Introduction
This document describes how to configure Firefox for deployment of the Umbrella Root CA.
Overview
Deploying the Cisco Umbrella Root CA can be difficult for Firefox users, because there is no built-in way to centrally manage Firefox. This article describes how Firefox can be configured to trust certificates in the Windows certificate store. This makes certificate management via group policy much easier in the long run.
This guidance is provided 'as is' and cannot be directly supported by Umbrella beyond what is outlined below.
Use the Windows certificate store
As of Firefox 49, a new option allows Firefox to trust root authorities in the Windows certificate store. This means that certificates can be deployed via group policy as normal, and Firefox trusts the same root authorities that Internet Explorer trusts. For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
Unfortunately, Mozilla has decided not to turn this feature on by default, so this method still requires some other configuration. To enable this feature, the security.enterprise_roots.enabled preference must be set to true. For more details see here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1314010
To enable this feature on a single computer:
- In Firefox, type about:config in the address bar
- If prompted, accept any warnings
- Right-click to create a new boolean value, and enter security.enterprise_roots.enabled as the Name
- Set the value to true
To enable this feature on multiple computers you need to use another method to lock the preferences in Firefox. The benefit is that once enabled you can easily manage certificates using group policy in future.
Locking Firefox preferences
You can use a preferences file to configure the security.enterprise_roots.enabled setting. To do so use the attached files:
- The umbrella.cfg file must be placed in the root of the Firefox directory. For example:
C:\Program Files\Mozilla Firefox\umbrella.cfg
- The local-settings.js file must be placed in the \defaults\pref sub-directory. For example:
C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
The contents of local-settings.js must be as follows:
pref("general.config.obscure_value", 0);
pref("general.config.filename", "umbrella.cfg");
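The contents of the umbrella.cfg file must be as follows. Firefox ignores the first line of this file, so the first line is a bare comment and the lockPref statement goes on the second line:
//
lockPref("security.enterprise_roots.enabled", true);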
Note: If creating the files manually, they must be ANSI encoded.
Distributing Firefox preferences files via Group Policy
Group policy can be used to distribute the files.
Note: This process requires that Firefox is installed to the default location on the client computers.
- Add the files umbrella.cfg and local-settings.js to a network share. Ensure that the share has read permissions for 'Domain Computers'
- Create/Edit a group policy in Group Policy Management
- Edit the settings in Computer Configuration > Preferences > Windows Settings > Files
- Right-click and select New File
- Point the Source File to umbrella.cfg on the Network Share
- Point the 'Destination' file to be C:\Program Files\Mozilla Firefox\umbrella.cfg and Apply
- Repeat these steps to copy the same file to C:\Program Files (x86)\Mozilla Firefox\umbrella.cfg
- Repeat these steps to copy local-settings.js to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
- Repeat these steps to copy local-settings.js to C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js
Distributing Firefox preferences with the Firefox installer
These files can also be copied by script to the correct location during installation, if you are performing a scripted Firefox installation. Details on performing a scripted installation of Firefox are here:
https://wiki.mozilla.org/Installer:Command_Line_Arguments
The full offline installer for Firefox is required for a scripted installation. This is available here:
https://www.firefox.com/en-US/download/all/?redirect_source=mozilla-org
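The following PowerShell script is an added example, not part of the original article or of any Cisco or Mozilla tooling. It shows one way a scripted installation could write the two files described above into the default Firefox locations and then read them back to confirm the encoding and that the lock is active. The function name Install-UmbrellaAutoConfig is hypothetical, and the script assumes it runs elevated after Firefox has been installed.

```powershell
# Added example, not Cisco's or Mozilla's script. Run elevated, after Firefox is installed.
$ErrorActionPreference = 'Stop'

# Default install locations named in the article.
$installDirs = 'C:\Program Files\Mozilla Firefox', 'C:\Program Files (x86)\Mozilla Firefox'

# File contents as given in the article. Firefox ignores the first line of an
# AutoConfig .cfg file, so that line is a bare comment.
$cfgLines  = [string[]]@('//', 'lockPref("security.enterprise_roots.enabled", true);')
$prefLines = [string[]]@(
    'pref("general.config.obscure_value", 0);',
    'pref("general.config.filename", "umbrella.cfg");'
)

# Hypothetical helper: writes both files into one Firefox directory and checks the result.
function Install-UmbrellaAutoConfig {
    param([Parameter(Mandatory)][string]$FirefoxDir)

    if (-not (Test-Path (Join-Path $FirefoxDir 'firefox.exe'))) {
        Write-Host "Skipped (no firefox.exe): $FirefoxDir"
        return
    }
    $cfgPath  = Join-Path $FirefoxDir 'umbrella.cfg'
    $prefDir  = Join-Path $FirefoxDir 'defaults\pref'
    $prefPath = Join-Path $prefDir 'local-settings.js'
    New-Item -ItemType Directory -Force -Path $prefDir | Out-Null

    # The content is pure ASCII, so ASCII output is byte-identical to ANSI and has no BOM.
    [System.IO.File]::WriteAllLines($cfgPath,  $cfgLines,  [System.Text.Encoding]::ASCII)
    [System.IO.File]::WriteAllLines($prefPath, $prefLines, [System.Text.Encoding]::ASCII)

    # Read back from disk: reject a UTF-8 BOM and confirm the lock is not commented out.
    foreach ($path in $cfgPath, $prefPath) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
            throw "$path starts with a UTF-8 BOM; it must be ANSI encoded"
        }
    }
    $onDisk = @(Get-Content -Path $cfgPath)
    if (-not $onDisk[0].StartsWith('//')) { throw "$cfgPath must begin with a comment line" }
    if (-not ($onDisk -match '^lockPref\("security\.enterprise_roots\.enabled", true\);$')) {
        throw "$cfgPath does not lock security.enterprise_roots.enabled"
    }
    Write-Host "OK: $FirefoxDir"
}

foreach ($dir in $installDirs) { Install-UmbrellaAutoConfig -FirefoxDir $dir }
```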
(Optional) Distributing Firefox settings with CCK2
CCK2 is another popular method to create locked Firefox configurations. CCK2 is a Firefox add-on with a GUI which allows you to set many different Firefox preferences:
https://mike.kaply.com/cck2/
CCK2 produces AutoConfig settings which can be extracted into the Firefox installation directory.
Optionally, CCK2 can also export these settings as a Firefox extension that can be distributed to users.