Firefox doesn't use the Windows certificate store by default, and there is no built-in way to centrally manage Firefox. This article describes how you can configure Firefox to trust certificates in the Windows certificate store.
It may be possible to configure Firefox to use the Windows certificate store. Follow Cisco Umbrella's guidance here: Configuring Firefox to use the Windows Certificate Store
We have copied and changed that article a bit to suit Smoothwall purposes below. The following guidance is provided 'as is' and cannot be directly supported by Smoothwall beyond what is outlined below.
Use the Windows certificate store
As of Firefox 49, a new option has been included which allows Firefox to trust root authorities in the Windows certificate store. This means that certificates can be deployed via group policy as normal and Firefox will trust the same root authorities that Internet Explorer trusts. For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
Unfortunately, Mozilla have decided not to turn this feature on by default, so this method still requires some other configuration.
To enable this feature, the security.enterprise_roots.enabled preference must be set to true. For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1314010
To enable this feature on a single computer:
- In Firefox, in the address bar, type about:config.
- If prompted, accept any warnings.
- Right-click to create a new Boolean value, and for the name enter security.enterprise_roots.enabled.
- Set the value to true.
To enable this feature on multiple computers, you will need to use another method (see below) to lock the preferences in Firefox. The benefit is that, once enabled, you can easily manage certificates using group policy in future.
Locking Firefox preferences
You can use a preferences file to configure the security.enterprise_roots.enabled setting. To do so use the attached files:
- A 'smoothwall.cfg' file must be placed in the root of the Firefox directory. For example:
C:\Program Files\Mozilla Firefox\smoothwall.cfg
- The 'local-settings.js' file must be placed in the \defaults\pref sub-directory. For example:
C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
The contents of local-settings.js should be as follows:
pref("general.config.obscure_value", 0);
pref("general.config.filename", "smoothwall.cfg");
The contents of the smoothwall.cfg file should be as follows. The first line must be a comment on its own, because Firefox ignores the first line of this file:
//
lockPref("security.enterprise_roots.enabled", true);
Note: If you are creating the above files manually, they must be ANSI encoded.
Distributing Firefox preferences files via Group Policy
Group policy can be used to distribute the above files. Note: this process requires that Firefox is installed to the default location on the client computers.
- Add the files smoothwall.cfg and local-settings.js to a network share. Ensure that the share has read permissions for Domain Computers.
- Create/Edit a group policy in Group Policy Management.
- Edit the settings in Computer Configuration > Preferences > Windows Settings > Files.
- Right-click and select New File.
- Point the Source File to smoothwall.cfg on the Network Share.
- Point the Destination file to be C:\Program Files\Mozilla Firefox\smoothwall.cfg and Apply.
- Repeat the above step to copy the same file to C:\Program Files (x86)\Mozilla Firefox\smoothwall.cfg.
- Repeat these steps to copy 'local-settings.js' to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js.
- Repeat these steps to copy 'local-settings.js' to C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js.
Distributing Firefox preferences with the Firefox installer
These files can also be copied by script to the correct location during installation, if you are performing a scripted Firefox installation. Details on performing a scripted installation of Firefox are here:
https://wiki.mozilla.org/Installer:Command_Line_Arguments
The full offline installer for Firefox is required for a scripted installation. This is available here:
https://www.mozilla.org/en-US/firefox/all/
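A scripted installation can write both files itself instead of copying them from a share. The PowerShell below is an added example, not part of the original article or any Smoothwall tooling; it assumes it runs elevated after the Firefox installer has finished and that Firefox is in the default location.

```powershell
# Added example: write the article's two AutoConfig files into every default
# Firefox install directory that exists. Run elevated, after Firefox is installed.
$ErrorActionPreference = 'Stop'

# File contents as given in the article. Line 1 of the .cfg is a bare comment.
$cfgLines  = @('//', 'lockPref("security.enterprise_roots.enabled", true);')
$prefLines = @(
    'pref("general.config.obscure_value", 0);',
    'pref("general.config.filename", "smoothwall.cfg");'
)

# Default install roots; ProgramW6432 covers a 32-bit shell on 64-bit Windows.
$installDirs = @($env:ProgramW6432, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'Mozilla Firefox' }

function Write-PrefFile {
    param([string]$Path, [string[]]$Lines)
    # ASCII output has no byte-order mark and is valid ANSI for these contents.
    [System.IO.File]::WriteAllLines($Path, $Lines, [System.Text.Encoding]::ASCII)
}

foreach ($dir in $installDirs) {
    if (-not (Test-Path -LiteralPath (Join-Path $dir 'firefox.exe'))) {
        Write-Output "Skipped: no firefox.exe in $dir"
        continue
    }
    $prefDir = Join-Path $dir 'defaults\pref'
    New-Item -ItemType Directory -Path $prefDir -Force | Out-Null

    $cfgPath = Join-Path $dir 'smoothwall.cfg'
    Write-PrefFile -Path $cfgPath -Lines $cfgLines
    Write-PrefFile -Path (Join-Path $prefDir 'local-settings.js') -Lines $prefLines

    # Read back: the lockPref call must be on its own line, not the comment line.
    $written = [System.IO.File]::ReadAllLines($cfgPath)
    if ($written.Count -lt 2 -or $written[1] -notlike 'lockPref(*') {
        throw "Unexpected contents in $cfgPath"
    }
    Write-Output "Configured: $dir"
}
```

After the next Firefox start, about:config should show security.enterprise_roots.enabled as locked with the value true.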
(Optional) Distributing Firefox settings with CCK2
CCK2 is another popular method to create locked Firefox configurations. CCK2 is a Firefox add-on with a GUI which allows you to set many different Firefox preferences:
https://mike.kaply.com/cck2/
CCK2 will produce AutoConfig settings which can be extracted into the Firefox installation directory.
Optionally, CCK2 can also export these settings as a Firefox extension that can be distributed to users.