Invalid cert can be imported as a CA cert, if it is already imported as an enterprise cert

6 months ago

(Reporter: yuki, Unassigned)
Firefox Tracking Flags

(firefox-esr60 affected, firefox64 affected)
(2 attachments)
6 months ago
Generally, Firefox's cert manager disallows importing a cert as a CA cert if it is not acceptable as a CA, for example a self-signed cert for server authentication. However, when it is already imported as an enterprise cert via Active Directory's group policy feature, it can be imported as a CA cert without any such error message.

I think this is not critical, but it is confusing.

# Steps to reproduce (on Windows 10):

1. Prepare a self-signed cert just for server authentication.
   (You can skip these steps if you use the attached file
   1-1. Go to
   1-2. Click the "More..." button.
   1-4. Scroll down and select text from "-----BEGIN CERTIFICATE-----"
        to "-----END CERTIFICATE-----".
   1-5. Copy and paste the text to a text editor.
   1-6. Save it as a cert file "self-signed.badssl.crt".
2. Set it as an enterprise cert provided via Active Directory's group policy.
   (You can skip these steps if you use the attached file
   2-1. Double click the file "self-signed.badssl.crt" to open it by
        the cert viewer of the Windows itself.
        Then please remember the fingerprint hex, for example: "7a57d3243..."
   2-2. Click the "Install Certificate" button.
        Then cert importer wizard starts.
   2-3. Choose the store for the current user and click "Next".
   2-4. Choose the second choice to specify cert store manually,
        and choose "Trusted Root Certification Authorities".
        Then click "Next".
   2-5. Click "Finish".
   2-6. Start regedit.exe with admin privilege.
   2-7. Go to "Computer\HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
        \Root\Certificates" and find a sub key for the imported cert.
        The name of the sub key is same to its fingerprint hex, for example:
   2-8. Export the sub key to a file "self-signed.badssl.reg".
   2-9. Open the file by a plain text editor supporting UTF-16LE.
   2-10. Replace the path of the key from "Computer\HKEY_CURRENT_USER\Software
         \Microsoft\SystemCertificates\Root\Certificates" to
   2-11. Save the change.
   2-12. Double-click the file and import it to the registry.
3. Start Firefox.
4. Go to "about:config" and set "security.enterprise_roots.enabled" to "true".
5. Restart Firefox.
6. Open "Tools" => "Options".
7. Go to the certificates manager: "Privacy & Security" => "Certificates" =>
   "View Certificates"...
8. Choose the "Authorities" tab.
9. Click the "Import..." button.
10. Choose the cert file "self-signed.badssl.crt".

# Actual result:

A "Downloading Certificate" dialog is opened and you can import it as a CA.

# Expected result:

An error message "This is not a certificate authority certificate, so it can’t
be imported into the certificate authority list." is shown, and importing operation is rejected.

Comment 1

6 months ago
Component: Security → Security: PSM

Comment 2

6 months ago
By the way, there is one more difference between Firefox and IE/Edge
regarding such a self-signed cert for server authentication imported as
an enterprise cert. After step 2 (preparing a situation in which the cert
is detected as an enterprise cert), IE (Edge) doesn't report a "bad cert"
error for the website "". On the other hand,
Firefox still shows a cert error for the website and you need to add a
security exception for the site manually to show its contents, even though
the cert was correctly imported from the registry. (I verified that by
logging with "set MOZ_LOG=pipnss:5".)

Initially I got a question from my client company about such an odd difference.
I'm guessing that NSS reports the cert error in this case because the issuer
of the server cert (it equals the self-signed cert itself) doesn't have
a CA flag. I don't know how Firefox should treat such a special case, so
I've filed this bug just about the odd behavior of the certificates manager.
Should I file another bug for the original problem above?


6 months ago
status-firefox-esr60: --- → affected
I agree it's confusing but it doesn't ultimately matter, because Firefox will never build a validated certificate chain to that "root" because, as you said, it's not a valid root. Bug 1431850 should address this in any case by not showing that certificate in the authorities section.
Last Resolved: 6 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1431850
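As an added example, not code from this bug or from Firefox/NSS, the check that both the import rule in the description and the "never builds a validated chain" remark above rest on, written in Go: a certificate belongs in the Authorities list, and can serve as an issuer when a chain is built, only if it asserts basicConstraints CA=TRUE. The names `CAImportCheck` and `selfSigned` are chosen here; both certificates are constructed in memory, one in the shape of the self-signed.badssl.com server cert and one a proper root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CAImportCheck is the rule the report says the cert manager normally enforces
// for the "Authorities" tab, and the rule a chain builder applies to an
// issuer: the certificate must assert basicConstraints CA=TRUE.
func CAImportCheck(cert *x509.Certificate) error {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("%q is not a certificate authority certificate", cert.Subject.CommonName)
	}
	return nil
}

// selfSigned builds a constructed self-signed certificate: a server-auth cert
// with CA=FALSE (the shape of self-signed.badssl.com) or a proper root.
func selfSigned(cn string, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the extension with CA=isCA
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running `CAImportCheck` on the server-auth cert yields the same rejection the reporter expected from the Import dialog; only the constructed root passes.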