Windows – How to make Firefox trust system CA certificates

Since Firefox 49 there is some support for Windows CA certificates and support for Active Directory provided enterprise root certificates since Firefox 52. It is also supported in macOS to read from the Keychain since version 63.

Since Firefox 68 this feature is enabled by default in the ESR (enterprise) version, but not in the (standard) rapid release.

You can enable this feature for Windows and macOS in about:config by creating this boolean value:

security.enterprise_roots.enabled

and set it to true.

For GNU/Linux, this is usually managed by p11-kit-trust and no flag is needed.

Deploying the configuration system wide

Since Firefox 64, there is a new and recommended way by using policies, documented at https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

For legacy versions, the Firefox installation folder can be retrieved from Windows registry, then go to defaults\pref\ subdirectory and create a new file with the following:

/* Allows Firefox reading Windows certificates */    
pref("security.enterprise_roots.enabled", true);

Save it with .js extension, e.g. trustwincerts.js and restart Firefox. The entry will appear in about:config for all users.

Deploying Windows Certificates system wide

In Firefox from 49 until 51, it only supports the "Root" store. Since Firefox 52, it supports other stores, including those added from domain via AD.

This is a bit out of scope but explains which was the only certificate store supported by Firefox for versions 49 to 51 or just for local testing. Because this deploys for all local machine users, it requires Administrator privileges in your CMD/PowerShell window or in your own automated deployment script.:

certutil -addstore Root path\to\cafile.pem

This may also be done from the Management Console by clicking a lot of windows if you prefer the mouse way (How to: View Certificates with the MMC Snap-In).