So, I went down the route of setting up an enterprise CA in my domain so we can enable SSL on our internal web apps. For my test base, I am using XAMPP on Windows with a .local FQDN. I am using Microsoft Active Directory Certificate Services for the CA.
After (many) trials and tribulations, I have a mostly-working example. The web app works in IE, Edge and Chrome; however, it does not work in Firefox.
The Firefox error(s) are:
Warning: Potential Security Risk Ahead
Error code: SEC_ERROR_UNKNOWN_ISSUER
Could not verify this certificate because the issuer is unknown
I have tested this on several workstations with the same results. Firefox is the latest version.
I get no errors when I load the cert in openssl:
openssl x509 -in "C:\xampp\apache\conf\ssl.crt\certname.crt"
I get the two errors below when I run:
openssl s_client -connect server.local:443
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
I have the option of downloading a 'Certificate chain' from my CA, but this comes in .p7b format. Its contents are a single certificate.
When I convert the file to a .crt, or even use the .p7b directly in httpd-xampp.conf, Apache won't start up afterwards. It starts fine without the entry below.
SSLCertificateChainFile "conf/ssl.crt/chain-cert.crt"
Any ideas?
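The two s_client errors (num=20 and num=21) are what a client sees when the server presents only the leaf certificate and the client trusts only the root: the issuing (intermediate) CA is missing from what the server sends. The script below is an added example, not code from the question or from AD CS: it builds a throwaway root -> issuing CA -> server.local chain with the openssl CLI (1.1.1 or 3.x assumed on PATH), reproduces the failure, shows it going away once the intermediate is presented (which is what Apache's SSLCertificateChainFile does), and unpacks a PKCS#7 .p7b into the PEM form Apache needs. All names and paths are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reproduce the s_client verify
# errors with a throwaway root -> issuing CA -> server.local chain, then show
# the fix (present the intermediate) and the .p7b -> PEM conversion.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. All names are made up.

# Build a test PKI in directory $1: root CA, issuing (intermediate) CA, server leaf.
make_test_pki() {
  local d="$1"
  mkdir -p "$d"
  # "x509 -req" signs with no extensions unless told to; a CA cert without
  # CA:TRUE is rejected by modern verifiers, so spell the extensions out.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.local\nextendedKeyUsage=serverAuth\n' >"$d/leaf.ext"

  # Root CA, self-signed. EC keys keep the example fast.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
  openssl req -new -key "$d/root.key" -subj '/CN=Test Root CA' -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Issuing CA, signed by the root. This is the cert clients typically lack.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/inter.key"
  openssl req -new -key "$d/inter.key" -subj '/CN=Test Issuing CA' -out "$d/inter.csr"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null

  # Server leaf for server.local, signed by the issuing CA.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
  openssl req -new -key "$d/leaf.key" -subj '/CN=server.local' -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# A client that trusts only the root and is handed only the leaf: this is the
# "error 20 ... unable to get local issuer certificate" case from s_client.
verify_without_chain() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1; }

# Same client once the intermediate is presented as well (what
# SSLCertificateChainFile makes Apache do): verification succeeds.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

# AD CS hands the chain out as PKCS#7 (.p7b); build one the same way here,
# containing both the issuing CA and the root.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$1/inter.pem" -certfile "$1/root.pem" -out "$1/chain.p7b"
}

# Apache wants PEM, not PKCS#7, so unpack the bundle. Add "-inform DER" if the
# CA gave you a binary .p7b rather than a base64 one.
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# How many certificates a PEM file actually carries (the question's .p7b had one).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Run the whole sequence when executed directly.
demo() {
  local d
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "--- leaf only (what s_client saw):"
  verify_without_chain "$d" || true
  echo "--- leaf + intermediate presented:"
  verify_with_chain "$d"
  make_p7b "$d"
  p7b_to_pem "$d/chain.p7b" "$d/chain.pem"
  echo "--- certificates in chain.pem: $(count_certs "$d/chain.pem") (issuing CA + root)"
}
demo
```

The same check against a live server is `openssl s_client -connect server.local:443 -showcerts`: if only one `BEGIN CERTIFICATE` block comes back, the server is not sending the intermediate, and the fix is on the Apache side, not in the client's trust store.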
Best Answer
According to Mozilla's documentation, as of FF64 the recommended way to install certificates is through an Enterprise Policy. Due to a (currently) open bug, you need to manually install all intermediate certs as well as the root.
You can download Firefox GPO templates from here: https://github.com/mozilla/policy-templates/tree/master/windows
You can individually test by setting "security.enterprise_roots.enabled" preference to true in about:config.
More detailed information can be found here: https://wiki.mozilla.org/CA/AddRootToFirefox
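The GPO templates linked above write the same settings that a file-based policy does, so the shape of the policy is easiest to see as `policies.json`. The fragment below is an added example, not from the answer or from Mozilla's templates: it goes in a `distribution` folder next to `firefox.exe`, `ImportEnterpriseRoots` makes Firefox trust the roots already in the Windows certificate store (the same thing the `security.enterprise_roots.enabled` preference toggles), and `Install` adds the listed certificate files, which is where the intermediate goes. The two file paths are assumptions for illustration.

```json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "C:\\ProgramData\\PKI\\root-ca.crt",
        "C:\\ProgramData\\PKI\\issuing-ca.crt"
      ]
    }
  }
}
```

After restarting Firefox, `about:policies` lists the policies it actually picked up, which is the quickest way to tell a typo in the JSON from a certificate problem.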