How to get the Digicert Root CAs loaded so FireFox trusts it out the box?


I’m running appliance mode which launches FireFox to our internal Netscaler page. Since we updated the certificate, it’s throwing your standard FF error we’d find on a self-signed. We use a public signer (Digicert) so it’s shocking it’s not part of the default installation but that’s ok. I grabbed the Root CA and Intermediate and used UMS to install those files as “SSL Certificate” and applied it to the group, but FF is still throwing a certificate error. Any thoughts on how to get the Digicert root CAs loaded so FF trusts it out the box?


Here you go:

kb.igel.com/igelos-11.04/en/installing-web-browser-certificates-32869944.html


And just in case, I would recommend to use the Classification „Common purpose“ in the upload dialog sent by @member

That will put the certificate in all Certificate stores.


Thanks Guys, and good to see you again Sebastein 🙂. The issue is UMS doesn’t appear to allow me to put certificates in FireFox. I did find that article which was helpful but now the question is how do I do that to 100 endpoints at once


For 100 endpoints, deploying your browser certs with UMS is really the best option. FYI: there’s a recent bugfix (came in with 11.04.245) with webrowser certs which were provided in DER-Format: these could not be included in the browsers’ cert store.


Thanks mate 👍Well, as soon as you uploaded the Certificate (assuming it is BASE64 coded) in that dialog inside of your UMS, you can then assign it like a profile to 1, 100 or …n devices. Hope that covers your question.


I did that, but it’s still not working for some reason. I uploaded the Root and Intermediate in UMS, assigned it to the device folder and rebooted the endpoints. Doing that though it’s still failing. FF in Windows used to have its own cert store and it only recently started reading the OS one. Perhaps Linux still does not read OS installed certs


May I ask you to check, if you edit the Cert itself with a Notepad, does it starts with

Begin Certificate

or

hieroglyphs?


They both start with “BEGIN CERTIFICATE” .. very similar to a CSR. I confirmed the proper root and intermediate are the ones needed to complete this certificate trust chain


Weird, Could you retry to reset the device to factory defaults and retry? Just to avoid some zombie pieces in the Cert DBs?


Sadly the factory reset didn’t work either. I think it’s getting to the device fine but FF isn’t seeing it for one way or another

Wait, it worked! I was sending it as “SSL Certificate” to UMS and not “Web Certificate”. Doing what I was supposed to do and it worked great, go figure


Great!! For future certificate deployments, I would rather use the classification Common Certificate as mentioned above, this covers all SSL stores👍

Continue reading and comment on the thread ‘How to get the Digicert Root CAs loaded so FireFox trusts it out the box?’.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base



Ask a question or comment on the above messasge thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!


Popular Message Threads


Categories & Tags: