Yesterday, David Keeler, a Mozilla engineer, announced that Mozilla will be changing the way Firefox on Windows handles root certificates.
Only a few of the browser’s users know about the browser’s certificate store, the place where the browser stores the digital certificates that are used in the process of establishing encrypted and secure communications.
On Windows, Firefox keeps its own certificate store, separate from the Windows certificate store, which Microsoft uses for Internet Explorer and Edge (and which is also used by applications installed on the PC).
Since Firefox uses only its own certificate store on Windows, it does not draw information from the Windows certificate database. This leads to situations in some enterprise environments where Firefox users are not able to connect to some websites, while users of other browsers are.
This usually occurs with managed enterprise networks, where the system administrators install root certificates on their Windows PCs in order to access the private networks and applications.
When a user tries to access a website that uses a private root certificate, they won’t be able to authenticate and gain access, because Firefox does not trust the certificate and blocks the connection.
All of this is now going to change, as Keeler says that starting with the latest Firefox 49, the browser will check the underlying Windows certificate store for root certificates in case it encounters unknown certificate authorities (CAs).
Firefox won’t automatically trust all the root certificates that it finds in the Windows certificate store; it will only allow the certificate authorities that are authorized to issue TLS web server certificates.
To use this new feature, users have to type “about:config” in their address bar to access a special Firefox settings page. There they have to search for “security.enterprise_roots.enabled” and double-click it to activate it.
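Because this preference extends Firefox's trust to roots installed in the Windows store, an administrator may want to know which profiles have it switched on. The following is an added example, not code from Mozilla or from the announcement: it reads the preference from a profile's `prefs.js` and `user.js` files, assuming the usual `user_pref("name", value);` line format and a profiles directory such as `%APPDATA%\Mozilla\Firefox\Profiles`; the function names and sample contents are constructed for illustration.

```python
import re
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# Firefox pref files hold lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last boolean assigned to `name` in a prefs file, or None if absent."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name and m.group(2) in ("true", "false"):
            value = m.group(2) == "true"
    return value

def effective(prefs_js, user_js=""):
    """user.js is applied on top of prefs.js at startup; unset means off."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return False

def _read(path):
    # Missing files are treated as empty so a fresh profile reads as "off".
    return path.read_text(errors="replace") if path.is_file() else ""

def audit(profiles_dir):
    """Map each profile directory name to whether Windows roots are enabled in it."""
    result = {}
    for profile in sorted(Path(profiles_dir).iterdir()):
        if profile.is_dir():
            result[profile.name] = effective(_read(profile / "prefs.js"),
                                             _read(profile / "user.js"))
    return result

# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", true);
'''
SAMPLE_USER = 'user_pref("security.enterprise_roots.enabled", false);\n'

if __name__ == "__main__":
    print(effective(SAMPLE_PREFS))               # value taken from prefs.js
    print(effective(SAMPLE_PREFS, SAMPLE_USER))  # user.js takes precedence
```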