Enterprise root certs option not working in linux
Categories
(Core :: Security: PSM, defect, P1)
People
(Reporter: mozilladev, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15
Steps to reproduce:
I am trying to access sites whose certificates are issued by a local CA, using Firefox version 70 on a RHEL 7 machine. I have added this CA cert to the Linux system certificate store. But I am not able to access the site, and I see a MOZILLA_PKIX_ERROR_MITM_DETECTED error on the web page.
On Windows and Mac, I was able to make it work by setting the option security.enterprise_roots.enabled to true in the preferences file and adding the root cert to the system key store. But it seems this option is not available on Linux.
If I import this certificate manually in the Firefox UI (Preferences -> Certificate Manager -> Authorities and Import), I am able to access the site.
To make this work programmatically, I have created a policies.json file with the following contents and placed it in the distribution folder in the Firefox location.
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["cert.crt", "cert1.pem"]
    }
  }
}
Actual results:
The website is not trusted by the browser.
Expected results:
The website should be accessible, as the root cert for this site should have been trusted by Firefox, either through the ImportEnterpriseRoots option or the certificate location.
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2
Are you using Firefox as built by Mozilla or as re-packaged by RedHat?
Comment 3•4 years ago (Reporter)
I have downloaded and installed Firefox from the Mozilla site. But now I was able to make it work by giving the complete path, instead of copying the cert to the given location and giving the path.
But I still couldn't make it work with the ImportEnterpriseRoots option. On RHEL 7, I have added the root cert to the cert stores in the /etc/pki/ca-trust/extracted/pem location, and I also tried adding it to $HOME/.pki/nssdb/ with the CT,C,C options. But I still see that Firefox is not picking up the newly added root cert. Could you please let me know whether this is a known issue or whether I am adding the cert in the wrong place?
Comment 4
The enterprise roots feature is not available for the Mozilla version of Firefox for Linux (and we have no plans to implement it). You can either use the repackaged RHEL version, which should use the system CA store, or you can import a PKCS#11 module that has the same effect, like p11-kit. See also bug 1505026.
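Added example, not part of the bug thread and not Mozilla's code: a small Python check for the Certificates section of a policies.json on Linux, reflecting what this thread established (ImportEnterpriseRoots is not available in Mozilla's Linux builds, and the reporter only got Install working with complete paths). The function name, the sample documents and the /opt/example path are constructed for illustration.

```python
import json
import os
import posixpath


def lint_certificates_policy(text, is_file=os.path.isfile):
    """Return findings for the Certificates policy of a Linux policies.json."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        # Nothing below can be checked until the file parses.
        return [f"invalid JSON (line {err.lineno}, column {err.colno}): {err.msg}"]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ['missing top-level "policies" object']
    certs = policies.get("Certificates")
    if not isinstance(certs, dict):
        return ['no "Certificates" policy set']
    findings = []
    if certs.get("ImportEnterpriseRoots") is True:
        # Per comment 4: the feature does not exist in Mozilla's Linux builds.
        findings.append("ImportEnterpriseRoots: not available in Mozilla's "
                        "Linux builds; it will not add trust")
    installs = certs.get("Install", [])
    for entry in installs if isinstance(installs, list) else [installs]:
        if not isinstance(entry, str) or not posixpath.isabs(entry):
            # Per comment 3: only a complete path worked for the reporter.
            findings.append(f"Install: {entry!r} is not a complete path")
        elif not is_file(entry):
            findings.append(f"Install: {entry!r} does not exist")
    return findings


# Constructed samples: BROKEN drops the comma between two keys.
BROKEN = ('{"policies": {"Certificates": {"ImportEnterpriseRoots": true '
          '"Install": ["cert.crt"]}}}')
SAMPLE = """{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["cert.crt", "/opt/example/certs/root-ca.pem"]
    }
  }
}"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("SAMPLE", SAMPLE)):
        for finding in lint_certificates_policy(text):
            print(f"{name}: {finding}")
```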