
Using Windows certificate store in Mozilla Firefox

Lots of companies use Mozilla Firefox in their corporate environment. Firefox came up with a great new feature in the latest version – it supports Windows enterprise trusted root certificates! There is no more need to add certificates to Firefox separately using the keytool.

Just use Windows Active Directory Group Policies to deploy your certificates – most of you already do this for Microsoft Internet Explorer and other software. To enable this feature, Firefox introduced a new configuration parameter named security.enterprise_roots.enabled, which needs to be set to true on the about:config page.


But there’s one little thing to know: Windows has multiple certificate stores (places where certificates are stored inside the registry and filesystem). Besides a user store and a machine store, there is also a so-called enterprise store. Active Directory Group Policies may store their certificates inside the enterprise store, depending on your deployment.

Beginning with Firefox version 52, both the machine store and the enterprise machine store are searched for certificates, so no further steps are needed. Prior to version 52, only the certificates in the machine store (a.k.a. system store) are used for validating certificates. To overcome this limitation I created a small PowerShell snippet that copies the certificates from the enterprise store into the system / machine store:

Copy-Item HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates* HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root -Recurse

Just put that line into a .ps1 file and have it executed as a computer startup script or through an ESD system.
Please note that it needs to be executed with administrative credentials or in the local system security context.
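
The same copy as an added example (not the author's script): it copies only the thumbprint sub-keys the machine store does not already hold and reports each one, so the change to the machine-wide trust list can be reviewed. The parameter and function names are illustrative, and the destination is assumed to be the \Certificates sub-key of the system store.

```powershell
# Added example, not the post's code: copy only the enterprise roots that the
# machine store lacks, and emit one record per thumbprint for auditing.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Registry locations from the post; each \Certificates key holds one
    # sub-key per certificate, named by its thumbprint.
    [string]$EnterpriseRoot = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates',
    [string]$SystemRoot     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
)

function Get-StoreThumbprint {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Sub-key names are 40-hex-digit SHA-1 thumbprints; ignore anything else.
    Get-ChildItem -LiteralPath $Path |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() } |
        Where-Object { $_ -match '^[0-9A-F]{40}$' }
}

$enterprise = @(Get-StoreThumbprint -Path $EnterpriseRoot)
$system     = @(Get-StoreThumbprint -Path $SystemRoot)
$missing    = @($enterprise | Where-Object { $system -notcontains $_ })

foreach ($thumb in $missing) {
    $source = Join-Path $EnterpriseRoot $thumb
    # -WhatIf skips the copy but still lists what would be added.
    if ($PSCmdlet.ShouldProcess($thumb, 'Copy enterprise root into machine store')) {
        Copy-Item -LiteralPath $source -Destination $SystemRoot -Recurse
    }
    [pscustomobject]@{ Thumbprint = $thumb; Source = $source }
}

Write-Verbose ("{0} enterprise roots, {1} missing from machine store" -f `
    $enterprise.Count, $missing.Count)
```

Run it with -WhatIf first to see which thumbprints would be added without writing to the registry.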

Additional Information
To view the contents of the system store just browse the following registry hive:
Each certificate will be represented as a separate sub-key with the certificate thumbprint as the key name.

  • Michael Müller
    2019-02-15T10:53:21+01:00 at 10:53

    I tried the same thing with FF 65.0.1 and failed.
    It does not seem to find the certificates.
    Copying the certificates did not help FF find them either.
    The certificates can be found both under Trusted Root Certification Authorities and under Personal certificates.

    I set the option via GPO and also manually, with no noticeable difference.

  • Éric Sylvain Périard
    2017-07-04T20:30:04+02:00 at 20:30

    I am an SCCM admin, is there a way to enable the "security.enterprise_roots.enabled" parameter silently from, let's say, a mozilla.cfg file? Like usually I have an override.ini and then it points to the cfg to apply customization. I really don’t want to configure that parameter 3000 times… 😉

    • Geoff Wiley
      2017-07-14T18:10:32+02:00 at 18:10

      Yes I’m looking for this answer as well. SCCM silent for 8000+ machines

      • paulo
        2017-11-07T19:24:05+01:00 at 19:24

        You can create a .bat file using the following method:
        cd /D "%APPDATA%\Mozilla\Firefox\Profiles\*.default"
        echo user_pref("security.enterprise_roots.enabled", true);>>prefs.js

  • Marcus Schommler
    2017-01-13T12:23:06+01:00 at 12:23

    I get your very helpful PS statement to work only if I drop /Certificates from the destination registry location. Otherwise I end up with the copied registry items under ../Certificates/Certificates, having not the intended effect there.

    • 2017-01-13T12:57:34+01:00 at 12:57

      Hello Marcus,
      thank you for the feedback! I just corrected the PS statement in my post.
