Firefox cannot access root CA certificate distributed with MS Group Policies

Hi All,

We are implementing SSL for AS ABAP with the certificate signed by Secure Login Server 2.0. After the root CA certificate is exported from the Secure Login Server and distributed to clients using Microsoft Group Policies, the certificate cannot be accessed with Firefox, resulting in the warning about the "invalid security certificate" (The certificate is not trusted because the issuer certificate is unknown). IE and Chrome can access the certificate in the certificate store, so no warning is shown.

According to the requirement:

  • The manual installation of the root CA certificate in the Firefox certificate store on each individual client is not possible
  • No add-on should be installed in the browser, including Firefox Secure Login Security Module Plug-in (downloaded from Secure Login Server)

What are other available options to import the root CA certificate to Firefox browser on many workstations on the same domain?

I would be very grateful for any contribution regarding this issue.

Best regards,

Duy

1 Answer

  • Posted on Mar 30, 2015 at 11:54 AM

    Hello Duy,

    It is an interesting problem; I was keen to understand why it's happening. I searched on Google and found the following:

    IE & Chrome use the Windows OS root certificate store as a valid repository to build the certificate chain and hence when you add a new root certificate via distribution, they are automatically accessible and hence it would work.

    Firefox doesn't trust the OS root certificate store, as Firefox assumes that any user with sysadmin privileges may be able to update the Windows root certificate store. So if your system was compromised, a hacker may add a fake root certificate into your OS root certificate store and trick you into believing that the site you are accessing was a legitimate one.

    This is documented in the Mozilla thread (scroll to the bottom half).

    https://bugzilla.mozilla.org/show_bug.cgi?id=432802

    Although it was reported as a bug, the security admins / members / developers of the Mozilla project say that this won't be added to Mozilla in the future either.

    So unfortunately, it looks like export of the root certificate store from IE and import into Mozilla may be the only option, or the other option that you suggested.

    Regards,

    Siddhesh
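
The export-and-import route mentioned in the answer can be scripted per user, so nothing is installed by hand and no add-on is needed. The following is an added example, not part of the original question or answer. It assumes the script runs as a user logon script, that the NSS `certutil.exe` tool (a separate download, not shipped with Firefox) is available at the hypothetical path shown, and that the thumbprint placeholder is replaced with the thumbprint of your own root CA.

```powershell
# Added example: per-user logon script (assumed to be deployed by Group Policy).
# Assumptions: NSS certutil.exe is available at $NssCertutil, and
# $RootThumbprint is the thumbprint of the root CA that GPO distributed.
$NssCertutil    = 'C:\Tools\nss\certutil.exe'   # hypothetical path
$RootThumbprint = '<ROOT-CA-THUMBPRINT>'        # placeholder, fill in your own
$Nickname       = 'Corporate Root CA'           # hypothetical nickname

# Select exactly the intended root from the machine store, by thumbprint,
# so that nothing else in the Windows store is copied into Firefox.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint } |
    Select-Object -First 1
if (-not $cert) { Write-Error "Root CA not found in LocalMachine\Root"; exit 1 }

# Write the certificate as DER to a temporary file for certutil -i.
$der = Join-Path $env:TEMP 'corp-root-ca.cer'
[System.IO.File]::WriteAllBytes($der,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    foreach ($p in Get-ChildItem $profiles -Directory) {
        # NSS keeps certificates in cert9.db (sql) or the older cert8.db (dbm).
        if     (Test-Path (Join-Path $p.FullName 'cert9.db')) { $db = "sql:$($p.FullName)" }
        elseif (Test-Path (Join-Path $p.FullName 'cert8.db')) { $db = "dbm:$($p.FullName)" }
        else   { continue }   # no certificate database in this profile yet

        # Skip profiles that already hold the nickname
        # (certutil -L exits non-zero when the nickname is absent).
        & $NssCertutil -L -d $db -n $Nickname *> $null
        if ($LASTEXITCODE -eq 0) { continue }

        # "C,," = trusted as a CA for TLS server certificates only.
        & $NssCertutil -A -d $db -n $Nickname -t 'C,,' -i $der
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed for $($p.Name)" }
    }
}
Remove-Item $der -ErrorAction SilentlyContinue
```

Run it at logon before Firefox is started, and check the result with `certutil -L -d <db>` against one profile.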
