New certificate handling procedure coming in Firefox 49

Sep 3, 2016 02:15 GMT

Mozilla will change the way Firefox on Windows handles root certificates, Mozilla engineer David Keeler announced yesterday.

Few Firefox users know about the browser's certificate store, a place where the browser stores digital certificates used in the process of establishing encrypted communications.

On Windows, Firefox keeps its own certificate store, separate from the Windows certificate store that Microsoft uses for Internet Explorer and Edge and that other applications installed on the PC also use.

Connectivity problems exist for Firefox users in enterprise networks

Because Firefox on Windows uses only its own certificate store and does not consult the Windows certificate store, in some enterprise environments Firefox users cannot connect to websites that users of other browsers can reach.

This usually occurs in managed enterprise networks, where system administrators install root certificates on Windows PCs in order to access private networks and applications.

A Firefox user trying to access a website that uses that private root certificate won't be able to authenticate and gain access because Firefox will not know or trust the certificate, effectively blocking the user.

New root certificate handling policy coming in Firefox 49

All of this is going to change: Keeler says that, starting with Firefox 49, the browser will check the underlying Windows certificate store for root certificates when it encounters unknown certificate authorities (CAs).

Firefox won't automatically trust every root certificate it finds in the Windows certificate store, only those from certificate authorities authorized to issue TLS web server certificates.

To use this new feature, users need to type "about:config" in their address bar to access a special Firefox settings page. Here they have to search for "security.enterprise_roots.enabled" and double-click it to activate it.

Keeler says that users won't be able to manage all certificates from the Firefox certificate store. If they want to remove a certificate so that HTTPS connections to bad sites are no longer trusted, and they don't find the rogue certificate in Firefox's settings, they'll have to look for it in the Windows certificate store. He adds this may change, and Firefox may automatically import the Windows root certificates in a future version.
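An added example, not code from Mozilla or the original article: a Python audit script for the point above that, once the preference is on, rogue roots have to be found in the Windows store. It assumes that the per-certificate trust purposes Windows reports (as returned by `ssl.enum_certificates`) approximate Firefox's "authorized to issue TLS web server certificates" filter; the function names, sample entries and baseline list are constructed for illustration.

```python
import hashlib
import ssl
import sys

# id-kp-serverAuth: the EKU OID for TLS web server authentication.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"

# Constructed stand-ins for DER certificates (not real certificates), in the
# (cert_bytes, encoding_type, trust) shape that ssl.enum_certificates() returns.
SAMPLE_STORE = [
    (b"constructed-corp-root", "x509_asn", True),
    (b"constructed-proxy-root", "x509_asn", {SERVER_AUTH_OID}),
    (b"constructed-codesign-root", "x509_asn", {CODE_SIGNING_OID}),
    (b"constructed-pkcs7-bundle", "pkcs_7_asn", True),
]


def tls_server_roots(entries):
    """Return {sha256_hex: scope} for roots Windows trusts for TLS server auth."""
    roots = {}
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # PKCS#7 bundles are not single certificates
        if trust is True:
            scope = "all purposes"  # Windows applies no purpose restriction
        elif isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust:
            scope = "serverAuth"
        else:
            continue  # e.g. code-signing-only roots
        roots[hashlib.sha256(der).hexdigest()] = scope
    return roots


def unexpected_roots(entries, approved_sha256):
    """Fingerprints eligible for TLS trust that are missing from the baseline."""
    approved = {fp.lower().replace(":", "") for fp in approved_sha256}
    return sorted(fp for fp in tls_server_roots(entries) if fp not in approved)


if __name__ == "__main__":
    # On Windows, read the real ROOT store; elsewhere fall back to the sample.
    store = ssl.enum_certificates("ROOT") if sys.platform == "win32" else SAMPLE_STORE
    baseline = sys.argv[1:]  # approved SHA-256 fingerprints, passed as arguments
    for fingerprint in unexpected_roots(store, baseline):
        print("not in baseline:", fingerprint)
```

Run it on a managed PC with the approved root fingerprints as arguments; anything it prints is a root that the Windows store marks as usable for TLS servers but that is not in the baseline.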

Mozilla is set to release Firefox 49 on September 13. Below is a screenshot of Firefox's certificate store on Windows.

Firefox settings section for handling root certificates