The ImportEnterpriseRoots key makes Firefox trust root certificates that are in the system certificate store, as long as the key is set to "true". This is the recommended way to add trust for a private PKI to Firefox. It is equivalent to setting the security.enterprise_roots.enabled preference, which is what the steps below do by hand.
We ran into an issue where we had enabled HTTPS Inspection on our firewalls and Firefox was throwing up a certificate error for everyone. I had previously created a CA cert and pushed it out to everyone via GPO, but by default Firefox uses its own certificate store and does not look at the Windows Certificate Store. This is how to change that. It may not be the most efficient way, and feel free to suggest edits, but this is how I got it working for us.
5 Steps total
Step 1: Create Enableroot.js using Notepad
When Firefox starts, it reads the default preferences from every .js file in the defaults\pref folder of its install directory:
C:\Program Files (x86)\Mozilla Firefox\defaults\pref - 64-bit machine (32-bit Firefox)
C:\Program Files\Mozilla Firefox\defaults\pref - 32-bit machine
Note that 64-bit builds of Firefox install under C:\Program Files even on a 64-bit machine, so check which build you deploy.
You will need to create a file called Enableroot.js (or similar) with the following contents:
/* Allows Firefox to trust roots in the Windows certificate store */
pref("security.enterprise_roots.enabled", true);
A pref() line in this folder sets the default value of the preference, so a user can still change it back in about:config. This file will need to end up in the relevant location above; the next steps show how to do this via GPO.
Step 2: Create shared folder on DC
Create a shared folder, granting Everyone READ access, called EnableRoot (or similar) on one of your DCs, and drop the Enableroot.js file in this folder. Because this is a Computer Configuration preference, the file is copied in the computer's security context, so the share and NTFS permissions must allow domain computer accounts to read it (Everyone covers this). The UNC path of the file should then be similar to:
\\DC1\EnableRoot\Enableroot.js
Step 3: Create (or edit) GPO to deploy this file
I had already created a GPO to deploy a CA cert across our domain, so I just edited this one. You can create a new one if you so wish.
Edit the GPO and navigate to:
Computer Configuration\Preferences\Windows Settings\Files
Right-click, select New, then File. Set the Action to Create. In Source file, type the UNC path to the shared Enableroot.js mentioned above. In Destination file, enter one of the following:
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\enableroot.js - 64-bit machine (32-bit Firefox)
C:\Program Files\Mozilla Firefox\defaults\pref\enableroot.js - 32-bit machine
Click OK. Because we have both 32-bit and 64-bit machines, I made a copy of this item and changed the destination in the copy to the other path (so one item targets C:\Program Files and the other C:\Program Files (x86)). Note that the Create action only creates the file if it does not already exist; if you later need to change the file's contents, use Replace or Update instead.
Step 4: Link GPO to relevant OU's
I created the original GPO at domain level and edited that one, so I did not need to do this, but if you only want this to apply to certain machines you will need to link this GPO to the relevant OUs.
Step 5: TEST!
Find a machine that you know had previously been getting certificate errors in Firefox. Reboot, log in and test. If it worked, you should see the padlock in the address bar when going to www.google.co.uk or any other HTTPS site. To confirm the preference itself was picked up, open about:config and check that security.enterprise_roots.enabled is true.
Alternatively you could just run GPUPDATE /FORCE from the command prompt, but you will probably want to test with a reboot, so you know that telling a user to reboot will actually work.
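For anyone deploying with a startup script or a deployment tool instead of a GPO Files preference, here is the same procedure (Steps 1 to 3 plus the check in Step 5) as a PowerShell script. This is an added example, not the post's own method or Mozilla's code. It assumes the two install locations from the post, and the -InspectionCaSubject parameter is hypothetical, used only for an optional check that the inspection CA really did reach the Windows machine Root store.

```powershell
<#
  Added example, not from the original post: writes Enableroot.js into the
  defaults\pref folder of every Firefox install on this machine, verifies the
  file, and optionally checks that the HTTPS-inspection CA is in the Windows
  machine Root store. Run elevated (a GPO startup script or a deployment
  tool both run as SYSTEM, which is enough).
#>
[CmdletBinding()]
param(
    # Hypothetical parameter: CN of the firewall's HTTPS-inspection CA.
    [string]$InspectionCaSubject
)

$ErrorActionPreference = 'Stop'

# Identical to the post's Enableroot.js. pref() sets the default value only,
# so a user can still set it back to false in about:config.
$prefFileContent = @'
/* Allows Firefox to trust roots in the Windows certificate store */
pref("security.enterprise_roots.enabled", true);
'@

# Install roots from the post: Program Files (32-bit Windows, or a 64-bit
# Firefox build) and Program Files (x86) (32-bit Firefox on 64-bit Windows).
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Mozilla Firefox' } |
    Where-Object { Test-Path (Join-Path $_ 'firefox.exe') }

if (-not $installDirs) {
    Write-Warning 'No Firefox installation found under Program Files; nothing to do.'
    return
}

foreach ($installDir in $installDirs) {
    $prefDir = Join-Path $installDir 'defaults\pref'
    if (-not (Test-Path $prefDir)) {
        New-Item -ItemType Directory -Path $prefDir | Out-Null
    }
    $target = Join-Path $prefDir 'Enableroot.js'

    # Write explicit ASCII: Out-File/Set-Content defaults differ between
    # PowerShell versions, and a BOM would sit in front of the pref() call.
    [System.IO.File]::WriteAllText($target, $prefFileContent, [System.Text.Encoding]::ASCII)

    # Verify the file exists and carries exactly the pref line we expect.
    $written = Get-Content -Path $target -Raw
    if ($written -notmatch 'pref\("security\.enterprise_roots\.enabled",\s*true\);') {
        throw "Verification failed for $target"
    }
    Write-Host "OK: $target"
}

# The pref only helps if the inspection CA (the cert pushed by GPO in the
# post) actually reached the machine Root store. Check it when asked to.
if ($InspectionCaSubject) {
    $ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$InspectionCaSubject*" }
    if ($ca) {
        Write-Host "Inspection CA found in LocalMachine\Root: $($ca.Thumbprint -join ', ')"
    } else {
        Write-Warning "No certificate with CN=$InspectionCaSubject in LocalMachine\Root; Firefox will keep failing until the CA itself is deployed."
    }
}
```

Firefox only reads defaults\pref at startup, so the change takes effect the next time Firefox is launched; as in Step 5, about:config on the test machine should then show security.enterprise_roots.enabled as true.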
8 Comments
- CayenneJacob9339 Mar 17, 2017 at 04:23pm
Thanks for the guide. Some of us use Firefox and we will be enabling SSL DPI on our firewalls after upgrading this summer, so bookmarking this for future reference.
- PimientoDolsey May 2, 2017 at 07:11pm
Thank You! This workaround has saved me so much time!
- Pimientotbrim Jul 18, 2017 at 11:27am
Fantastic solution. Instead of creating a shared folder I chose to use the SYSVOL.
- CayenneMrTartan Jul 18, 2017 at 12:32pm
I have spent ages looking for a good solution for this and finally I found it! I should have known someone here would have created this, great stuff!
I haven't deployed with GPO; instead I used PDQ Deploy, but just that simple file in step 1 has enabled something I've been struggling with for ages. The official FF ways are less than ideal.
For anyone else in my boat. We use Websense/Forcepoint as a web based proxy, this means you also need to deploy the cert file they provide. That has always worked with IE/Edge/Chrome but FF was a problem. Now deploying this has solved the problem completely.
Totally buying you a beer if we ever meet!
- SerranoBrad34 Oct 12, 2017 at 03:15pm
Glad I stumbled across this. Thanks for the post helped me out.
- PoblanoGlenn9657 Nov 17, 2017 at 11:12am
Just adding this as further info, as it may help someone: https://wiki.mozilla.org/CA:AddRootToFirefox
- PimientoNate9701 Jun 29, 2018 at 02:19pm
This doesn't appear to be working for me. I'm running version 61.0 and the .js file is in the appropriate location but I'm still not able to browse using Firefox.
- Datilgreggmh123 Feb 9, 2019 at 08:40pm
The new procedure as of mid-2018 is to use the Firefox group policy templates from Mozilla's GitHub page (use the newest version): https://github.com/mozilla/policy-templates/releases, put the unzipped templates into the domain's central store (\\domain\sysvol\policies\policydefinitions), then set Computer Config > Admin Templates > Mozilla > Firefox > Certificates > 'Import Enterprise Roots' to Enabled. Close and reopen Firefox.
If one needs to do it manually per machine, simply enter 'about:config' into the Firefox address bar, then double-click security.enterprise_roots.enabled to change it from False to True. Close and reopen Firefox.
Gregg
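To make the policy route in the comment above scriptable and checkable, here is an added example (not from the post, and not Mozilla's own code) that sets the same registry value the 'Import Enterprise Roots' = Enabled setting writes, and reads it back. The key path and value name are taken from Mozilla's firefox.admx template; treat them as an assumption and confirm against the template version you deploy.

```powershell
<#
  Added example, not from the original post: sets and verifies the registry
  value behind the ADMX policy
  Computer Config > Admin Templates > Mozilla > Firefox > Certificates >
  'Import Enterprise Roots'. Assumption: key and value name as in firefox.admx.
#>
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
$valueName = 'ImportEnterpriseRoots'

function Enable-FirefoxEnterpriseRoots {
    # Create the policy key if the ADMX has never written it on this machine.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # REG_DWORD 1 is what the template writes for "Enabled".
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-FirefoxEnterpriseRoots {
    # Returns $true when the policy value is present and set to 1.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return [bool]($props -and $props.$valueName -eq 1)
}

Enable-FirefoxEnterpriseRoots
if (Test-FirefoxEnterpriseRoots) {
    Write-Host 'ImportEnterpriseRoots policy is enabled on this machine'
} else {
    Write-Warning 'ImportEnterpriseRoots policy is not set'
}
```

Unlike the defaults\pref file, a policy takes precedence over whatever the user has set in about:config, and an active policy is listed in Firefox under about:policies, which is the quickest check on a client once Firefox has been restarted.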