
Firefox cannot access root CA certificate distributed with MS Group Policies

Duy_Le_-_Islet_
Participant
0 Kudos

Hi All,

We are implementing SSL for AS ABAP with the certificate signed by Secure Login Server 2.0. After the root CA certificate is exported from the Secure Login Server and distributed to clients using Microsoft Group Policies, the certificate cannot be accessed with Firefox, resulting in the warning about the "invalid security certificate" (The certificate is not trusted because the issuer certificate is unknown). IE and Chrome can access the certificate in the certificate store, so no warning is shown.

According to the requirement:

  • The manual installation of the root CA certificate in the Firefox certificate store on each individual client is not possible
  • No add-on should be installed in the browser, including Firefox Secure Login Security Module Plug-in (downloaded from Secure Login Server)

What are other available options to import the root CA certificate to Firefox browser on many workstations on the same domain?

I would be very grateful for any contribution regarding this issue.

Best regards,

Duy

Accepted Solutions (0)

Answers (1)

former_member185954
Active Contributor
0 Kudos

Hello Duy,

It is an interesting problem, and I was keen to understand why it's happening. I searched on Google and found the following:

IE & Chrome use the Windows OS root certificate store as a valid repository to build the certificate chain and hence when you add a new root certificate via distribution, they are automatically accessible and hence it would work.

Firefox doesn't trust the OS root certificate store, as Firefox assumes that any user with sysadmin privileges may be able to update the Windows root certificate store. So if your system was compromised, a hacker may add a fake root certificate into your OS root certificate store and trick you into believing that the site you are accessing was a legitimate one.

This is documented in the Mozilla thread (scroll to the bottom half).

https://bugzilla.mozilla.org/show_bug.cgi?id=432802

Although it was reported as a bug, the security admins / members / developers of the Mozilla project say that this won't be added to Mozilla in the future either.

So unfortunately, it looks like export of the root certificate store from IE and import into Mozilla may be the only option, or the other option that you suggested.

Regards,

Siddhesh
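
The import into Firefox's own store discussed in this thread can be scripted per profile instead of done by hand. The sketch below is an added example, not part of either post: it reads `profiles.ini`, resolves each profile directory, and builds one NSS `certutil -A` call per profile. The file paths, the nickname and the location of the NSS `certutil` binary are assumptions; the NSS tool is a different program from the Windows built-in `certutil.exe`, so it is called by full path.

```python
import configparser
import subprocess
from pathlib import PureWindowsPath

# Constructed sample of %APPDATA%\Mozilla\Firefox\profiles.ini (not from the thread).
SAMPLE_INI = r"""
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=work
IsRelative=0
Path=D:\FirefoxProfiles\work
"""

def profile_dirs(ini_text, firefox_root):
    """Return the absolute directory of every profile listed in profiles.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    dirs = []
    for name in cp.sections():
        if not name.startswith("Profile") or "Path" not in cp[name]:
            continue  # skip [General], [Install...] and malformed entries
        path = PureWindowsPath(cp[name]["Path"])
        if cp[name].get("IsRelative", "1") == "1":
            path = PureWindowsPath(firefox_root) / path  # relative to the Firefox data dir
        dirs.append(str(path))
    return dirs

def import_commands(dirs, ca_file, nickname, nss_certutil):
    """Build one NSS certutil call per profile; 'C,,' marks a trusted CA for TLS servers."""
    return [[nss_certutil, "-A", "-n", nickname, "-t", "C,,", "-i", ca_file,
             "-d", "sql:" + d] for d in dirs]

def apply(commands):
    for argv in commands:
        subprocess.run(argv, check=True)  # raises if any import fails

if __name__ == "__main__":
    root = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox"  # constructed path
    for argv in import_commands(profile_dirs(SAMPLE_INI, root), r"C:\deploy\rootca.cer",
                                "Internal Root CA", r"C:\deploy\nss\certutil.exe"):
        print(" ".join(argv))  # dry run: show the commands, call apply() to execute
```

Run from a logon script in the user's context, this touches only that user's profiles; the root CA then sits in each profile's `cert9.db`, separate from the Windows store that Group Policy populates.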