How to get the Digicert Root CAs loaded so FireFox trusts it out the box?

I’m running appliance mode which launches FireFox to our internal Netscaler page. Since we updated the certificate, it’s throwing your standard FF error we’d find on a self-signed. We use a public signer (Digicert) so it’s shocking it’s not part of the default installation but that’s ok. I grabbed the Root CA and Intermediate and used UMS to install those files as “SSL Certificate” and applied it to the group, but FF is still throwing a certificate error. Any thoughts on how to get the Digicert root CAs loaded so FF trusts it out the box?

Learn more, read the entire thread inside the IGEL Community o Slack

Here you go:

And just in case, I would recommend to use the Classification „Common purpose“ in the upload dialog sent by @member

That will put the certificate in all Certificate stores.

Thanks Guys, and good to see you again Sebastein 🙂. The issue is UMS doesn’t appear to allow me to put certificates in FireFox. I did find that article which was helpful but now the question is how do I do that to 100 endpoints at once

For 100 endpoints, deploying your browser certs with UMS is really the best option. FYI: there’s a recent bugfix (came in with 11.04.245) with webrowser certs which were provided in DER-Format: these could not be included in the browsers’ cert store.

Thanks mate 👍Well, as soon as you uploaded the Certificate (assuming it is BASE64 coded) in that dialog inside of your UMS, you can then assign it like a profile to 1, 100 or …n devices. Hope that covers your question.

I did that, but it’s still not working for some reason. I uploaded the Root and Intermediate in UMS, assigned it to the device folder and rebooted the endpoints. Doing that though it’s still failing. FF in Windows used to have its own cert store and it only recently started reading the OS one. Perhaps Linux still does not read OS installed certs

May I ask you to check, if you edit the Cert itself with a Notepad, does it starts with

Begin Certificate



They both start with “BEGIN CERTIFICATE” .. very similar to a CSR. I confirmed the proper root and intermediate are the ones needed to complete this certificate trust chain

Weird, Could you retry to reset the device to factory defaults and retry? Just to avoid some zombie pieces in the Cert DBs?

Sadly the factory reset didn’t work either. I think it’s getting to the device fine but FF isn’t seeing it for one way or another

Wait, it worked! I was sending it as “SSL Certificate” to UMS and not “Web Certificate”. Doing what I was supposed to do and it worked great, go figure

Great!! For future certificate deployments, I would rather use the classification Common Certificate as mentioned above, this covers all SSL stores👍

Continue reading and comment on the thread ‘How to get the Digicert Root CAs loaded so FireFox trusts it out the box?’.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base

Ask a question or comment on the above message thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!

Popular Message Threads

Categories & Tags: