Deploy the Default CA on Firefox Using Group Policy Objects (GPOs)

By default, Active Directory GPO deployment of certificates does not work for Firefox users, because Firefox uses its own certificate stores. Starting with Firefox version 49, a new option allows Firefox to trust root authorities in the Windows Certificate Store. However, the option is disabled by default. You must enable it before Firefox can trust root authorities in the Windows Certificate Store.

Procedure

  1. Create files that will mandate that Firefox use the Windows Certificate Store so that Deep Discovery Web Inspector certificates can be deployed for Firefox using GPOs.
    1. Create a configuration file named ddwi.cfg.
      The ddwi.cfg file must be placed in the root of the Firefox directory.
      C:\Program Files\Mozilla Firefox\ddwi.cfg
    2. Add the following to the ddwi.cfg file.
      //
      lockPref("security.enterprise_roots.enabled", true);
      Note: The files must be ANSI encoded. Do not omit the // on the first line.
    3. Place
    4. Create the file local-settings.js.
      The local-settings.js file must be placed in the \defaults\pref sub-directory.
      C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
    5. Add the following to the local-settings.js file.
      pref("general.config.obscure_value", 0);
      pref("general.config.filename", "ddwi.cfg");
  2. Distribute the Firefox preference files using a Group Policy Object.
    Note: This process requires that Firefox be installed to the default location on the client computers.
    1. Add the files ddwi.cfg and local-settings.js to a network share. Ensure that the share has read permissions for 'Domain Computers'.
    2. Create or edit a group policy using the Active Directory Group Policy Management console.
    3. Edit the settings in Computer Configuration > Preferences > Windows Settings > Files.
    4. Right-click and select New File.
    5. For Source File, select ddwi.cfg on the Network Share.
    6. Set the Destination file to C:\Program Files\Mozilla Firefox\ddwi.cfg and then click Apply.
    7. Repeat the above step to copy the same file to C:\Program Files (x86)\Mozilla Firefox\ddwi.cfg.
    8. Repeat these steps to copy local-settings.js to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js.
    9. Repeat these steps to copy local-settings.js to C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js.
  3. Force Firefox to use the Windows Certificate Store by manually enabling the feature on the Firefox clients.
    1. In Firefox, type about:config in the address bar.
    2. If prompted, accept any warnings.
    3. Search for security.enterprise_roots.enabled and set the value to true.
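
The following PowerShell check can be run on a client after the GPO has applied to confirm that the two preference files from this procedure are in place, carry the expected settings, and were not saved with a byte-order mark. It is an added example, not part of the product documentation. The function name Test-FirefoxEnterpriseRoots is hypothetical, and using firefox.exe to detect an installation and a BOM test to detect non-ANSI encoding are assumptions of this example.

```powershell
# Added example: audit the AutoConfig files from this procedure on one client.
function Test-FirefoxEnterpriseRoots {
    param(
        # Default install locations used in the GPO steps on this page.
        [string[]]$InstallRoots = @(
            'C:\Program Files\Mozilla Firefox',
            'C:\Program Files (x86)\Mozilla Firefox'
        )
    )
    # Relative file path -> patterns that must appear in it (settings from this page).
    $required = [ordered]@{
        'ddwi.cfg' = @('^\s*lockPref\("security\.enterprise_roots\.enabled",\s*true\);')
        'defaults\pref\local-settings.js' = @(
            '^\s*pref\("general\.config\.obscure_value",\s*0\);',
            '^\s*pref\("general\.config\.filename",\s*"ddwi\.cfg"\);'
        )
    }
    foreach ($root in $InstallRoots) {
        # Assumption: firefox.exe in the folder means Firefox is installed there.
        if (-not (Test-Path -LiteralPath (Join-Path $root 'firefox.exe'))) { continue }
        $problems = @()
        foreach ($rel in $required.Keys) {
            $path = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $path)) { $problems += "missing: $rel"; continue }
            # A UTF-8 or UTF-16 byte-order mark means the file was not saved as ANSI.
            $b = [System.IO.File]::ReadAllBytes($path)
            $hex = if ($b.Length -ge 2) { '{0:X2}{1:X2}' -f $b[0], $b[1] } else { '' }
            if ($hex -in 'EFBB', 'FFFE', 'FEFF') { $problems += "not ANSI (BOM present): $rel" }
            $lines = @(Get-Content -LiteralPath $path)
            # Firefox skips the first line of the .cfg file, so it must be the // comment.
            if ($rel -eq 'ddwi.cfg' -and $lines[0] -notmatch '^\s*//') {
                $problems += 'ddwi.cfg: first line is not //'
            }
            foreach ($pattern in $required[$rel]) {
                if (-not ($lines -match $pattern)) { $problems += "$rel lacks a line matching: $pattern" }
            }
        }
        # One result object per Firefox installation found.
        [pscustomobject]@{
            Root      = $root
            Compliant = ($problems.Count -eq 0)
            Problems  = $problems -join '; '
        }
    }
}

Test-FirefoxEnterpriseRoots | Format-List
```

No output means Firefox was not found in either default location, which matches the note above that the GPO file copy only works for default installs.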