Firefox Root Certificate Expiration: Questions & Tips for Updating
Important update! On March 14, 2025, a critical root certificate in Firefox will expire. If you’re still using an older version (before Firefox 128 or ESR 115.13+), it’s crucial to update to Firefox 128 or newer to avoid issues with add-ons, DRM-protected content, and other features.
For full details, check out Update Firefox to prevent add-ons issues from root certificate expiration.
If you have questions about the update or need help with the process, this is the place to ask! Whether you’re just starting or you’ve already updated and want to share your experience, we’d love to hear from you.
Let’s come together, share tips, and ensure we’re all prepared. Drop your questions or insights below!
Edeziri
All Replies (10)
My PC uses Windows 7 Ultimate SP1. I definitely do not want to update to a newer version of Windows. Thus, I cannot update my Firefox.
Please let me know what root or roots are affected and how to download replacement(s).
david860 said
My PC uses Windows 7 Ultimate SP1. I definitely do not want to update to a newer version of Windows. Thus, I cannot update my Firefox.
You can update to a current version as the OP says Firefox 115.13+ ESR. It is currently at Fx 115.16.1esr.
The Firefox 115 ESR is still being updated to support the older OS's Windows 7, 8, 8.1 and macOS 10.12, 10.13, 10.14 in mind. The updates will occur until Fx 115.21.0esr in March 2025 unless Mozilla extends update support again.
https://support.mozilla.org/en-US/kb/firefox-users-windows-7-8-and-81-moving-extended-support
Edeziri
With Windows 7 you can use Firefox 115 ESR (current: 115.16.0 and isn't affected) and you should be fine with this version since you can't update to a newer version. You keep getting updates up to March 25, then your OS will no longer be supported and you need to stuck with the last version.
Firefox 116 and newer require Windows 10 as the minimum, users on Windows 7 and 8 and 8.1 have been moved to Firefox 115 ESR.
That does NOT answer my questions. (1) What are the affected roots? (2) What URIs can I use to download the replacements roots?
NOTE WELL: My wife's PC is still using Windows XP SP3. It does not have the capacity to update even to Windows 7. However, it still meets my wife's needs. She does not want any version of Firefox. I will have to update her SeaMonkey for new root certificates. Yes, I know how, but I need to know what roots.
I do not know the internals at this time, there is only this support article.
Hi
I have looked into this with Mozilla staff, who have confirmed that it is not possible to download replacement root certificates. They are baked into the code.
Windows 7 Firefox 115.0.3 (new as of 23 Jan 2023 and -- without my authorization -- pushed onto my PC on 12 Apr 2024)
In Firefox, I go to [Settings > Privacy & Security > Certificates > View Certificates]. That gives me the Certificate Manager window. When Authorities is selected on that window's menu bar, there is an Import button at the bottom (among others) to import a root certificate.
In the meantime, your Web page at https://ccadb.my.salesforce-sites.com.../IncludedCACertificateReport -- last updated today -- indicates the only root expiring in 2025 is one DigiCert root. Using the Certificate Manager window' View button to examine all DigiCert roots, I did not find any expiring in 2025. However, I found several that expired in 2023, on which I used the window's Delete or Distrust button.
Again, which root in Firefox's root store is the subject of your alert? And what root will be replacing it? How is it that a version of Firefox released this year included root certificates that expired last year?
The roots in question are part of Mozilla's system for verifying add-ons and delivering other remote content to Firefox. They are not part of the public web PKI, aren't included in the CCADB, and aren't accessible via the certificate manager. They are compiled into Firefox and can only be updated by updating Firefox. Short of manually backporting the patch to your outdated copy of Firefox and recompiling it, the only way to ensure Firefox will keep working is to update it.
Can't Mozilla consider to provide an update for 78.15.0 as that is the latest version that runs on Mac OS X 10.9/10.10/10.11 and they have hardware that doesn't support newer macOS versions? Mac OS X 10.12/10.13/10.14 use 115 ESR and thus aren't affected.
cor-el said
Can't Mozilla consider to provide an update for 78.15.0 as that is the latest version that runs on Mac OS X 10.9/10.10/10.11 and they have hardware that doesn't support newer macOS versions? Mac OS X 10.12/10.13/10.14 use 115 ESR and thus aren't affected.
I reached out to our engineering team. It was something they looked at and considered but unfortunately, it seems that making this happen would be quite challenging at this point. Since it's been out of support for over three years, we no longer have the infrastructure in place to build ESR78.