I recently researched certificates in Windows.
I tried two different ways to install a certificate:
1. Use the certutil command to install, e.g.: certutil -addstore -f "ROOT" rootCA.pem
2. Use the Microsoft API to install:
#include <windows.h>
#include <wincrypt.h>
/* rootCACert / rootCACertLen: the DER-encoded certificate bytes and their length (names assumed) */
HCERTSTORE certStore = CertOpenSystemStore(NULL, "ROOT");  /* opens the current-user ROOT store */
if (certStore != NULL) {
    CertAddEncodedCertificateToStore(
        certStore,
        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
        rootCACert,
        rootCACertLen,
        CERT_STORE_ADD_REPLACE_EXISTING,
        NULL
    );
    CertCloseStore(certStore, 0);
}
After installing, I used certmgr.msc to check that it succeeded.
And Firefox's security.enterprise_roots.enabled is set to true.
But I found a strange situation:
Firefox only trusts the certificate that certutil installed.
Can somebody tell me why?
Thanks in advance!
According to the Mozilla Wiki there are differences between versions:
As of version 49, ... Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE)
and
As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
So it would be nice to know which version you use.
To answer your question: as the flags of the stores searched are named in the wiki, it seems you are using the wrong store in your API solution. Have a look at the function CertOpenStore instead of CertOpenSystemStore. This allows you to pass e.g. CERT_SYSTEM_STORE_LOCAL_MACHINE as dwFlags to open the store Mozilla searches.
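As an added illustration (not part of the question or the answer), the following PowerShell installs the certificate into the LocalMachine ROOT store, which is the store behind the CERT_SYSTEM_STORE_LOCAL_MACHINE flag, and then checks the registry locations quoted from the wiki to confirm the certificate is where Firefox looks. It assumes rootCA.pem is in the current directory and the session is elevated.

```powershell
# Added example; assumes .\rootCA.pem (PEM or DER) and an elevated session.
$CertPath = ".\rootCA.pem"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# StoreLocation.LocalMachine opens the same store as CertOpenStore with
# CERT_SYSTEM_STORE_LOCAL_MACHINE; a CurrentUser store would not be inspected by Firefox.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Registry-backed stores name each entry by the certificate's SHA-1 thumbprint.
# The first three paths are the ones the wiki says Firefox 49/52+ inspects;
# the HKCU path is where a current-user ROOT store write lands, which Firefox skips.
$thumb = $cert.Thumbprint
$locations = @(
    "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$thumb",
    "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb",
    "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$thumb",
    "HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$thumb"
)
foreach ($loc in $locations) {
    $found = Test-Path -LiteralPath $loc
    "{0,-5} {1}" -f $found, $loc
}
```

Run the check again after installing with the original CertOpenSystemStore code: only the HKCU line reports True, which is why Firefox ignores that copy even with security.enterprise_roots.enabled set.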