CA:AddRootToFirefox
Revision as of 17:32, 24 April 2017
Installing Certificates Into Firefox
There are lots of organizations that use their own certificate authorities (CAs) to issue certificates for their internal servers. Since Firefox does not use the operating system's certificate store by default, these have to be manually added into Firefox. This page will cover how to get those CAs into Firefox.
Experimental Built-in Windows Support
As of version 49, Firefox can be experimentally configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator. To do so, set the preference "security.enterprise_roots.enabled" to true. In this mode, Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although note that they may not appear in the Firefox certificate manager. It is expected that administration of these CAs (e.g. trust configuration) will occur via built-in Windows tools or other 3rd party utilities. Note also that for such changes to take effect in Firefox either the preference will have to be toggled off and on again or Firefox will have to be restarted. As this feature evolves, this may be handled automatically for ease of use.
As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
Credits
The original content in this wiki page was copied (with permission) from Mike Kaply's Blog.
CCK2
The easiest way to get your CAs into Firefox is to use CCK2. CCK2 allows certificate authorities and server certificates to be installed into the browser. It supports PEM, DER and text. It also allows you to designate certificate overrides (sites where certificate errors are ignored). An override disables certificate validation for the listed host entirely, so limit overrides to specific hostnames and prefer installing the issuing CA wherever you can. Just go to the certificate page and point to either a URL or a local file where the certificate is contained.
- CCK2 is a Firefox Add-On
- CCK2 Support
AutoConfig via JavaScript
If you're using AutoConfig without CCK2, you can still use the API that the CCK2 uses to install certificate authorities. Here's what it looks like to install the cacert.org root certificate:
```javascript
var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
var certdb2 = certdb;
try {
  // Older builds exposed addCertFromBase64 on nsIX509CertDB2; fall back to certdb if that interface is absent.
  certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
} catch (e) {}
var cert = "MIIHPT...zTMVD"; // The certificate content (base64 DER, no PEM header/footer) with no line breaks at all.
certdb2.addCertFromBase64(cert, "C,C,C", "");
```
The trust argument "C,C,C" is an NSS trust string: three comma-separated fields for TLS servers, email (S/MIME) and object signing, where "C" marks the certificate as a trusted CA for that use and an empty field grants no trust. An internal CA that only issues web server certificates therefore needs just "C,,". The third parameter is the name, but it is ignored. If you want to install binary (DER) certificates, things get more complicated because the data has to be base64-encoded first. In that case, I'd definitely recommend the CCK2.
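The snippet above hard-codes one base64 blob. The following is an added example for an AutoConfig script, not code from this wiki page, CCK2 or Mozilla: it strips PEM armor and line breaks before calling addCertFromBase64, builds the trust string from the uses you actually want, and keeps one bad certificate from aborting the whole script (an uncaught exception in autoconfig.cfg makes Firefox report that it failed to read the configuration file). It assumes addCertFromBase64 lives on nsIX509CertDB, as in the revision linked above, and that the PEM text is embedded in the script; the certificate body shown is constructed placeholder data, not a real certificate. Only getCertDb() needs the Firefox AutoConfig context; the rest runs anywhere.

```javascript
// Added example for an AutoConfig script (autoconfig.cfg); not code from this
// wiki page, CCK2 or Mozilla. Assumption: addCertFromBase64 is available on
// nsIX509CertDB. Only getCertDb() requires Firefox; the helpers run anywhere.

// Constructed sample: the base64 body is placeholder data, NOT a real
// certificate. Paste the real PEM of your root CA here.
var SAMPLE_PEM =
  "-----BEGIN CERTIFICATE-----\n" +
  "MIIBxjCCAW8CAQAwDQYJKoZIhvcNAQEF\n" +
  "BQADgYEAc29tZS1jb25zdHJ1Y3RlZA==\n" +
  "-----END CERTIFICATE-----\n";

// addCertFromBase64 wants the bare base64 DER with no armor and no line
// breaks at all, so strip both and reject anything that is not base64.
function pemToBase64(pem) {
  var m = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(pem);
  var b64 = (m ? m[1] : pem).replace(/\s+/g, "");
  if (!b64 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    throw new Error("not a base64 or PEM certificate");
  }
  return b64;
}

// NSS trust string: three comma-separated fields for SSL, email and object
// signing; "C" marks a trusted CA for that use. {ssl: true} yields "C,,",
// which is all an internal web CA needs.
function trustString(uses) {
  return [uses.ssl, uses.email, uses.objsign]
    .map(function (on) { return on ? "C" : ""; })
    .join(",");
}

// Install each PEM through certdb. Failures are collected rather than thrown
// so that one malformed certificate does not abort the AutoConfig script.
function installRoots(certdb, pems, trust) {
  var result = { installed: [], failed: [] };
  pems.forEach(function (pem, i) {
    try {
      var b64 = pemToBase64(pem);
      certdb.addCertFromBase64(b64, trust, ""); // third argument (name) is ignored
      result.installed.push(i);
    } catch (e) {
      result.failed.push({ index: i, error: String(e) });
    }
  });
  return result;
}

// Firefox-only: Components is defined in the AutoConfig context.
function getCertDb() {
  var Cc = Components.classes, Ci = Components.interfaces;
  return Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
}

// Run only inside Firefox; trust the CA for TLS servers alone ("C,,").
if (typeof Components !== "undefined") {
  installRoots(getCertDb(), [SAMPLE_PEM], trustString({ ssl: true }));
}
```

Passing the certdb object into installRoots keeps the parsing and trust logic testable outside Firefox; in the real script you would replace SAMPLE_PEM with the PEM of each root you deploy and leave the trust at "C,," unless the CA also issues S/MIME or code-signing certificates.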
PolicyPak
PolicyPak supports adding certificate authorities to Firefox via Group Policy.
Preload the certificate databases
Some people create a new profile in Firefox, install the certificates they need, and then copy the resulting database files (cert8.db, key3.db and secmod.db) into new profiles with a deployment script. This is not the recommended approach: the files are copied wholesale (key3.db also holds private keys), so the method only works for new profiles and cannot update a profile that already exists.
certutil
If you're a real diehard, you can use certutil (the NSS command-line tool, shipped in the NSS tools package of most Linux distributions) to add, list and remove CAs in a profile's certificate databases from the command line. It takes the same "C,," style trust strings as addCertFromBase64 above.