Lots of companies are using Mozilla Firefox in their corporate environment. Firefox came up with a great new feature in the latest version – it will support Windows enterprise trusted root certificates! No more need for adding certificates to Firefox seperatly using the keytool:
Just use the Windows Active Directory Group Policies to deploy your certificates – most of you already do this for use with Microsoft Internet Explorer and other software. To enable this great new feature Firefox introduced a new configuration parameter named security.enterprise_roots.enabled this needs to be set to true in the about:config page:
But theres one litte thing to know: Windows have multiple certifiacte stores (places where certificates are stored inside the registry and filesystem). Not only a user store and a machine store there is also a so called enterprise store. Active Directory Group Polices may store their certificates inside the enterprise store, depending on your deployment. Firefox currently only reads the machine store (a.k.a. system store) for validating certificates.
To overcome this limitation I created a small PowerShell snippet that will copy the certificates from the enterprise store into the system / machine store:
Copy-Item HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates* HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\ -Recurse
Just put that line into a .ps1 file and let this executed as a computer startup script or using ESD system.
Please note that this needs to executed using administrative credentials or using the local system security context.
To view the contents of the system store just browse the following registry hive:
Each certificate will be represented as a seperate sub-key with the certificate thumbprint as the key name.