Firefox manual cert install no longer works #54

Open
pimterry opened this issue May 7, 2020 · 2 comments
pimterry commented May 7, 2020

I don't have a solution to this, but just FYI, Firefox 76 was released two days ago and removes the certificate install prompt you depend on in openCertificateInFirefox. The FF bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1024871.

Responses with Content-type: application/x-x509-ca-cert now just prompt for download, and don't offer to install the cert at all.

I'm trying to solve this independently for a separate project - if you come up with a nice alternative, I'd love to hear about it!

@Js-Brecht
Contributor

libnss is open source. It would be cool to have bindings for certutil; then that dialog wouldn’t be needed. I’ve been meaning to write some, but it’s been on the back burner for a while. It’s just not a very high priority.

Downsides to that would be added distribution size, and potentially install issues in some cases, so more support needed.

zetlen self-assigned this Jul 13, 2020

@lewisl9029

I encountered the same issue and found this wiki page describing the security.enterprise_roots.enabled option in about:config:

> The ImportEnterpriseRoots key will cause Firefox to trust root certificates that are in the system certificate store as long as the key is set to “true”. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the "security.enterprise_roots.enabled" preference as described in the next section.

From my limited testing so far, it looks like toggling this to true will basically get Firefox to behave the same way as Chrome and read from the system's certificate store, which means we no longer need to treat Firefox like a special snowflake.

Perhaps we can update the library to provide instructions on how to toggle this about:config key? Or even better, maybe we can programmatically set it for them somehow? I haven't looked too deep into it yet but there might be some clues in the docs: https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/A_brief_guide_to_Mozilla_preferences#Modifying_preferences
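One way to set the preference programmatically, as an added example that is not part of the thread or of this project's code: it writes `security.enterprise_roots.enabled` into a profile's `user.js`, the per-profile file described in the Mozilla preferences guide linked above. The function names are hypothetical, the profile directory is assumed to be supplied by the caller, and the demo runs against a constructed temporary directory rather than a real profile.

```javascript
// Added example (not this project's code): persist the enterprise-roots pref in
// user.js so Firefox re-applies it at every startup. Function names are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Matches any existing user_pref("security.enterprise_roots.enabled", ...); line.
const PREF_LINE = /^\s*user_pref\(\s*"security\.enterprise_roots\.enabled"\s*,.*\);\s*$/;

// Pure function: returns user.js content holding exactly one line for the pref.
function withEnterpriseRoots(content, enabled = true) {
  const wanted = `user_pref("security.enterprise_roots.enabled", ${enabled});`;
  const kept = content.split(/\r?\n/).filter((line) => !PREF_LINE.test(line));
  while (kept.length && kept[kept.length - 1].trim() === '') kept.pop();
  return [...kept, wanted, ''].join('\n');
}

// Rewrites <profileDir>/user.js; returns true only if the file changed.
function setEnterpriseRoots(profileDir, enabled = true) {
  if (!fs.statSync(profileDir).isDirectory()) {
    throw new Error(`not a directory: ${profileDir}`);
  }
  const file = path.join(profileDir, 'user.js');
  const before = fs.existsSync(file) ? fs.readFileSync(file, 'utf8') : '';
  const after = withEnterpriseRoots(before, enabled);
  if (after === before) return false;
  // Write a temp file, then rename, so a crash cannot leave a truncated user.js.
  const tmp = `${file}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, after, { mode: 0o600 });
  fs.renameSync(tmp, file);
  return true;
}

// Demo on a constructed throwaway directory with a constructed user.js.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ff-profile-'));
  fs.writeFileSync(path.join(dir, 'user.js'),
    'user_pref("browser.startup.page", 0);\n' +
    'user_pref("security.enterprise_roots.enabled", false);\n');
  const changed = setEnterpriseRoots(dir);
  const again = setEnterpriseRoots(dir); // second run must be a no-op
  const content = fs.readFileSync(path.join(dir, 'user.js'), 'utf8');
  fs.rmSync(dir, { recursive: true, force: true });
  return { changed, again, content };
}

console.log(demo());
```

With the pref on, the profile trusts every root in the system certificate store, not only the development CA, so a dedicated development profile keeps that scope narrow.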

4 participants