can't deploy private CA with GPO

  • 18 replies
  • 5 have this problem
  • 9 views
  • Last reply by Mike Kaply


Hi all

I'm trying to deploy my public CA to my Firefox on Windows environment. We need it because I have set up SSL inspection that re-signs the public certs of websites in order to perform inspection.

The CA cert is deployed through a GPO to every computer's store, and then a policy from the custom Firefox ESR ADMX files is telling clients to use the Windows certificate store. But it is not working at all. I can't see the cert imported.

My public CA cert is deployed in the store, inside the folders you can see in the screenshot, and I checked that every computer had received it correctly.

Please help!! Thanks

Attached screenshots

All Replies (18)


Hello Dark345,

You posted this 5 days ago and haven't received any response yet (sorry .... )

I am a complete layman in this area, but my posting here just might prompt the experts to come up with a perfect solution for you .....

In the mean time : this article is all I could find, and may not even come close to what you are looking for :

https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/


Unfortunately, modifying security.enterprise_roots.enabled to TRUE is a legacy solution, it seems. Now with the new Firefox ESR 60.x it can be deployed using a Windows GPO.

In fact, setting the GPO to enabled, as I did, triggers security.enterprise_roots.enabled to be TRUE and locked. But my certificates aren't imported.
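Before looking at certificates at all, it is worth confirming on one client that the GPO has actually landed where Firefox 60 ESR reads its policies on Windows, which is the registry, and that the installed Firefox is new enough to honour it. The script below is an added example, not code from the thread or from Mozilla. The key path and the ImportEnterpriseRoots value name follow Mozilla's policy-templates for the Certificates policy; the firefox.exe install paths are assumptions for a default install and should be adjusted for your environment.

```powershell
# Added example (not from the original thread): check a client for the Firefox
# enterprise-roots policy as written by the GPO, plus the installed Firefox version.
# Assumptions: the ADMX writes
#   HKLM/HKCU \SOFTWARE\Policies\Mozilla\Firefox\Certificates\ImportEnterpriseRoots = 1 (DWORD)
# as in mozilla/policy-templates, and Firefox lives in one of the default install paths.
function Test-FirefoxEnterpriseRootsPolicy {
    [CmdletBinding()]
    param()

    $hives = [ordered]@{
        'Machine' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
        'User'    = 'HKCU:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
    }

    foreach ($scope in $hives.Keys) {
        $path  = $hives[$scope]
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'ImportEnterpriseRoots' `
                        -ErrorAction SilentlyContinue).ImportEnterpriseRoots
        }
        [PSCustomObject]@{
            Scope                 = $scope
            KeyPath               = $path
            KeyPresent            = [bool](Test-Path -Path $path)
            ImportEnterpriseRoots = $value
            Enabled               = ($value -eq 1)
        }
    }
}

function Get-InstalledFirefoxVersion {
    [CmdletBinding()]
    param()

    # Assumed default install locations (64-bit and 32-bit builds).
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'),
        (Join-Path ${env:ProgramFiles(x86)} 'Mozilla Firefox\firefox.exe')
    ) | Where-Object { $_ -and (Test-Path -Path $_) }

    foreach ($exe in $candidates) {
        $ver = (Get-Item -Path $exe).VersionInfo.ProductVersion
        [PSCustomObject]@{
            Path            = $exe
            Version         = $ver
            # Policy support via GPO/registry arrived with Firefox 60 ESR.
            SupportsPolicies = ([version]($ver -replace '[^\d.].*$', '')).Major -ge 60
        }
    }
}

Test-FirefoxEnterpriseRootsPolicy | Format-Table -AutoSize
Get-InstalledFirefoxVersion      | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a client that has already done `gpupdate /force`; if both scopes report `KeyPresent = False`, the problem is Group Policy delivery (check `gpresult /r` for the GPO link and filtering), not Firefox. If the key is present and `Enabled = True` but certificates still do not appear, the policy is working and the certificate placement in the Windows stores is the next thing to check.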


So a couple things could be going on here.

1. We weren't reading intermediate certificates from the Windows store (this has been fixed).

2. It could be a client certificate?

Could you try a current Nightly Firefox build and see if it's still a problem? If so, we might want to look at the cert.

Thanks.


See also:

Maybe also check the Browser Console for related messages (I don't know whether GPO errors show in this console).


What do you mean by "2. It could be a client certificate?"

Do I have to import certificates into the Computer's or the User's store?

For the moment I'm off; I will try to log something next weekend.


> what do you mean by: 2. It could be a client certificate?

It's probably not if you don't know what I meant :)

> Do I have to import certificates into the Computer's or the User's store?

Yes, and it sounds like you already have. The certificates from the OS will not show up in Firefox, they will just work.


> Yes, and it sounds like you already have. The certificates from the OS will not show up in Firefox, they will just work.

No, I mean, does Firefox read from the User OR the Computer store? Or both? Windows has two stores.


> No, I mean, does Firefox read from the User OR the Computer store? Or both? Windows has two stores.

It should read from both. But you won't see them in Firefox settings.


Maybe I figured it out... I placed my (intermediate) root CA public cert into the Computer's Personal Store, and now it seems to work..

Am I right to assume Firefox reads from the Personal store only, and not from the others ?


We only read added certs, not built in certs, yes.

But it should read from the computer store.
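The exchange above turns on two facts a client-side check can settle quickly: which Windows store (LocalMachine or CurrentUser; Root, CA or Personal) the CA certificate actually landed in, and whether that certificate is a self-signed root or an intermediate issued by another CA, which is the case Mike flags as historically problematic. The script below is an added example, not code from the thread or from Mozilla; it takes a placeholder thumbprint, and the import helper uses certutil, which is present on Windows 7 as well as Windows 10 (the newer Import-Certificate cmdlet is not available on Windows 7 by default).

```powershell
# Added example (not from the original thread): locate an enterprise CA cert across the
# Windows certificate stores and report whether it is a root (self-signed) or an
# intermediate, then import it into the store that matches its role.
# Assumption: $Thumbprint is the SHA-1 thumbprint of your inspection CA (placeholder below).
function Find-EnterpriseCaCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # Normalise thumbprints copied from certmgr/openssl (spaces, colons, case).
    $Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()

    # Root = Trusted Root CAs, CA = Intermediate CAs, My = Personal (the store the OP used).
    $stores = 'Root', 'CA', 'My'
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in $stores) {
            $path = "Cert:\$location\$store"
            if (-not (Test-Path -Path $path)) { continue }
            Get-ChildItem -Path $path |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                ForEach-Object {
                    $bc = $_.Extensions |
                        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
                    [PSCustomObject]@{
                        Location     = $location
                        Store        = $store
                        Subject      = $_.Subject
                        Issuer       = $_.Issuer
                        IsSelfSigned = ($_.Subject -eq $_.Issuer)   # root CA if true
                        IsCA         = if ($bc) { $bc.CertificateAuthority } else { $false }
                        NotAfter     = $_.NotAfter
                    }
                }
        }
    }
}

function Import-EnterpriseCaCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$CerPath          # DER or Base64 .cer file
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    # Self-signed -> Trusted Root CAs; issued by another CA -> Intermediate CAs.
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    # certutil -addstore works on Windows 7 and later; -f overwrites an existing copy.
    & certutil.exe -f -addstore $store $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    [PSCustomObject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        ImportedTo = "Cert:\LocalMachine\$store"
    }
}

# Placeholder thumbprint; replace with your own CA's.
Find-EnterpriseCaCert -Thumbprint 'AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD' |
    Format-Table -AutoSize
```

If `IsSelfSigned` is `False`, you are deploying an intermediate, and the full chain (the intermediate plus the root that issued it) needs to be in the store for Firefox to build a path; a lone intermediate in Personal may appear to work on one machine only because another path happens to exist there. Run the import helper from an elevated prompt, since it writes to the LocalMachine stores.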


It's working on a W10 workstation, but on W7 clients it is not working, no matter where I put my certs.


What does about:policies show on your Windows 7 machines?


It says it can't display the page


about:policies requires Firefox 63 or later, so if these devices use Firefox 60 ESR then about:policies isn't available. This only leaves the Browser Console and the about:config to check the state of security.enterprise_roots.enabled and possibly the Certificate Manager.


I tried both, no luck in finding some logs concerning the enforced policy..


Dark345: So where are you with things right now? What's still not working?


Still no luck. The GPO is active, but W7 clients refuse to load from the Windows computer store; I tried everything. I will try to load from a file instead.


That's really odd. I'm betting it's related to intermediate certs. Would you consider opening a bugzilla bug so we could debug? We can provide instructions on how to log.

https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Gecko_Logging

set MOZ_LOG=pipnss:4,certverifier:4
set MOZ_LOG_FILE="c:\logs\log.txt"

See:

https://github.com/mozilla/policy-templates/issues/291