Closed Bug 1482075 Opened 6 years ago Closed 6 years ago

Enable security.enterprise_roots.enabled optional for client certificates

Categories

(Core :: Security: PSM, defect)

RESOLVED DUPLICATE of bug 1120350

People

(Reporter: mozila2017, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

Steps to reproduce:

If you import a client certificate into the operating system on Windows or Mac, it is usable in Chrome and Internet Explorer/IE but not in Firefox. This is caused by the internal certificate store of Firefox. Because the keygen tag, the last remaining ability to easily import client certificates into Firefox's internal store, has been removed, this is now a problem for users wanting to use Firefox for client certificates.


Actual results:

It's just not possible to easily use client certificates on Firefox anymore; only the way via the settings, which is unmanageable for most users, still works, even if a .p12 file was imported into the browser. Firefox also has no support at all for importing a .p12 as the other browsers (Chrome, IE, Edge, ...) have.


Expected results:

As https://bugzilla.mozilla.org/show_bug.cgi?id=1314010 already said, security.enterprise_roots.enabled should not be enabled by default, which would resolve this issue.

Maybe it is an option to just use the certificate store of Windows by default for client certificates? Why should this be a security issue?

The other possible solution would be to give a way to import a PKCS#12 file into the certificate store of Firefox - why does every other browser on Windows support this, and Firefox not? There is a GUI in Firefox to just import a whole CA, why not a client certificate anymore?
Or maybe you could add an optional <a href="https://" usewindowscerts=1> link option in which you can say: try to authenticate with client certificates from the Windows certificate store?
I am going to assign the "Core: Security:PSM" component for it and hopefully someone with more knowledge in this area will have a look over this.
Thanks... and sorry for my bad English in the first report. Here it is again, in better form:

Steps to reproduce:

If you import a client certificate into the operating system on Windows or Mac OS X via a simple .p12 file via any browser (also Firefox), it is usable in Chrome, Internet Explorer, Edge and also Safari but not in Firefox. This is caused by the internal certificate store of Firefox. By the removal of the keygen tag, the last remaining ability to easily import client certificates into Firefox's internal store gets lost, so there is no easy way anymore for users wanting to use Firefox to use client certificates.

Actual results:

It will not be possible to easily use client certificates on Firefox; the workaround of importing via the settings dialog is for most users just unmanageable.

Firefox also has no direct support for importing a .p12 into the certificate store it uses, as the other browsers (Chrome, IE, Edge, ...) have via the operating system and the mentioned downloading of a .p12 file.

On the other hand there is support for importing a whole CA with some clicks; a huge security step!

Try it yourself; just enter in a Firefox browser:

  https://demo01.cryptoweb.eu/cacrt.sign.crt

Importing a client certificate is a very small step compared to importing a whole CA! This is really security related. So why not allow importing client certificates the same way as importing a CA?

Expected results:

As https://bugzilla.mozilla.org/show_bug.cgi?id=1314010 already discovered, just enabling the security.enterprise_roots.enabled option by default, which would also enable client certificates of the operating system installation, is not an option. Maybe it is an option to just use the certificate store of Windows by default for client certificates? Why should this be a security issue?

The other possible solution would be to give a way to import a PKCS#12 file into the certificate store of Firefox - if you can import a whole CA in some clicks, why not a client certificate?
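The .p12 import that the report says Firefox has no direct support for can be done against a profile's NSS database with the NSS command-line tools. This is an added example, not part of the bug report or of Firefox; it assumes pk12util and certutil are installed and that the directory holding profiles.ini is passed in (~/.mozilla/firefox on Linux, "~/Library/Application Support/Firefox" on macOS).

```shell
#!/bin/sh
# Added example (not from the bug report): import a PKCS#12 client
# certificate into a Firefox profile's NSS database (cert9.db/key4.db)
# with the NSS tools, then list the user certificates it now holds.
# Assumes pk12util and certutil are on PATH.

# Print the directory of the profile marked Default=1 in profiles.ini.
# Prints nothing if no [ProfileN] section carries that flag.
firefox_default_profile() {
  base=$1
  awk -v base="$base" '
    function emit() { print (rel ? base "/" path : path); isdef = 0; exit }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^\[/ { if (isdef) emit(); path = ""; rel = 0; isdef = 0; next }
    /^Path=/ { path = substr($0, 6) }
    /^IsRelative=/ { rel = substr($0, 12) + 0 }
    /^Default=1$/ { isdef = 1 }              # [Install*] sections use Default=<path>
    END { if (isdef) emit() }
  ' "$base/profiles.ini"
}

# Import a .p12 (private key + client certificate) into the profile's
# NSS database; a master password set on the profile is prompted for.
import_client_cert() {
  profile=$1; p12=$2; p12_password=$3
  pk12util -i "$p12" -d "sql:$profile" -W "$p12_password"
}

# certutil marks user (client) certificates with the u,u,u trust flags.
list_client_certs() {
  certutil -L -d "sql:$1" | awk '$NF == "u,u,u"'
}

# Usage: ./import_p12.sh client.p12 'p12-password'
if [ $# -eq 2 ]; then
  profile=$(firefox_default_profile "${HOME}/.mozilla/firefox")
  [ -n "$profile" ] || { echo "no default profile found" >&2; exit 1; }
  import_client_cert "$profile" "$1" "$2"
  list_client_certs "$profile"
fi
```

After the import, the certificate appears in the Firefox certificate manager under "Your Certificates" and is offered to sites that request client authentication.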
Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE