
Using Windows certificate store in Mozilla Firefox

02.01.2017 04:02

Many companies use Mozilla Firefox in their corporate environment. The latest version of Firefox comes with a great new feature: it supports Windows enterprise trusted root certificates! There is no longer any need to add certificates to Firefox separately using the keytool.

Just use Windows Active Directory Group Policies to deploy your certificates; most of you already do this for Microsoft Internet Explorer and other software. To enable this great new feature, Firefox introduced a new configuration parameter named security.enterprise_roots.enabled, which needs to be set to true on the about:config page.

But there is one little thing to know: Windows has multiple certificate stores (places where certificates are stored inside the registry and filesystem). There is not only a user store and a machine store but also a so-called enterprise store. Active Directory Group Policies may store their certificates inside the enterprise store, depending on your deployment. Firefox currently only reads the machine store (a.k.a. system store) for validating certificates.

To overcome this limitation I created a small PowerShell snippet that will copy the certificates from the enterprise store into the system / machine store:

# Copy every certificate sub-key from the enterprise root store into the machine root store
Copy-Item HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates\* HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates -Recurse

Just put that line into a .ps1 file and have it executed as a computer startup script or by your ESD system.
Please note that it needs to be executed with administrative credentials or in the local system security context.

Additional Information
To view the contents of the system store just browse the following registry hive:
HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
Each certificate is represented as a separate sub-key with the certificate thumbprint as the key name.
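
Because every certificate is a sub-key named after its thumbprint, the copy can be made idempotent and auditable. The following is an added example, not the author's script: it uses only the two registry keys named above, copies just the thumbprints the machine store lacks, and outputs a record of what it added.

```powershell
# Added example (not the author's script): copy only the enterprise root
# certificates that the machine root store lacks and report what was added.
# Run elevated or as local system, e.g. as a computer startup script.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates',
    [string]$TargetKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
)

# Machines without GPO-deployed roots have no enterprise key: nothing to do.
if (-not (Test-Path -Path $SourceKey)) {
    Write-Verbose "No enterprise root store at $SourceKey; nothing to copy."
    return
}

$added = foreach ($cert in Get-ChildItem -Path $SourceKey) {
    # The sub-key name is the certificate thumbprint.
    $thumbprint  = $cert.PSChildName
    $destination = Join-Path -Path $TargetKey -ChildPath $thumbprint

    # Skip certificates the machine store already contains.
    if (Test-Path -Path $destination) {
        Write-Verbose "$thumbprint already present in machine store."
        continue
    }

    # -WhatIf shows which thumbprints would be copied without writing anything.
    if ($PSCmdlet.ShouldProcess($thumbprint, 'Copy to machine root store')) {
        Copy-Item -Path $cert.PSPath -Destination $TargetKey -Recurse
        [pscustomobject]@{
            Thumbprint = $thumbprint
            CopiedAt   = Get-Date
            Computer   = $env:COMPUTERNAME
        }
    }
}

# Emit the list of newly trusted roots so the caller can log or review it.
$added
```

The copy is one-way: a root that is later withdrawn from Group Policy stays in the machine store until it is deleted there, so keep the emitted thumbprint list as the record of what this script added.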

Michael Miklis

Author

Michael Miklis

Role: Senior Systems Engineer
Location: Bechtle Systemhaus Neckarsulm

My motivation:

Every day I encounter exciting and complex challenges at customer sites. With this blog I would like to offer insight into desktop virtualization, Microsoft infrastructure and scripting, and motivate others to share their knowledge too.

