Set up Certificate Authorities (CAs) in Firefox


This article is intended for IT administrators who wish to set up Firefox on the computers within their organization.

If your organization uses private certificate authorities (CAs) to issue certificates for your internal servers, browsers such as Firefox might display errors unless you configure them to recognize these private certificates. This should be done early on, so your users won’t have trouble accessing websites.

You can add these CA certificates using one of the following methods.

Use built-in support for Windows, macOS and Android (recommended)

By default, Firefox on Windows, macOS and Android will search for and make use of third-party CAs that have been added to the operating system's certificate store. So, if you have configured your operating system to trust your organization's private CAs, Firefox should trust those CAs with no additional configuration required. This feature can be controlled in the Privacy & Security tab of about:preferences using the "Allow Firefox to automatically trust third-party root certificates you install" checkbox. Alternatively, the security.enterprise_roots.enabled preference in about:config controls this feature.

Windows Enterprise support

Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator.

  1. Type about:config in the address bar and press Enter (or Return).
    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.
  2. Search for the security.enterprise_roots.enabled preference.
  3. Click the Toggle button next to this preference to change its value to true.
  4. Restart Firefox.

Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although they may not appear in Firefox's certificate manager. Administration of these CAs should occur using built-in Windows tools or other third-party utilities.

Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

macOS Enterprise support

This feature also works for macOS by importing roots found in the macOS system keychain.

Use policies to import CA certificates

An enterprise policy can be used to add CA certificates to Firefox.

  • Setting the ImportEnterpriseRoots key to true will cause Firefox to trust root certificates. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the security.enterprise_roots.enabled preference as described in the Use built-in support for Windows, macOS and Android (recommended) section above.
  • The Install key searches by default for certificates in the locations listed below. You can specify a fully qualified path (see the examples listed here). If Firefox does not find something at your fully qualified path, it will search the default directories:
    • Windows
      • %USERPROFILE%\AppData\Local\Mozilla\Certificates
      • %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
    • macOS
      • /Library/Application Support/Mozilla/Certificates
      • ~/Library/Application Support/Mozilla/Certificates
    • Linux
      • /usr/lib/mozilla/certificates
      • /usr/lib64/mozilla/certificates

Linux

Using p11-kit-trust.so on Linux

Certificates can be programmatically imported by using p11-kit-trust.so from p11-kit (note that some distributions, such as Red Hat-based ones, already do this by default by shipping p11-kit-trust.so as libnssckbi.so).

This can be done by setting the SecurityDevices policy in /etc/firefox/policies/policies.json and adding an entry pointing to the p11-kit-trust.so location in the system, by manually adding it via the Security Devices manager in Preferences, or by using the modutil utility.
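The following is an added example, not part of the original article or of Firefox itself: a small audit of a policies.json file that checks whether each Install entry exists at its fully qualified path or in the Linux default directories listed above, and whether the library named in SecurityDevices is present. The certificate names, the /opt/pki path and the p11-kit-trust.so location are constructed sample values, and matching the default directories by base file name is an assumption.

```python
import json
from pathlib import PurePosixPath

# Linux default directories for the Install key, as listed in the article.
DEFAULT_DIRS = ["/usr/lib/mozilla/certificates", "/usr/lib64/mozilla/certificates"]

# Constructed sample policy and constructed set of files present on the host.
SAMPLE_POLICY = """
{"policies": {
  "Certificates": {"Install": ["corp-root.pem", "/opt/pki/corp-issuing.pem"]},
  "SecurityDevices": {"p11-kit-trust": "/usr/lib64/pkcs11/p11-kit-trust.so"}
}}
"""
SAMPLE_FILES = {
    "/usr/lib/mozilla/certificates/corp-root.pem",
    "/usr/lib64/mozilla/certificates/corp-issuing.pem",
}

def audit_policies(policy_text, existing_files, default_dirs=DEFAULT_DIRS):
    """Return findings for the Install and SecurityDevices policies.

    existing_files is passed in so the check runs offline; on a real host,
    test each path with os.path.isfile instead.
    """
    policies = json.loads(policy_text).get("policies", {})
    findings = []
    for entry in policies.get("Certificates", {}).get("Install", []):
        path = PurePosixPath(entry)
        # A fully qualified path is tried as given. Matching the default
        # directories by base file name is an assumption of this example.
        candidates = [str(path)] if path.is_absolute() else []
        candidates += [str(PurePosixPath(d) / path.name) for d in default_dirs]
        found = [c for c in candidates if c in existing_files]
        if not found:
            findings.append(f"Install {entry!r}: not found in any searched location")
        elif path.is_absolute() and found[0] != str(path):
            findings.append(f"Install {entry!r}: missing, fallback copy {found[0]} would be used")
    devices = policies.get("SecurityDevices", {})
    # Accept both the flat name-to-path form and the form nested under "Add".
    devices = devices["Add"] if isinstance(devices.get("Add"), dict) else devices
    for name, lib in devices.items():
        # Each entry maps a device name to a PKCS#11 library such as p11-kit-trust.so.
        if isinstance(lib, str) and lib not in existing_files:
            findings.append(f"SecurityDevices {name!r}: library {lib} does not exist")
    return findings

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICY, SAMPLE_FILES):
        print(finding)
```

A fallback finding is worth investigating: the certificate Firefox ends up trusting is then whatever file sits in the default directory, not the one the administrator pointed at.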

Preload the Certificate Databases (new profiles only)

Some users will create a new profile in Firefox, manually install the certificates they need, and then distribute the various .db files (cert9.db, key4.db and secmod.db) into new profiles using this method. This is not the recommended approach, and this method only works for new profiles.

Certutil

You can use certutil to update the Firefox certificate databases from the command line. Check the Microsoft support site for more information.
