Hi, so, policies are working like a charm so far. Firefox picks changes up nicely, really like it. Thanks for implementing that!! - - - - - - - As for the issue: When browsing my site I still receive ""Peer’s Certificate issuer is not recognized. " SEC_ERROR_UNKNOWN_ISSUER" though. Chrome also uses Windows Store, works fine. IE works fine. The certificate is deployed via GPO, so it resides in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates (note the "Policies" in the path!), which might be an indication for trouble depending on the implementation of "use windows store". The environment is a corporate Windows domain. The cert has been created with CN -> HOST.something.local alias -> CNAME.something.local, CNAME, HOST Version 3 PKCS #1 SHA-256 With RSA Encryption The site is called like this -> https://CNAME Note: The local client's DNS settings will apply something.local. - - - - - - - Funnily enough, when calling CNAME, CNAME.something.local or HOST -> I only get SEC_ERROR_UNKNOWN_ISSUER With HOST.something.local (so the CN in the cert) this gets emitted too, as well as "The certificate is only valid for the following names: CNAME.something.local, CNAME, HOST". Another issue? SAN sounds very much like "additional" names to me?! So I don't get why this would occur at all. - - - - - - - Version is 60.1.0 x64. Looking forward to ideas. "Policy actually being applied?" Yep, I see it reflected in about:config and the setting is also correctly being locked :) Best regards