[Mozilla Enterprise] policies.json and Installing Certificates policy
Mike Kaply
mkaply at mozilla.com
Mon Mar 8 16:46:10 UTC 2021
Have the certs expired yet?
The way we keep from installing the same cert twice is that we check to see
if the old cert is trusted:
https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/Policies.jsm#333
I think that's what you're running into...
We don't currently have a way to uninstall certificates.
Mike
On Thu, Mar 4, 2021 at 4:58 PM Hoang (US), Victor T <
victor.t.hoang at boeing.com> wrote:
> Hello all,
>
>
>
> I had a certificate expire. Trying to update it and I’m using the
> policy.json file with the Install feature instead of ImportEnterpriseRoots
> so that I can be OS Agnostic. Example:
>
>
>
> "Certificates": {
>   "Install": ["C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt",
>               "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"]
> }
>
>
>
> I tried updating my certificate by giving it the same name and file path,
> however, I don’t think the policy json knows to pull the new certificate
> due to the certificate having the same name. I was able to update the
> certificate only by:
>
> - Creating a new profile (in this case, it keeps the old one, and
> writes the new one as well, even with the same name)
> - Manually adding the new one in. (also keeps the old one, and
> installs the new one so they both exist)
>
>
>
> My company has the same certificates in the Windows certificate Store, so
> I tested switching over to using "ImportEnterpriseRoots":True, but the
> problem is if you already loaded the certs with the Install method I listed
> above, Firefox doesn’t seem to switch over to ImportEnterpriseRoots
> probably because the old certificates are already existing in the local
> store on the browser and keeps using that expired one instead of checking
> the windows store for new ones. It does however, work on a clean install
> because the profile isn’t loaded yet and the certificates aren’t installed
> yet so ImportEnterpriseRoots becomes the default.
>
>
>
> Does anyone have any recommendations on updating the cert file without
> changing its name? Or perhaps even how to switch from using Install policy
> to ImportEnterpriseRoots policy for certificates? It sounds like the
> easiest work around might be to just include another Install line and
> renaming the newer certificate. The downside to this is that the expired
> certificate will still exist in the browser certificate store. Which leads
> me to wonder, is there a policy that removes older certificates from the
> local browser store? I could see this getting messy for older certificates
> over time.
>
>
>
> Grateful for any suggestions!
>
>
>
> Thanks all,
>
>
>
> Victor Hoang
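
An added example, not part of the original thread and not Mozilla's code: a Python audit that fingerprints each file listed under Certificates.Install and compares it with a recorded baseline, so a certificate swapped in under an unchanged file name (the case discussed above) shows up as "replaced". The baseline dictionary, the function names and the placeholder certificate bytes are assumptions constructed for illustration, and the script does not reproduce Firefox's own trust check.

```python
import hashlib
import json
import ssl
from pathlib import Path


def cert_fingerprint(data: bytes) -> str:
    """SHA-256 of the DER bytes, so PEM and DER copies of one cert match."""
    text = data.decode("ascii", errors="ignore").strip()
    if text.startswith("-----BEGIN CERTIFICATE-----"):
        data = ssl.PEM_cert_to_DER_cert(text)
    return hashlib.sha256(data).hexdigest()


def audit(policies_text, baseline, read=lambda p: Path(p).read_bytes()):
    """Return (path, status, fingerprint) per Certificates.Install entry.

    baseline maps path -> fingerprint recorded at the previous rollout
    (a hypothetical record kept by the admin, not something Firefox stores).
    """
    try:
        policies = json.loads(policies_text).get("policies", {})
    except json.JSONDecodeError as exc:
        raise ValueError(f"policies.json is not valid JSON: {exc}") from exc
    report = []
    for path in policies.get("Certificates", {}).get("Install", []):
        try:
            fp = cert_fingerprint(read(path))
        except (OSError, ValueError) as exc:
            report.append((path, f"unreadable: {exc}", None))
            continue
        old = baseline.get(path)
        status = "new" if old is None else "unchanged" if old == fp else "replaced"
        report.append((path, status, fp))
    return report


# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
NEW_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER).encode()
CERT1 = "C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt"
CERT2 = "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"
SAMPLE = json.dumps({"policies": {"Certificates": {"Install": [CERT1, CERT2]}}})
FILES = {CERT1: NEW_PEM, CERT2: OLD_DER}  # cert1 was swapped under the same name

if __name__ == "__main__":
    known = {p: cert_fingerprint(OLD_DER) for p in FILES}
    for row in audit(SAMPLE, known, FILES.__getitem__):
        print(row)
```

A path reported as "replaced" is one where profiles that applied the earlier policy may still hold the previous certificate, since the reply above notes there is currently no way to uninstall certificates.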