How to manage Securly SSL certificate for Firefox?

Follow

Issue: You need to install the Securly SSL certificate via some form of centralized management since Firefox does not use the centralized certificate store for OSX/Windows.

Solution: You can manually install the file with this KB Securly SSL certificate manual install and verification in Firefox or use the below steps to setup a management of the Securly certificate. 

 Add Root Certificates to Firefox

https://wiki.mozilla.org/CA:AddRootToFirefox

Experimental Built-in Windows Support

As of version 49, Firefox can be experimentally configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator. To do so, set the preference "security.enterprise_roots.enabled" to true. In this mode, Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although note that they may not appear in the Firefox's certificate manager. It is expected that administration of these CAs (e.g. trust configuration) will occur via built-in Windows tools or other 3rd party utilities. Note also that for such changes to take effect in Firefox either the preference will have to be toggled off and on again or Firefox will have to be restarted. As this feature evolves, this may be handled automatically for ease of use.

As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

CCK2

The easiest way to get your CAs into Firefox is to use CCK2. CCK2 allows certificate authorities and server certificates to be installed into the browser. It supports PEM, DER and text. It also allows you to designate certificate overrides (sites where certificate errors are ignored). Just go to the certificate page and point to either a URL or a local file where the certificate is contained.

AutoConfig via JavaScript

If you're using AutoConfig without CCK2, you can still use the API that the CCK2 uses to install certificate authorities. Here's what it looks like to install the cacert.org root certificate:

var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
var certdb2 = certdb;
try {
certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
} catch (e) {}
cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
certdb2.addCertFromBase64(cert, "C,C,C", "");

The three Cs mean to trust the certificate for servers, email, and objects. The third parameter is the name, but it is ignored. If you want to install binary certificates, things get more complicated. In that case, I'd definitely recommend the CCK2.

PolicyPak

PolicyPak supports adding certificate authorities to Firefox via Group Policy.

Preload the certificate databases

Some people create a new profile in Firefox, install the certificates they need, and then distribute the various db files (cert8.db, key3.db and secmod.db) into new profiles using this method. This is not the recommended approach, and this method only works for new profiles.

certutil

If you're a real diehard, you can use certutil to update the Firefox certificate databases from the command line.

Have more questions? Submit a request

Comments