[Mozilla Enterprise] policies.json and Installing Certificates policy
Hoang (US), Victor T
victor.t.hoang at boeing.com
Thu Mar 4 22:58:21 UTC 2021
Hello all,
I had a certificate expire. I'm trying to update it, and I'm using the policy.json file with the Install feature instead of ImportEnterpriseRoots so that I can be OS agnostic. Example:
"Certificates": {
"Install": ["C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt", "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"]
}
I tried updating my certificate by giving it the same name and file path; however, I don't think the policy json knows to pull the new certificate due to the certificate having the same name. I was able to update the certificate only by:
* Creating a new profile (in this case, it keeps the old one, and writes the new one as well, even with the same name)
* Manually adding the new one in. (also keeps the old one, and installs the new one so they both exist)
My company has the same certificates in the Windows certificate store, so I tested switching over to using "ImportEnterpriseRoots":True, but the problem is that if you already loaded the certs with the Install method I listed above, Firefox doesn't seem to switch over to ImportEnterpriseRoots, probably because the old certificates already exist in the local store on the browser, and it keeps using the expired one instead of checking the Windows store for new ones. It does, however, work on a clean install because the profile isn't loaded yet and the certificates aren't installed yet, so ImportEnterpriseRoots becomes the default.
Does anyone have any recommendations on updating the cert file without changing its name? Or perhaps even how to switch from using the Install policy to the ImportEnterpriseRoots policy for certificates? It sounds like the easiest workaround might be to just include another Install line and rename the newer certificate. The downside to this is that the expired certificate will still exist in the browser certificate store. Which leads me to wonder, is there a policy that removes older certificates from the local browser store? I could see this getting messy for older certificates over time.
Grateful for any suggestions!
Thanks all,
Victor Hoang
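
An added example, not part of the original post: a small audit that records the SHA-256 fingerprint of every file listed under Certificates.Install, so a certificate replaced under the same name and path shows up as a change between two snapshots. It assumes the top-level "policies" wrapper of a full policies.json; the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64, hashlib, json, os, tempfile

def install_paths(policy_text):
    """Return the Certificates.Install list from policies.json text."""
    doc = json.loads(policy_text)
    return doc.get("policies", {}).get("Certificates", {}).get("Install", [])

def fingerprint(path):
    """SHA-256 of the certificate's DER bytes (PEM or DER file); None if missing."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    if begin in data:  # PEM: hash the decoded body so PEM and DER copies match
        body = data.split(begin, 1)[1].split(end, 1)[0]
        data = base64.b64decode(b"".join(body.split()))
    return hashlib.sha256(data).hexdigest()

def snapshot(policy_text):
    """Map each Install path to the fingerprint of the file currently there."""
    return {p: fingerprint(p) for p in install_paths(policy_text)}

def replaced(before, after):
    """Paths present in both snapshots whose certificate content changed."""
    return sorted(p for p in after if p in before and before[p] != after[p])

def demo():
    # Constructed stand-ins for certificate DER bytes, not real certificates.
    old_der, new_der = b"constructed-old-cert", b"constructed-new-cert"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cert1.crt")
        policy = json.dumps({"policies": {"Certificates": {"Install": [path]}}})
        pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(old_der)
               + b"\n-----END CERTIFICATE-----\n")
        with open(path, "wb") as f:
            f.write(pem)
        before = snapshot(policy)
        with open(path, "wb") as f:  # same name and path, new content (DER)
            f.write(new_der)
        after = snapshot(policy)
        return before[path], after[path], replaced(before, after) == [path]

if __name__ == "__main__":
    print(demo())
```

Comparing these fingerprints with the ones shown in the browser's certificate viewer tells you which copy, old or new, a given profile actually holds.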