
Windows domain + GPO cert deployment + Firefox ESR + GPO "FF: use Windows cert store"

  • 5 replies
  • 1 has this problem
  • 4 views
  • Last reply by buggrabber


Hi,

so, policies are working like a charm so far.

Firefox picks changes up nicely, really like it.

Thanks for implementing that!!

- - - - - - -

As for the issue:

When browsing my site I still receive "Peer's Certificate issuer is not recognized." (SEC_ERROR_UNKNOWN_ISSUER) though. Chrome also uses the Windows store and works fine.

IE works fine.

The certificate is deployed via GPO, so it resides in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates

(note the "Policies" in the path!), which might be an indication for trouble depending on the implementation of "use windows store".

The environment is a corporate Windows domain.

The cert has been created with

CN -> HOST.something.local

alias -> CNAME.something.local, CNAME, HOST

Version 3

PKCS #1 SHA-256 With RSA Encryption

The site is called like this -> https://CNAME

Note: The local client's DNS settings will apply something.local.

- - - - - - -

Funnily enough, when calling CNAME, CNAME.something.local or HOST -> I only get SEC_ERROR_UNKNOWN_ISSUER.

With HOST.something.local (so the CN in the cert) this gets emitted too,

as well as "The certificate is only valid for the following names: CNAME.something.local, CNAME, HOST".

Another issue?

SAN sounds very much like "additional" names to me?! So I don't get why this would occur at all.

- - - - - - -

Version is 60.1.0 x64.

Looking forward to ideas.

"Policy actually being applied?" Yep, I see it reflected in about:config and the setting is also correctly being locked :)

Best regards


Modified by buggrabber
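On the "Another issue?" part of the post: browsers that follow RFC 6125 (Firefox's mozilla::pkix, Chrome) compare the host typed in the URL against the subjectAltName dNSName entries only, and fall back to the CN solely when the certificate has no SAN. The client's DNS suffix affects resolution, not this comparison. The snippet below is an added illustration of that matching rule, not Mozilla code; it uses the CN and SAN values from the post ("something.local" is the poster's placeholder).

```python
# Hostname matching as a SAN-aware validator does it (constructed example).
# With a SAN extension present, the CN is not consulted at all.

def _label_match(pattern: str, name: str) -> bool:
    """Match one dNSName pattern (optionally a left-most '*.' wildcard) against a host."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    # A wildcard covers exactly one left-most label and never a bare domain.
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or len(n_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:] and n_labels[0] != ""


def names_the_browser_checks(subject_cn: str, san_dns_names: list) -> list:
    """Names compared against the URL host: the SAN list, or the CN only if there is no SAN."""
    return list(san_dns_names) if san_dns_names else [subject_cn]


def hostname_matches(url_host: str, subject_cn: str, san_dns_names: list) -> bool:
    """True if the host from the URL is covered by the certificate's names."""
    return any(_label_match(p, url_host)
               for p in names_the_browser_checks(subject_cn, san_dns_names))


# Certificate described in the thread (values taken from the post).
CN = "HOST.something.local"
SAN = ["CNAME.something.local", "CNAME", "HOST"]

if __name__ == "__main__":
    for host in ["CNAME", "CNAME.something.local", "HOST", "HOST.something.local"]:
        verdict = "OK" if hostname_matches(host, CN, SAN) else "name mismatch"
        print(f"https://{host:24} -> {verdict}")
```

Running it shows the three SAN names matching and HOST.something.local (the CN) rejected, which is the "only valid for the following names" message in the post; adding the CN value to the SAN list fixes that part.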

All Replies (5)


To use the Windows certificate store in Firefox you have to set the security.enterprise_roots.enabled preference to true. It's set to false by default.

You can change this preference various different ways, the easiest of which is probably to set and lock it using an AutoConfig file.

Hope this helps.


Seems you answered exactly when I added this snippet yesterday:

> "Policy actually being applied?" Yep, I see it reflected in about:config and the setting is also correctly being locked :)


Any further ideas??

I can provide a TeamViewer session if necessary/desired.


Is this something you could possibly open a bug in bugzilla for?

We can get the team that worked on this feature involved to see if they can figure out what is going on.
