Bechtle-Blog PowerShell Windows

Using Windows certificate store in Mozilla Firefox

Lots of companies are using Mozilla Firefox in their corporate environment. Firefox came up with a great new feature in the latest version – it will support Windows enterprise trusted root certificates! No more need for adding certificates to Firefox seperatly using the keytool:

firefox-connection-not-secure

Just use the Windows Active Directory Group Policies to deploy your certificates – most of you already do this for use with Microsoft Internet Explorer and other software. To enable this great new feature Firefox introduced a new configuration parameter named security.enterprise_roots.enabled this needs to be set to true in the about:config page:

security-enterprise_roots-enabled

But theres one litte thing to know: Windows have multiple certifiacte stores (places where certificates are stored inside the registry and filesystem). Not only a user store and a machine store there is also a so called enterprise store. Active Directory Group Polices may store their certificates inside the enterprise store, depending on your deployment. Firefox currently only reads the machine store (a.k.a. system store) for validating certificates.

To overcome this limitation I created a small PowerShell snippet that will copy the certificates from the enterprise store into the system / machine store:

Copy-Item HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates* HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\ -Recurse

Just put that line into a .ps1 file and let this executed as a computer startup script or using ESD system.
Please note that this needs to executed using administrative credentials or using the local system security context.

Addtional Information
To view the contents of the system store just browse the following registry hive:
HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
SystemCertificates
Each certificate will be represented as a seperate sub-key with the certificate thumbprint as the key name.

You may also like
VBScript: List all installed applications
LotusScript: Move all items without a view into Inbox Folder
VBScript: List all files in a directory recursively
5 Comments
  • Éric Sylvain Périard
    2017-07-04T20:30:04+00:000000000431201707 at 20:30
    Reply

    I am an SCCM admin, is there way to enable the ” security.enterprise_roots.enabled ” parameter silently from lets say mozzilla.cfg file? Like usually I have an override.ini and then it points to the cfg to apply customization. I really don’t want to configure that parameters 3000 times… 😉

    • Geoff Wiley
      2017-07-14T18:10:32+00:000000003231201707 at 18:10
      Reply

      Yes I’m looking for this answer as well. SCCM silent for 8000+ machines

      • paulo
        2017-11-07T19:24:05+00:000000000530201711 at 19:24
        Reply

        Você pode criar uma bat com o seguinte metodo:
        cd /D “%APPDATA%MozillaFirefoxProfiles*.default”
        echo user_pref(“security.enterprise_roots.enabled “, true);>>prefs.js

  • Marcus Schommler
    2017-01-13T12:23:06+00:000000000631201701 at 12:23
    Reply

    I get your very helpful PS statement to work only if I drop /Certificates from the destination registry location. Otherwise I end up with the copied registry items under ../Certificates/Certificates, having not the intended effect there.

    • 2017-01-13T12:57:34+00:000000003431201701 at 12:57
      Reply

      Hello Marcus,
      thank you for the feedback! I just corrected the PS statement in my post.

Leave Your Comment

Your Comment*

Your Name*
Your Webpage