Skip to main content
Solved

How to: Firefox trusting company certificates

  • August 25, 2017
  • 13 replies
  • 67 views
A
Forum|alt.badge.img+9

Firefox manages certificates separated from the system certificates that are used by Safari or Chrome. To circumvent the issue that users are presented with the "certificate not trusted, add exception" notification, it is possible to add the certificates automated to the users firefox installations by utilizing the following commands: Importing Certificates on Firefox & code snippet for looking for the profile name

I know that there is also the CCK utility, but that is also more or less a pain in the a**, especially when you want to maintain firefox installations that are already existing (and have a filled user profile).

Firefox now provides the possibility to trust certificates that are stored in the system keychain by setting the key "about:config", "security.enterprise_roots.enabled" to TRUE. Mozilla Help

This setting should also be stored somewhere in prefs.js, but i have not figured out how to fiddle around with this file without ruining the user profile.

Now my question:
Does someone know a handy way to set this setting on all machines without destroying everything?

Best answer by AndreasRumpl

SOLVED, but some bits needed to come together:

With Firefox 64 it is now possible to trust root certificates that are in the system certificate store
https://wiki.mozilla.org/CA/AddRootToFirefox

Also with Firefox 64 it is now possible to not only edit and distribute settings via the about:config (firefox config editor), but also by using .json files
https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson

AND even better, it is also possible to use configuration profiles: "Policies can be specified using the Group Policy templates on Windows or configuration profiles on macOS (https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called policies.json."
https://github.com/mozilla/policy-templates/blob/master/README.md

Here you can find the example plist with all currently possible keys ("IMPORTANT: This file is in active development along with the policies in Firefox. To get the policy information that corresponds to a specific release, go to https://github.com/mozilla/policy-templates/releases."
https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist

--> The important part regarding certificates is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnterprisePoliciesEnabled</key>
    <true/>
    <key>Certificates</key>
    <dict>
        <key>ImportEnterpriseRoots</key>
        <true/>
    </dict>
</dict>
</plist>

You can simply edit the .plist for your needs and then upload it to the JSS (config profile - custom settings, preference domain is org.mozilla.firefox)

Just distributed this to our testing machines and it seems to work (finally!)

    S
    M

    13 replies

    D
    Forum|alt.badge.img+3
    • Durkin
    • New Contributor
    • September 6, 2017

    I am very interested in this as well. I am having the same issues everyone else has and the old posts about CCK are not helpful.

    A
    S
    Forum|alt.badge.img+11
    • swapple
    • Valued Contributor
    • December 8, 2017

    watching this one also

    A
    Forum|alt.badge.img+9
    • AndreasRumpl
    • Author
    • Contributor
    • Answer
    • January 25, 2019

    SOLVED, but some bits needed to come together:

    With Firefox 64 it is now possible to trust root certificates that are in the system certificate store
    https://wiki.mozilla.org/CA/AddRootToFirefox

    Also with Firefox 64 it is now possible to not only edit and distribute settings via the about:config (firefox config editor), but also by using .json files
    https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson

    AND even better, it is also possible to use configuration profiles: "Policies can be specified using the Group Policy templates on Windows or configuration profiles on macOS (https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called policies.json."
    https://github.com/mozilla/policy-templates/blob/master/README.md

    Here you can find the example plist with all currently possible keys ("IMPORTANT: This file is in active development along with the policies in Firefox. To get the policy information that corresponds to a specific release, go to https://github.com/mozilla/policy-templates/releases."
    https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist

    --> The important part regarding certificates is:

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnterprisePoliciesEnabled</key>
    <true/>
    <key>Certificates</key>
    <dict>
        <key>ImportEnterpriseRoots</key>
        <true/>
    </dict>
</dict>
</plist>

    You can simply edit the .plist for your needs and then upload it to the JSS (config profile - custom settings, preference domain is org.mozilla.firefox)

    Just distributed this to our testing machines and it seems to work (finally!)

    unknown_err
    dlondon
    S
    A
    Forum|alt.badge.img+10
    • ammonsc
    • Contributor
    • September 30, 2019

    Does anyone know what the key pair is for browser.urlbar.autoFill I want to turn that to False.

    T
    Forum|alt.badge.img+14
    • tthurman
    • Valued Contributor
    • November 21, 2019

    Thank you for this! @AndreasRumpl

    @ammonsc You may have to do this with a ../default/pref <filename>.js file. Using AutoConfig or just a config.js file.

    Regards,
    TJ

    J
    Forum|alt.badge.img+4
    • jorge_
    • Contributor
    • July 9, 2020

    How would i go about adding the following to this plist?

    Enable support for client certificates stored on macOS and Windows by setting the experimental preference security.osclientcerts.autoload to true.

    i attempted it myself, but doesnt seem to populate into firefox about:config
    the purpose of this is so that firefox works with okta device trust which requires user certs in keychain.

    H
    Forum|alt.badge.img+7

    @jorge.blandon As mentioned by AndreasRumpl just create the Plist file using the above mentioned settings and it will automatically import the Certificate from keychain.

    N
    Forum|alt.badge.img+5
    • NerdMusk
    • New Contributor
    • October 1, 2020

    Would like to add that you can instead use the following json schema instead of uploading a plist:

    {
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true | false
    }
  }
}
    S
    Forum|alt.badge.img+9
    • spowell01
    • Contributor
    • March 12, 2021

    We are trying to get our Securly filter certificate to be trusted in firefox and am not having much luck using the json schema above. I have it deployed exactly as shown, with only the "true" value configured. Firefox just fails to verify any website certificates and when i check the about:config its obvious the security.enterprise_roots.enabled is still set to false. Any ideas? we are testing on M1 hardware with Big Sur.

    J
    Forum|alt.badge.img+14
    • jtrant
    • Honored Contributor
    • March 12, 2021

    @spowell please share the XML from your PLIST. This is working fine for me on an M1 Mac.

    Do your certificates meet Apple's validity and cipher strength requirements? Validity shouldn't be an issue if you are pushing them via MDM, but cipher strength will be.

    S
    Forum|alt.badge.img+9
    • spowell01
    • Contributor
    • March 26, 2021

    I found a very basic error in the plist I was uploading and after correcting that the filter was working as expected in FireFox. Thanks for your response @jtrant

    L
    Forum|alt.badge.img
    • Lalitha
    • New Contributor
    • April 27, 2022

    How would i go about adding the following to this plist?

    Enable support for client certificates stored on macOS and Windows by setting the experimental preference security.osclientcerts.autoload to true.

    i attempted it myself, but doesnt seem to populate into firefox about:config
    the purpose of this is so that firefox works with okta device trust which requires user certs in keychain.


    Hi, @jorge_ 

    Were you able to solve this for Okta device trust and Firefox? I have the exact same requirement and modifying the plist did not seem to work for me.

    Thanks in advance.

     

    H
    Forum|alt.badge.img+5
    • hepvd
    • Contributor
    • October 9, 2023

    I found a very basic error in the plist I was uploading and after correcting that the filter was working as expected in FireFox. Thanks for your response @jtrant


    Mind sharing the plist ?

    Terms & ConditionsCookie settingsAccessibility statement