang at boeing.com
Fri Aug 2 22:38:59 UTC 2019 

I’m giving tinker with this and will get back with my findings. Silly me. Thanks!

From: Mike Kaply <mkaply at mozilla.com>
Sent: Friday, August 2, 2019 2:30 PM
To: Hoang (US), Victor T <victor.t.hoang at boeing.com>
Cc: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store

It should just be about putting them in the right location and setting the Certificates->Install policy (if they aren't being imported from the window store).

See:

https://github.com/mozilla/policy-templates/blob/master/README.md#certificates--install

Are these client certificates?

Mike Kaply

On Fri, Aug 2, 2019 at 4:18 PM Hoang (US), Victor T <victor.t.hoang at boeing.com<mailto:victor.t.hoang at boeing.com>> wrote:
Hello,

My name is Victor. I was wondering if anyone could share any experience/expertise/solutions with switching over to policy for managing certificates to pull from the windows store. I’m running into some issues even after following some of the guides about how to try and pull from my organizations windows store locations from https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox. It seems like the instructions might be a little broad/high level so I could be missing some things. Following the guide, I have security.enterprise_roots.enabled set to true and checked the windows store certificate location in regedit.exe and mmc and they seem to already exist (perhaps not in the right directory?). I asked someone in my organization and they mentioned that all the stores can be found on the console root (Local Computer) under trusted root certification Authorities --> Certificates and it all seems to be there as well.

My question:

•         It seems like firefox checks HKLM\SOFTWARE\Microsoft\SystemCertificates according to the support page. I’m using regedit.exe to navigate to the directory, but I don’t see any sort of “Import” option for the certificates I want to embed. I’m wondering how I can add my certificates into the location required by firefox? This is what I speculate to be the culprit.

Background:

•         Switching from FF 60.8 ESR cck2 over to FF 68.0.1 ESR with policy.json

•         Able to do majority of things such as setting up proxy, changing home page, and Trusted Devices installed (for CSSI Library badge authentication, etc)

•         Unable to have certificates be read from the windows store via policy unless I manually add them to the Certificate Manager in firefox. (Secure Connection Failed: SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
Thanks all,
Victor Hoang

_______________________________________________
Enterprise mailing list
Enterprise at mozilla.org<mailto:Enterprise at mozilla.org>
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to enterprise-request at mozilla.org<mailto:enterprise-request at mozilla.org> with a subject of "unsubscribe"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190802/3f172a8e/attachment.html>

More information about the Enterprise mailing list