<div dir="ltr"><div>Have the certs expired yet?</div><div><br></div><div>The way we keep from installing the same cert twice is that we check to see if the old cert is trusted:</div><div><br></div><div><a href="https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/Policies.jsm#333">https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/Policies.jsm#333</a></div><div><br></div><div>I think that's what you're running into...</div><div><br></div><div>We don't currently have a way to uninstall certificates.</div><div><br></div><div>Mike<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 4, 2021 at 4:58 PM Hoang (US), Victor T <<a href="mailto:victor.t.hoang@boeing.com">victor.t.hoang@boeing.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_5933585667333010031WordSection1">
<p class="MsoNormal">Hello all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I had a certificate expire. Trying to update it and I’m using the policy.json file with the Install feature instead of ImportEnterpriseRoots so that I can be OS Agnostic. Example:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">"Certificates": {<u></u><u></u></p>
<p class="MsoNormal"> "Install": ["C:\\Program Files\\Mozilla Firefox\\certs\\cert1.crt", "C:\\Program Files\\Mozilla Firefox\\certs\\cert2.cer"]<u></u><u></u></p>
<p class="MsoNormal"> }<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I tried updating my certificate by giving it the same name and file path, however, I don’t think the policy json knows to pull the new certificate due to the certificate having the same name. I was able to update the certificate only by:<u></u><u></u></p>
<ul style="margin-top:0in" type="disc">
<li class="gmail-m_5933585667333010031MsoListParagraph" style="margin-left:0in">Creating a new profile (in this case, it keeps the old one, and writes the new one as well, even with the same name)<u></u><u></u></li><li class="gmail-m_5933585667333010031MsoListParagraph" style="margin-left:0in">Manually adding the new one in. (also keeps the old one, and installs the new one so they both exist)<u></u><u></u></li></ul>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">My company has the same certificates in the Windows certificate store, so I tested switching over to using "ImportEnterpriseRoots":True, but the problem is that if you already loaded the certs with the Install method I listed above, Firefox
doesn’t seem to switch over to ImportEnterpriseRoots, probably because the old certificates already exist in the local store on the browser, and it keeps using that expired one instead of checking the Windows store for new ones. It does, however, work on
a clean install because the profile isn’t loaded yet and the certificates aren’t installed yet, so ImportEnterpriseRoots becomes the default.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Does anyone have any recommendations on updating the cert file without changing its name? Or perhaps even how to switch from using Install policy to ImportEnterpriseRoots policy for certificates? It sounds like the easiest workaround might
be to just include another Install line and rename the newer certificate. The downside to this is that the expired certificate will still exist in the browser certificate store. Which leads me to wonder, is there a policy that removes older certificates
from the local browser store? I could see this getting messy for older certificates over time.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Grateful for any suggestions!<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Victor Hoang</span><span style="color:rgb(68,114,196)">
</span><span style="color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote></div>