Windows domain + GPO cert deployment + Firefox ESR + GPO "FF: use Windows cert store"
Hi,
so, policies are working like a charm so far.
Firefox picks changes up nicely, really like it.
Thanks for implementing that!!
- - - - - - -
As for the issue:
When browsing my site I still receive ""Peer’s Certificate issuer is not recognized. " SEC_ERROR_UNKNOWN_ISSUER" though. Chrome also uses Windows Store, works fine.
IE works fine.
The certificate is deployed via GPO, so it resides in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
(note the "Policies" in the path!), which might be an indication for trouble depending on the implementation of "use windows store".
The environment is a corporate Windows domain.
The cert has been created with
CN -> HOST.something.local
alias -> CNAME.something.local, CNAME, HOST
Version 3
PKCS #1 SHA-256 With RSA Encryption
The site is called like this -> https://CNAME
Note: The local client's DNS settings will apply something.local.
- - - - - - -
Funnily enough, when calling CNAME, CNAME.something.local or HOST -> I only get SEC_ERROR_UNKNOWN_ISSUER
With HOST.something.local (so the CN in the cert) this gets emitted too,
as well as "The certificate is only valid for the following names: CNAME.something.local, CNAME, HOST".
Another issue?
SAN sounds very much like "additional" names to me?! So I don't get why this would occur at all.
- - - - - - -
Version is 60.1.0 x64.
Looking forward to ideas.
"Policy actually being applied?" Yep, I see it reflected in about:config and the setting is also correctly being locked :)
Best regards
Izmjenjeno
Svi odgovori (5)
To use the Windows certificate store in Firefox you have to set the security.enterprise_roots.enabled
preference to true
. It's set to false
by default.
You can change this preference various different ways, the easiest of which is probably to set and lock it using an AutoConfig file.
Hope this helps.
Seems you answered exactly when I added this snippet yesterday:
> "Policy actually being applied?" Yep, I see it reflected in about:config and the setting is also correctly being locked :)
Any further ideas??
I can provide a TeamViewer session if necessary/desired.
Is this something you could possibly open a bug in bugzilla for?
We can get the team that worked on this feature involved to see if they can figure out what is going on.