Tested on macOS 11.6.4
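# Step 1: add the certificate to the system keychain as a trusted root.
# -d selects the admin (machine-wide) trust settings and -r trustRoot marks the
# certificate as a root, so every user on this Mac will trust it. Confirm that
# the file is the certificate you expect before running this.
# The path is quoted so a file name containing spaces is passed as one argument.
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${FILENAME}.crt"
# Step 2: let Firefox import roots from the system keychain (script below).
bash firefox_enable_enterprise_roots_macos.sh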
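#!/bin/bash
# Firefox has a separate CA store. To make it trust the global OS store, it needs
# either an `about:config` entry or an enterprise policy
# (https://github.com/mozilla/policy-templates).
#
# Security note: once 'ImportEnterpriseRoots' is on, Firefox also trusts the
# roots it imports from the OS store, so keep that store limited to
# certificates you have verified.
#
# Operational note: policies.json has been reported to disappear on Firefox
# update (https://bugzilla.mozilla.org/show_bug.cgi?id=1792595); re-run this
# script after updating.

#######################################
# Enable the 'ImportEnterpriseRoots' policy for each Firefox installation found.
# Arguments: optional list of Firefox .app bundle paths; with no arguments the
#            three standard /Applications locations are checked.
# Outputs:   progress on stdout, warnings and errors on stderr.
# Returns:   0 on success, 1 if a policies.json could not be created.
#######################################
function firefox_enable_enterprise_roots {
  local -a firefox_folders
  if [ "$#" -gt 0 ]; then
    firefox_folders=("$@")
  else
    firefox_folders=(
      "/Applications/Firefox.app"
      "/Applications/Firefox Developer Edition.app"
      "/Applications/Firefox Nightly.app"
    )
  fi

  local fx_folder policies_folder policies_file
  local status=0

  for fx_folder in "${firefox_folders[@]}"; do
    # Installations that are not present are skipped silently.
    [ -d "$fx_folder" ] || continue

    policies_folder="$fx_folder/Contents/Resources/distribution"
    policies_file="$policies_folder/policies.json"

    if [ -f "$policies_file" ]; then
      # An existing file may carry other policies, so it is never overwritten.
      # Its presence does not prove the policy is on, so say so when it is not.
      if ! grep -q '"ImportEnterpriseRoots"[[:space:]]*:[[:space:]]*true' "$policies_file"; then
        echo "Warning: $policies_file exists but does not enable 'ImportEnterpriseRoots'; leaving it unchanged." >&2
      fi
      continue
    fi

    # Writing inside the app bundle can fail (e.g. insufficient permissions);
    # report it instead of carrying on as if the policy were installed.
    if ! mkdir -p "$policies_folder"; then
      echo "Error: could not create $policies_folder" >&2
      status=1
      continue
    fi

    echo "Enabling 'ImportEnterpriseRoots' in $fx_folder..."
    # Quoted delimiter: the JSON is written literally, with no shell expansion.
    cat << 'EOF' > "$policies_file" || { echo "Error: could not write $policies_file" >&2; status=1; }
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
EOF
  done

  return "$status"
}

firefox_enable_enterprise_roots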
@Janaka-Steph what is the issue exactly, more detailed? Just tested, works for me on Mac 12.6.
There's a Firefox bug though: the policies.json file gets deleted on Firefox update, so you need to re-run the script.
I logged a ticket in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1792595
Sorry, it seems that my issue is actually different. I suspect my self-signed certificate was rejected because it contains the basicConstraints extension with CA = true, and should have been generated without it.
See: https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
Doesn't seem to work on Mac 12.6