Group Policy and Firefox CAs



I am attempting to deploy a CA across our Windows network in my company but I am stuck on an issue with Firefox. I have deployed the policy to the entire domain and dropped the cert file in:

Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

Every browser except for Firefox seems to be taking this. Now, my big question is how do I make this work in Firefox, seeing as Firefox has its own CA store.

Does anyone have any experience in deploying internal CAs to Firefox on an enterprise network?

Our AD server is Server 2008 R2.


The dirty way I've done it is to preconfigure the latest Firefox release on a new profile with your imported CAs, then copy <firefox profile path>\cert8.db to your end users' Firefox default profile location. Firefox should then use this as the base for new profiles. You can also override an existing user's CA store if required. It's not pretty but it's the only cross-platform method I've been able to do across thin client versions.

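The copy step described in the post above, as an added PowerShell example that is not part of the original thread. The function name `Copy-BaselineCertDb`, its parameters and the `C:\Users` profile root are assumptions; existing per-user stores are skipped unless `-Overwrite` is given, and are backed up before being replaced.

```powershell
# Added example, not from the thread. Copy-BaselineCertDb and its parameters are
# hypothetical names; C:\Users is an assumed profile root.
function Copy-BaselineCertDb {
    param(
        [Parameter(Mandatory = $true)][string]$BaselineDb,  # cert8.db from the preconfigured profile
        [string]$UsersRoot = 'C:\Users',
        [switch]$Overwrite                                   # replace stores that already exist
    )
    if (-not (Test-Path -LiteralPath $BaselineDb -PathType Leaf)) {
        throw "Baseline cert8.db not found: $BaselineDb"
    }
    $results = @()
    # @() keeps the loops from running once on $null under PowerShell 2.0.
    $users = @(Get-ChildItem -LiteralPath $UsersRoot | Where-Object { $_.PSIsContainer })
    foreach ($user in $users) {
        $profilesDir = Join-Path $user.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
        if (-not (Test-Path -LiteralPath $profilesDir)) { continue }
        $ffProfiles = @(Get-ChildItem -LiteralPath $profilesDir | Where-Object { $_.PSIsContainer })
        foreach ($ffProfile in $ffProfiles) {
            $target = Join-Path $ffProfile.FullName 'cert8.db'
            $action = 'copied'
            if (Test-Path -LiteralPath $target) {
                if (-not $Overwrite) {
                    # Leave per-user stores alone unless told otherwise: they may
                    # hold certificates that exist nowhere else.
                    $action = 'skipped'
                } else {
                    # Keep the user's previous store next to the new one.
                    Copy-Item -LiteralPath $target -Destination "$target.bak" -Force
                    $action = 'replaced'
                }
            }
            if ($action -ne 'skipped') {
                Copy-Item -LiteralPath $BaselineDb -Destination $target -Force
            }
            $results += New-Object PSObject -Property @{ Profile = $ffProfile.FullName; Action = $action }
        }
    }
    $results   # one object per profile, for logging or review
}

# Default behaviour: only profiles that have no cert8.db yet receive the baseline.
# Copy-BaselineCertDb -BaselineDb '\\fileserver\share\cert8.db'   # placeholder UNC path
```

Run it while Firefox is closed, for example from a startup script, and review the returned list to see which profiles were skipped.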

 

I will take a look at this. Thank you for the resources.

 

The dirty way I've done it is to preconfigure the latest Firefox release on a new profile with your imported CAs, then copy <firefox profile path>\cert8.db to your end users' Firefox default profile location. Firefox should then use this as the base for new profiles. You can also override an existing user's CA store if required. It's not pretty but it's the only cross-platform method I've been able to do across thin client versions.

 

Thanks for the advice. My real issue with this is the inability to do this at a mass scale across 1000 PCs quickly. I could probably bundle it in an MSI! But thank you for the information on cert8.db! That is really helpful!


Most of the GPOs for Firefox don't work with new versions. I'm currently trying the ESR one and so far it's not the perfect solution.

 

What I've done is to copy the prefs.js file (since 99% of the configs are saved in that) into each user's roaming profile, but I can't copy the cert8.db since I have different certs for each user. And that is done only once, by a GPO. Since it's in the roaming profile, even if the machine is gone, all the configs aren't.
