[enterprise roots] trust system roots on linux
Categories
(Core :: Security: PSM, enhancement, P5)
People
(Reporter: adam.kaplan, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
- Added my company's trusted certificates to my host (Fedora 32 Silverblue):
a. Copy corporate cert to /etc/pki/ca-trust/source/anchors
b. Run update-ca-trust extract
- Install flatpak Firefox from flathub:
$ flatpak install flathub org.mozilla.firefox
- Remove the default version of Firefox that ships with Fedora Silverblue:
$ rpm-ostree override remove firefox
- Reboot computer (to remove Fedora's version of Firefox)
- Open Firefox and visit a website which uses the self-signed company certificate as the root CA.
Actual results:
Firefox reports that the website is untrusted:
Error code: SEC_ERROR_UNKNOWN_ISSUER
Message: Peer’s Certificate issuer is not recognized.
Expected results:
Website should be trusted because the root CA certificate is trusted by the host system.
Comment 1•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•4 years ago
Firefox does not trust system roots by default. On Windows and macOS, you can enable the enterprise roots feature to make Firefox trust the system roots. On various flavors of Linux, we don't have a way to do this yet. In the meantime, you can either import your root into your Firefox profile or use the Fedora repackaged version of Firefox, which, as I understand, has modifications to trust the system roots.
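
The profile import that Comment 2 names as a workaround, as an added example that is not part of the bug report or of Mozilla's code. It assumes certutil from nss-tools is installed and that the Flatpak build keeps its profiles under ~/.var/app/org.mozilla.firefox/.mozilla/firefox; the function names, nickname and file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): import a corporate root CA into the
# NSS database of each Firefox profile, the workaround named in Comment 2.
# Assumptions: certutil (nss-tools) is installed; the Flatpak profile root and
# the nickname passed in are illustrative, adjust them to your environment.

PROFILE_ROOT="${PROFILE_ROOT:-$HOME/.var/app/org.mozilla.firefox/.mozilla/firefox}"

# Print each directory under root ($1) that contains an NSS cert9.db.
list_profiles() {
    for db in "$1"/*/cert9.db; do
        if [ -f "$db" ]; then dirname "$db"; fi
    done
}

# import_root CERT NICKNAME [ROOT]
# Returns 2 if CERT is unreadable, 3 if no profile was found, 1 if certutil fails.
# With DRY_RUN set, prints the target profiles without touching any database.
import_root() {
    cert="$1"; nick="$2"; root="${3:-$PROFILE_ROOT}"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    profiles=$(list_profiles "$root")
    [ -n "$profiles" ] || { echo "no cert9.db under $root" >&2; return 3; }
    echo "$profiles" | while IFS= read -r p; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would import $cert into $p"
        else
            # "C,," trusts the CA for TLS server certificates only,
            # not for e-mail or code signing.
            certutil -A -d "sql:$p" -n "$nick" -t "C,," -i "$cert" || exit 1
            # Look the entry up again so a failed import is not silent.
            certutil -L -d "sql:$p" -n "$nick" >/dev/null || exit 1
        fi
    done
}

# Example call (placeholder file name), followed by a Firefox restart:
#   import_root /etc/pki/ca-trust/source/anchors/corp-root.pem "Corp Root"
```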