The template "Enterprise" does not exist or has no approved revision.
If your organization uses private certificate authorities (CAs) to issue certificates for your internal servers, browsers such as Firefox might display errors unless you configure them to recognize these private certificates. This should be done early on, so your users won’t have trouble accessing websites.
You can add these CA certificates using one of the following methods.
Using policies to import CA certificates (recommended)
- Setting the ImportEnterpriseRoots key to true will cause Firefox to trust root certificates. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the security.enterprise_roots.enabled preference as described in the Built-in Windows and macOS Support section below.
- The Install key by default will search for certificates in the locations listed below. Starting in Firefox 65, you can specify a fully qualified path (see cert3.der and cert4.pem in this example). If Firefox does not find something at your fully qualified path, it will search the default directories:
- /Library/Application Support/Mozilla/Certificates
- ~/Library/Application Support/Mozilla/Certificates
Using built-in Windows and macOS support
Setting the security.enterprise_roots.enabled preference to true in the about:config page will enable the Windows and macOS enterprise root support.
Windows Enterprise Support
Starting with version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator.
- Type about:config in the address bar and press EnterReturn.
A warning page may appear. Click to go to the about:config page.
- Search for the security.enterprise_roots.enabled preference.
- Click the Toggle button next to this preference to change its value to true.
- Restart Firefox.
Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although they may not appear in Firefox's certificate manager. Administration of these CAs should occur using built-in Windows tools or other third party utilities.
Firefox version 52: Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
macOS Enterprise Support
Starting with Firefox 63, this feature also works for macOS by importing roots found in the macOS system keychain.
Using p11-kit-trust.so on Linux
Certificates can be programmatically imported by using p11-kit-trust.so from p11-kit (note that some distributions, such as Red Hat-based ones, already do this by default by shipping p11-kit-trust.so as libnsscbki.so).
This can be done by setting the SecurityDevices policy in /etc/firefox/policies/policies.json' and adding an entry pointing to p11-kit-trust.sos location in the system, by manually adding it via the “Security Devices” manager in Preferences, or by using the modutil utility.
Preload the Certificate Databases (new profiles only)
Some people create a new profile in Firefox, manually install the certificates they need, and then distribute the various db files (cert9.db, key4.db and secmod.db) into new profiles using this method. This is not the recommended approach, and this method only works for new profiles.
You can use certutil to update the Firefox certificate databases from the command line. Check the Microsoft support site for more information.