1289516 - Add option to honor or import certificate authorities from OS cert store

Status: RESOLVED DUPLICATE of bug 1265113

(Core Graveyard :: Security: UI, defect)

Description

[Brian Lalonde]

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

1. Visit an https site using a certificate issued by a local certificate authority that exists in the OS certificate trusted authorities store.


Actual results:

Navigation is blocked by the Secure Connection Failed page. Individual sites can gradually be added as exceptions, but this probably disables ALL https cert chain validation for these sites.


Expected results:

Firefox should provide an option (disabled by default) that falls back to the OS' certificate authority list, or else provide a simple UI to import certs from that list in the Certificate Manager. Ideally, a button to enter this UI would appear on the Secure Connection Failed page, to allow possible remediation as easily as disabling https validation entirely for the site.

Firefox should not require users to export certificates from the OS list then import the certificate file, as this tends to require too much technical knowledge. Likewise, Firefox should not make disabling all certificate validation for a site the path of least friction, as that tends to become the default behavior. Ideally, Firefox shouldn't even require the user to know which certificates from the OS cert store should be used.

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

I'm assuming from your user agent you're on Windows. Luckily, this will soon be available for your platform - see bug 1265113 (it's been implemented but hasn't shipped in a release version yet).