Skip to main content

Configuring Firefox to use the Windows Certificate Store

Tom Allen
  • Updated
  • min read

Deploying the Cisco Umbrella Root CA can be difficult for Firefox users, because there is no built-in way to centrally manage Firefox. This article describes how Firefox can be configured to trust certificates in the Windows certificate store. This makes certificate management via group policy much easier in the long run.

The following guidance is provided 'as is' and cannot be directly supported by Umbrella beyond what is outlined below.

 

Use the Windows certificate store

As of FF49, a new option has been included which allows Firefox to trust Root authorities in the Windows certificate store.  This means that certificates can be deployed via group policy as normal and Firefox will trust the same Root authorities that Internet Explorer trusts.  For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1265113

Unfortunately, Mozilla have decided not to turn this feature on by default, so this method still requires some other configuration. To enable this setting the security.enterprise_roots.enabled must be set to true.  For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1314010

To enable this feature on a single computer:

  • In Firefox, type 'about:config' in the address bar
  • If prompted, accept any warnings
  • Right-click to create a new boolean value, and enter 'security.enterprise_roots.enabled' as the Name
  • Set the value to 'true'

To enable this feature on multiple computers you will need to use another method (see below) to lock the preferences in Firefox. The benefit is that once enabled you can easily manage certificates using group policy in future.

 

Locking Firefox preferences

You can use a preferences file to configure the security.enterprise_roots.enabled setting. To do so use the attached files:

  • The 'umbrella.cfg' file must be placed in the root of the Firefox directory. For example:
    C:\Program Files\Mozilla Firefox\umbrella.cfg
  • The 'local-settings.js' file must be placed in the \defaults\pref sub-directory. For example:
    C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js

The contents of local-settings.js should be as follows:

 pref("general.config.obscure_value", 0); 
 pref("general.config.filename", "umbrella.cfg");

The contents of the umbrella.cfg file should be as follows:

 //
 lockPref("security.enterprise_roots.enabled", true);

NOTE:  If creating the above files manually, they must be ANSI encoded.

 

Distributing Firefox preferences files via Group Policy

Group policy can be used to distribute the above files.  Note, this process requires that Firefox is installed to the default location on the client computers.

  1. Add the files 'umbrella.cfg' and and 'local-settings.js' to a network share.  Ensure that the share has read permissions for 'Domain Computers'
  2. Create/Edit a group policy in Group Policy Management
  3. Edit the settings in 'Computer Configuration > Preferences > Windows Settings > Files'
  4. Right-click and select 'New File'
  5. Point the 'Source File' to umbrella.cfg on the Network Share
  6. Point the 'Destination' file to be C:\Program Files\Mozilla Firefox\umbrella.cfg and 'Apply'
  7. Repeat the above step to copy the same file to C:\Program Files (x86)\Mozilla Firefox\umbrella.cfg
  8. Repeat these steps to copy 'local-settings.js' to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
  9. Repeat these steps to copy 'local-settings.js' to C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js

 

Distributing Firefox preferences with the Firefox installer

These files can also be copied by script to the correct location during installation, if you are performing a scripted Firefox installation.  Details on performing a scripted installation of Firefox are here:
https://wiki.mozilla.org/Installer:Command_Line_Arguments

The full offline installer for Firefox is required for a scripted installation.  This is available here:
https://www.mozilla.org/en-US/firefox/all/

 

(Optional) Distributing Firefox settings with CCK2

CCK2 is another popular method to create locked firefox configurations.  CCK2 is a Firefox add-on with a GUI which allows you to set many different Firefox preferences:
https://mike.kaply.com/cck2/

CCK2 will produce AutoConfig settings which can be extracted into the Firefox installation directory.
Optionally, CCK2 can also export these settings as a Firefox extension that can be distributed to users.

 

 

Was this article helpful?

3 out of 3 found this helpful
Have more questions? Submit a request

Related articles