<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.gmail-m-1141010715319064534msolistparagraph, li.gmail-m-1141010715319064534msolistparagraph, div.gmail-m-1141010715319064534msolistparagraph
{mso-style-name:gmail-m_-1141010715319064534msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:276571724;
mso-list-template-ids:-909059382;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I forgot to show an example of what I will be trying.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<pre>{
  "policies": {
    "Certificates": {
      "Install": [
        "C:\\Program Files (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert1.cer",
        "C:\\Program Files (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert2.cer",
        "C:\\Program Files (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert3.cer",
        "C:\\Program Files (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert4.crt"
      ]
    }
  }
}</pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Something like that? (I’m currently just testing so I’m installing from a directory in which cck still exists where my certificates are stored locally on the
device. I will change it once I can get the certs installed the first time)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Also, once I save this in the json file, I’m guessing it will create the directories for me? E.g.:<o:p></o:p></span></p>
<p class="MsoNormal">%USERPROFILE%\AppData\Local\Mozilla\Certificates<o:p></o:p></p>
<p class="MsoNormal">%USERPROFILE%\AppData\Roaming\Mozilla\Certificates<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Will it need to be a fresh install of Firefox, or can I just use my currently existing one and it will be created on start up?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks again,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Victor<o:p></o:p></span></p>
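<p class="MsoNormal">Added example, not part of the original message and not Mozilla's code: a lint for the Certificates → Install list above that reports a JSON syntax error, a stray space in a file name, a missing file, or a file that is neither PEM nor DER. The search directories for bare file names and the PEM/DER support are assumptions taken from the policy-templates README linked in the thread; read_file, FILES and SAMPLE are hypothetical names holding constructed data.</p>
<pre>
```python
import json
import ntpath  # Windows path rules, so this runs on any OS

# Assumption (policy-templates README): bare file names are looked up here.
SEARCH_DIRS = [r"%USERPROFILE%\AppData\Local\Mozilla\Certificates",
               r"%USERPROFILE%\AppData\Roaming\Mozilla\Certificates"]

def cert_encoding(data):
    """Guess 'PEM' or 'DER' from the first bytes; None if neither."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag that opens a DER certificate
        return "DER"
    return None

def lint_install_policy(text, read_file):
    """Return (entry, problem) pairs for policies.Certificates.Install.
    read_file(path) is a hypothetical hook returning bytes, or None if absent."""
    try:
        node = json.loads(text)
    except json.JSONDecodeError as e:
        # A syntax error makes the whole file unparseable, not just one entry.
        return [(None, f"invalid JSON at line {e.lineno}, column {e.colno}")]
    for key in ("policies", "Certificates", "Install"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, list):
        return [(None, "policies.Certificates.Install is not a list")]
    problems = []
    for entry in node:
        if not isinstance(entry, str):
            problems.append((entry, "entry is not a string"))
            continue
        name = ntpath.basename(entry)
        if name != name.strip():
            problems.append((entry, "whitespace around the file name"))
        paths = [entry] if ntpath.isabs(entry) else [ntpath.join(d, entry) for d in SEARCH_DIRS]
        data = next((b for b in map(read_file, paths) if b is not None), None)
        if data is None:
            problems.append((entry, "not found: " + "; ".join(paths)))
        elif cert_encoding(data) is None:
            problems.append((entry, "not a PEM or DER certificate"))
    return problems

# Constructed sample: an in-memory file map and a policy with a stray space.
FILES = {r"C:\certs\cert1.cer": b"\x30\x82\x01\x0a",
         r"C:\certs\cert2.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n"}
SAMPLE = json.dumps({"policies": {"Certificates": {"Install": [
    r"C:\certs\ cert1.cer", r"C:\certs\cert2.pem", "cert3.cer"]}}})
PROBLEMS = lint_install_policy(SAMPLE, FILES.get)
```
</pre>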
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Hoang (US), Victor T
<br>
<b>Sent:</b> Friday, August 2, 2019 3:39 PM<br>
<b>To:</b> 'Mike Kaply' &lt;mkaply@mozilla.com&gt;<br>
<b>Cc:</b> enterprise@mozilla.org<br>
<b>Subject:</b> RE: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I’m going to tinker with this and will get back with my findings. Silly me. Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Mike Kaply &lt;<a href="mailto:mkaply@mozilla.com">mkaply@mozilla.com</a>&gt;
<br>
<b>Sent:</b> Friday, August 2, 2019 2:30 PM<br>
<b>To:</b> Hoang (US), Victor T &lt;<a href="mailto:victor.t.hoang@boeing.com">victor.t.hoang@boeing.com</a>&gt;<br>
<b>Cc:</b> <a href="mailto:enterprise@mozilla.org">enterprise@mozilla.org</a><br>
<b>Subject:</b> Re: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">It should just be about putting them in the right location and setting the Certificates-&gt;Install policy (if they aren't being imported from the Windows store).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">See:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://github.com/mozilla/policy-templates/blob/master/README.md#certificates--install">https://github.com/mozilla/policy-templates/blob/master/README.md#certificates--install</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Are these client certificates?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Mike Kaply<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, Aug 2, 2019 at 4:18 PM Hoang (US), Victor T &lt;<a href="mailto:victor.t.hoang@boeing.com">victor.t.hoang@boeing.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hello,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My name is Victor. I was wondering if anyone could share any experience/expertise/solutions with switching over to policy for managing certificates to pull from the Windows store.
I’m running into some issues even after following some of the guides about how to try and pull from my organization’s Windows store locations from
<a href="https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox" target="_blank">
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox</a>. It seems like the instructions might be a little broad/high level so I could be missing some things. Following the guide, I have security.enterprise_roots.enabled set to true
and checked the Windows store certificate location in regedit.exe and mmc and they seem to already exist (perhaps not in the right directory?). I asked someone in my organization and they mentioned that all the stores can be found on the console root (Local
Computer) under Trusted Root Certification Authorities → Certificates and it all seems to be there as well.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My question:<o:p></o:p></p>
<p class="gmail-m-1141010715319064534msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>It seems like Firefox checks HKLM\SOFTWARE\Microsoft\SystemCertificates according to the support page. I’m using regedit.exe to navigate to the directory, but I don’t see any sort of “Import” option for the certificates I want to embed. I’m wondering
how I can add my certificates into the location required by Firefox? This is what I speculate to be the culprit.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Background:<o:p></o:p></p>
<p class="gmail-m-1141010715319064534msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Switching from FF 60.8 ESR cck2 over to FF 68.0.1 ESR with policy.json<o:p></o:p></p>
<p class="gmail-m-1141010715319064534msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Able to do the majority of things such as setting up proxy, changing home page, and Trusted Devices installed (for CSSI Library badge authentication, etc.)<o:p></o:p></p>
<p class="gmail-m-1141010715319064534msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Unable to have certificates be read from the Windows store via policy unless I manually add them to the Certificate Manager in Firefox. (Secure Connection Failed: SSL_ERROR_HANDSHAKE_FAILURE_ALERT)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Thanks all,<br>
Victor Hoang </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Enterprise mailing list<br>
<a href="mailto:Enterprise@mozilla.org" target="_blank">Enterprise@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/enterprise" target="_blank">https://mail.mozilla.org/listinfo/enterprise</a><br>
<br>
To unsubscribe from this list, please visit <a href="https://mail.mozilla.org/listinfo/enterprise" target="_blank">
https://mail.mozilla.org/listinfo/enterprise</a> or send an email to <a href="mailto:enterprise-request@mozilla.org" target="_blank">
enterprise-request@mozilla.org</a> with a subject of "unsubscribe"<o:p></o:p></p>
</blockquote>
</div>
</div>
</body>
</html>