Important Notice: We're experiencing email notification issues. If you've posted a question in the community forums recently, please check your profile manually for responses while we're working to fix this.

On Monday the 3rd of March, around 5pm UTC (9am PT) users may experience a brief period of downtime while one of our underlying services is under maintenance.

Avatar for Username

Mozilla 도움말 검색

고객 지원 사기를 피하세요. 저희는 여러분께 절대로 전화를 걸거나 문자를 보내거나 개인 정보를 공유하도록 요청하지 않습니다. "악용 사례 신고"옵션을 사용하여 의심스러운 활동을 신고해 주세요.

자세히 살펴보기

이 쓰레드는 보존되었습니다. 만약 도움이 필요하시면 새로운 질문을 올려주세요.

Why is my self-signed certificate not recognized, even though it's in the Windows Certificate Store, and I've enabled security.enterprise_roots.enabled?

  • 3 답장
  • 1 이 문제를 만남
  • 1 보기
  • 최종 답변자: mg-t

mg-t
mg-t
more options

Hey all,

The certificate in question is one that's issued through TomCat, in accordance with [Confluence's instructions about how to issue a self-signed certificate](https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html). I've also deviated from those instructions in order to add a Subject Alternative Name, so that Chrome doesn't complain.

As you may have guessed, this certificate is for a Confluence installation.

I've next used a Group Policy Object to deploy this certificate to every computer in our domain. Computers accessing the local Confluence website from Internet Explorer, Edge, and Chrome have no certificate errors. However, computers accessing this local Confluence website from Firefox (currently, version 57) give error: ``` https://[host.domain]:[port]/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain: ```

I am aware of the [security.enterprise_roots.enabled](https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store) boolean flag, and have been able to enable it successfully. Specifically, there are some other internal websites that I didn't set up, but that we also distribute certificates for via Group Policy Objects. When this **security.enterprise_roots.enabled** is **true**, Firefox can visit those other internal websites without a certificate error, but when it is **false**, Firefox gives a certificate error when visiting them.

Hey all, The certificate in question is one that's issued through TomCat, in accordance with [Confluence's instructions about how to issue a self-signed certificate](https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html). I've also deviated from those instructions in order to add a Subject Alternative Name, so that Chrome doesn't complain. As you may have guessed, this certificate is for a Confluence installation. I've next used a Group Policy Object to deploy this certificate to every computer in our domain. Computers accessing the local Confluence website from Internet Explorer, Edge, and Chrome have no certificate errors. However, computers accessing this local Confluence website from Firefox (currently, version 57) give error: ``` https://[host.domain]:[port]/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: ``` I am aware of the [security.enterprise_roots.enabled](https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store) boolean flag, and have been able to enable it successfully. Specifically, there are some other internal websites that I didn't set up, but that we also distribute certificates for via Group Policy Objects. When this **security.enterprise_roots.enabled** is **true**, Firefox can visit those other internal websites without a certificate error, but when it is **false**, Firefox gives a certificate error when visiting them.

글쓴이 mg-t 수정일시

모든 댓글 (3)

mg-t
mg-t 질문자
more options

Yikes, I guessed wrong on this forum's markdown

WestEnd
WestEnd
more options

Was there a certificated in FF that you saved as well? Sometimes sites ask you to confirm and save their certificated to access the site as well. Was that missed?

mg-t
mg-t 질문자
more options

Hey WestEnd, this Firefox hasn't saved any security exceptions.

That's by design, since I would prefer to handle certificates via Group Policy Objects, and the Microsoft Certificate Store.

To reiterate, Firefox does seem to be respecting the Microsoft Certificate Store when security.enterprise_roots.enabled is set to true, but not for this particular certificate issued through Tomcat.