comparison inquiry: osclientcert.autoload and importenterpriseroots


Hoang (US), Victor T

Sep 7, 2021, 6:41:42 PM
to Mozilla.org

Hello everyone,

What is the difference between using security.osclientcerts.autoload and security.enterprise_roots.enabled?

According to the GitHub documentation, here’s what I see:

security.osclientcerts.autoload: If true, client certificates are loaded from the operating system certificate store.

security.enterprise_roots.enabled: Trust certificates that have been added to the operating system certificate store by a user or administrator.

Both seem similar to me, as I use them for the same purpose (accessing certificates in my environment).

I’ve always used osclientcerts, and it allows me to see the certificates in the Firefox browser. But when other people add additional certs into the operating system, the browser doesn’t seem to pick them up (unless done so directly in Firefox). When using security.enterprise_roots.enabled, I find that it will pick up the certs that other people store in the OS and other places; however, none of them show up in the Firefox certificate browser store if you search for them when going into about:preferences#privacy → View Certificates from Firefox. I kind of assume that all the certificates added from the OS and information security teams are enough to function in our environment.

Is there a benefit to using one over the other? Can (or should) they both be used simultaneously?

Thanks all,

Victor Hoang

Mike Kaply

Sep 8, 2021, 9:55:25 AM
to Hoang (US), Victor T, Mozilla.org
My understanding is that security.enterprise_roots.enabled is about things like certificate authorities that are stored in the operating system. security.osclientcerts.autoload was added later and is for things like smart cards.

They definitely can both be used together and do different things.

Mike



--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/6c497341546c4292a5c157949cd9e806%40boeing.com.

Dana Keeler

Sep 8, 2021, 8:16:27 PM
to enter...@mozilla.org
More specifically, security.enterprise_roots.enabled enables Firefox to
use third party TLS server authentication trust anchors ("root
certificates") that have been added to your OS. Due to how it was
implemented, these generally won't show up in the Firefox certificate
manager, but they'll work just the same.

security.osclientcerts.autoload enables Firefox to use TLS client
authentication certificates and keys that are managed by your OS. These
generally should show up in the certificate manager.

These are two different features, so they can be used at the same time,
each for their intended purposes (enterprise roots allows Firefox to
verify web server certificates, while osclientcerts allows Firefox to do
client certificate authentication).

Dana

On 9/8/21 06:55, Mike Kaply wrote:
> My understanding is that security.enterprise_roots.enabled is about
> things like certificate authorities that are stored in the operating
> system. security.osclientcerts.autoload was added later and is for
> things like smart cards.
>
> They definitely can both be used together and do different things.
>
> Mike
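The distinction drawn in the replies above can be checked against a deployment with a small audit script. This is an added example, not code from the thread or from Mozilla; it assumes the `policies.json` layout of Mozilla's policy templates (`Certificates` / `ImportEnterpriseRoots`, and the `Preferences` policy with `Value` and `Status`), that a locked policy value overrides `user.js`, and the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Constructed sample inputs, not taken from the thread.
SAMPLE_POLICIES = json.loads("""{"policies": {
  "Certificates": {"ImportEnterpriseRoots": true},
  "Preferences": {"security.osclientcerts.autoload":
                  {"Value": true, "Status": "locked"}}}}""")
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", false);\n'

ROOTS = "security.enterprise_roots.enabled"   # server trust anchors added to the OS
CLIENT = "security.osclientcerts.autoload"    # client certs and keys managed by the OS
USER_PREF = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def configured(policies, user_js):
    """Return {pref: True/False/None}; None means neither source sets it,
    so the Firefox default for that version and platform applies."""
    state = {ROOTS: None, CLIENT: None}
    locked = set()
    pol = policies.get("policies", {})
    roots = pol.get("Certificates", {}).get("ImportEnterpriseRoots")
    if isinstance(roots, bool):   # assumption: this policy sets and locks the pref
        state[ROOTS] = roots
        locked.add(ROOTS)
    for name, entry in pol.get("Preferences", {}).items():
        if name not in state or not isinstance(entry, dict):
            continue
        value, status = entry.get("Value"), entry.get("Status")
        if isinstance(value, bool) and status == "locked":
            state[name] = value
            locked.add(name)
        elif isinstance(value, bool) and status == "default" and name not in locked:
            state[name] = value   # a default; user.js may still override it
    for name, value in USER_PREF.findall(user_js):
        if name in state and name not in locked:
            state[name] = (value == "true")
    return state

def findings(state):
    """List which of the two independent features is not explicitly enabled."""
    notes = []
    if state[ROOTS] is not True:
        notes.append("enterprise roots not enabled: root CAs added to the OS "
                     "are not configured as trust anchors for server certificates")
    if state[CLIENT] is not True:
        notes.append("osclientcerts not enabled: OS-managed certificates and keys "
                     "are not configured for TLS client authentication")
    return notes
```

A profile that sets only `security.osclientcerts.autoload` produces the first finding, which matches the behaviour described in the original question.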