Lots of companies are using Mozilla Firefox in their corporate environment. Firefox came up with a great new feature in the latest version – it will support Windows enterprise trusted root certificates! No more need for adding certificates to Firefox separately using the keytool:
Just use the Windows Active Directory Group Policies to deploy your certificates – most of you already do this for use with Microsoft Internet Explorer and other software. To enable this great new feature, Firefox introduced a new configuration parameter named security.enterprise_roots.enabled, which needs to be set to true on the about:config page:
But there is one little thing to know: Windows has multiple certificate stores (places where certificates are stored inside the registry and file system). Besides the user store and the machine store there is also a so-called enterprise store. Active Directory Group Policies may store their certificates in the enterprise store, depending on your deployment.
Beginning with Firefox version 52 both the machine store and the enterprise machine store are searched for certificates – so no further steps are needed. Prior to version 52 only the certificates in the machine store (a.k.a. system store) are used for validating certificates. To overcome this limitation I created a small PowerShell snippet that copies the certificates from the enterprise store into the system / machine store:
# Copy every certificate sub-key (named by thumbprint) from the enterprise root store into the machine root store
Copy-Item HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates\* HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates -Recurse
Just put that line into a .ps1 file and have it executed as a computer startup script or through your ESD system.
Please note that this needs to be executed using administrative credentials or in the local system security context.
To view the contents of the system store just browse the following registry hive:
Each certificate will be represented as a separate sub-key with the certificate thumbprint as the key name.
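As an added example (not part of the original post), the following script does the same copy one certificate at a time, skipping thumbprints that already exist in the machine store, and then verifies each copied certificate through the Cert: drive, which reads the same machine store. The registry paths are the standard locations; the elevation check and the verification step are additions, not something the original one-liner does.

```powershell
# Added example: idempotent copy of enterprise root certificates into the machine root store.
# Paths are the standard registry locations described in the post; adjust if your deployment differs.
$Source = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates'
$Target = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

# Writing below HKLM requires an elevated (administrative) or LocalSystem context.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run elevated or as LocalSystem.'
}

# Machines that never received certificates via Group Policy may not have the enterprise store at all.
if (-not (Test-Path $Source)) {
    Write-Output "No enterprise root store found at $Source - nothing to copy."
    return
}

$copied = @()
foreach ($key in Get-ChildItem -Path $Source) {
    $thumbprint = $key.PSChildName          # each sub-key is named by the certificate thumbprint
    $dest = Join-Path $Target $thumbprint
    if (Test-Path $dest) {
        Write-Verbose "Already present in machine store: $thumbprint"
        continue
    }
    # Copy the whole sub-key (including the Blob value holding the certificate) into the target store.
    Copy-Item -Path $key.PSPath -Destination $Target -Recurse
    $copied += $thumbprint
}

# Verify through the certificate provider, which reads the machine root store we just wrote to.
foreach ($thumbprint in $copied) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($cert) {
        Write-Output "Copied: $thumbprint  $($cert.Subject)"
    } else {
        Write-Warning "Registry key copied but certificate not visible in Cert:\LocalMachine\Root: $thumbprint"
    }
}
```

Run it with -Verbose to also see which thumbprints were already present and therefore skipped.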