You would need to install Securly’s SSL certificate in Firefox to allow users to seamlessly browse HTTPS sites, and also help Securly decrypt them appropriately.
Deploying the Securly SSL Decryption Certificate to Firefox can be difficult because Firefox does not respect the Operating System settings and there is no native way to centrally manage Firefox. This article describes how Firefox can be configured to trust the Windows certificate store which makes certificate management much easier.
Note that the following guidance is provided 'as is' and cannot be directly supported by Securly beyond what is outlined in this article.
Use the Windows Certificate Store
With Firefox 49 a new option has been included which allows Firefox to trust the Windows certificate store. This means certificates can be deployed normally via group policy and Firefox will trust the same Root authorities that Internet Explorer and Edge trusts. For more details visit https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
Unfortunately, this feature is not enabled by default, so this method still requires some additional configuration. To enable this setting the security.enterprise_roots.enabled must be set to true. For more details visit https://bugzilla.mozilla.org/show_bug.cgi?id=1314010
Enable feature on a single computer
- Type 'about:config' in the address bar of your Firefox browser
- If prompted, accept any warnings
- Right-click to create a new boolean value, and enter 'security.enterprise_roots.enabled' as the Name
- Set the value to 'true'
To enable this feature on multiple computers you will need to use the method below which will also lock the preferences in Firefox. The benefit is that once enabled you can easily manage certificates using group policy in the future.
Locking Firefox Preferences with Group Policy
You can use a preferences file to configure the security.enterprise_roots.enabled setting. To do so use the files attached at the end of this article.
- The 'securly.cfg' file must be placed in the root of the Firefox directory. For example:
C:\Program Files\Mozilla Firefox\securly.cfg
- The 'local-settings.js' file must be placed in the \defaults\pref sub-directory. For example:
C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
- The local-settings.js file should look exactly like the snippet below:
- The securly.cfg file should look exactly like the snippet below:
Note that if you are creating the above files manually, then they must be ANSI encoded.
Distributing Firefox Preferences Files via Group Policy
Group policy can be used to distribute the above files.
Note that this process requires that Firefox is installed to the default location on the client computers.
- Add the files ‘securly.cfg' and and 'local-settings.js' to a network share. Ensure that the share has read permissions for 'Domain Computers'.
- Create/Edit a group policy in Group Policy Management
- Edit the settings in 'Computer Configuration > Preferences > Windows Settings > Files'
- Right-click and select 'New File'
- Point the 'Source File' to securly.cfg on the Network Share
- Point the 'Destination' file to be C:\Program Files\Mozilla Firefox\securly.cfg and 'Apply'
- Repeat the above step to copy the same file to C:\Program Files (x86)\Mozilla Firefox\securly.cfg
- Repeat these steps to copy 'local-settings.js' to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
- Repeat these steps to copy 'local-settings.js' to C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js
Enabling Firefox preferences on MAC
Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.