Bechtle-Blog PowerShell Windows

Using Windows certificate store in Mozilla Firefox

Lots of companies are using Mozilla Firefox in their corporate environment. Firefox came up with a great new feature in the latest version – it will support Windows enterprise trusted root certificates! No more need for adding certificates to Firefox separately using the keytool:

Just use the Windows Active Directory Group Policies to deploy your certificates – most of you already do this for use with Microsoft Internet Explorer and other software. To enable this great new feature Firefox introduced a new configuration parameter named security.enterprise_roots.enabled this needs to be set to true in the about:config page:


But there’s one little thing to know: Windows has multiple certificate stores (places where certificates are stored inside the registry and filesystem). Not only a user store and a machine store there is also a so-called enterprise store. Active Directory Group Policies may store their certificates inside the enterprise store, depending on your deployment.

Beginning with Firefox version 52 the machine and the enterprise machine store are searched for certificates – so no further steps are needed. Prior version 52 only the certificates in the machine store (a.k.a. system store) are used for validating certificates. To overcome this limitation I created a small PowerShell snippet that will copy the certificates from the enterprise store into the system / machine store:

Copy-Item HKLM:SOFTWAREMicrosoftEnterpriseCertificatesROOTCertificates* HKLM:SOFTWAREMicrosoftSystemCertificatesRoot -Recurse

Just put that line into a .ps1 file and let this executed as a computer startup script or using ESD system.
Please note that this needs to executed using administrative credentials or using the local system security context.

Addtional Information
To view the contents of the system store just browse the following registry hive:
Each certificate will be represented as a seperate sub-key with the certificate thumbprint as the key name.

You may also like
VBScript: Ping Function
VBScript: Change Word Document Template
VBScript: List all files in a directory recursively
  • Michael Müller
    February 15, 2019 at 10:53

    ich hatte selbiges mit dem FF 65.0.1 versucht und bin gescheitert.
    Er scheint die Zertifikate nicht zu finden.
    Auch das kopieren der Zertifikate half nicht, dass der FF die Zertifikate findet.
    Die Zertifikate sind sowohl unter Vertrauenswürdige Stammzertifizierungsstellen und unter Eigene Zertifikate zu finden.

    Ich habe die Option per GPO und auch manuell gesetzt wobei kein Unterschied zu erkennen war.

  • Éric Sylvain Périard
    July 4, 2017 at 20:30

    I am an SCCM admin, is there way to enable the ” security.enterprise_roots.enabled ” parameter silently from lets say mozzilla.cfg file? Like usually I have an override.ini and then it points to the cfg to apply customization. I really don’t want to configure that parameters 3000 times… 😉

    • Geoff Wiley
      July 14, 2017 at 18:10

      Yes I’m looking for this answer as well. SCCM silent for 8000+ machines

      • paulo
        November 7, 2017 at 19:24

        Você pode criar uma bat com o seguinte metodo:
        cd /D “%APPDATA%MozillaFirefoxProfiles*.default”
        echo user_pref(“security.enterprise_roots.enabled “, true);>>prefs.js

  • Marcus Schommler
    January 13, 2017 at 12:23

    I get your very helpful PS statement to work only if I drop /Certificates from the destination registry location. Otherwise I end up with the copied registry items under ../Certificates/Certificates, having not the intended effect there.

    • January 13, 2017 at 12:57

      Hello Marcus,
      thank you for the feedback! I just corrected the PS statement in my post.

Leave Your Comment

Your Comment*

Your Name*
Your Webpage