Firefox Certificate Import Reminder

in CAC 6 min read

Why Firefox Needs Separate Certificate Import

Unlike Chrome, Edge, and Safari, which use your operating system’s certificate store, Firefox maintains its own independent certificate database. This architectural decision means that even if you’ve installed DoD certificates at the system level, Firefox won’t recognize them until you manually import them into the browser’s certificate manager. This is one of the most common reasons Firefox users encounter “connection not secure” errors when accessing DoD websites.

Programming Code Screen

DoD Certificate Download Locations

Before importing certificates into Firefox, you need to download the current DoD Root CA certificate bundle. The official source for these certificates is:

  • Primary Source: The DoD Cyber Exchange website (public.cyber.mil) hosts the official InstallRoot tool and certificate bundles.
  • Alternative: The DISA PKI/PKE website provides direct certificate downloads for manual installation.
  • Military OneSource: For dependents and family members, certificate downloads may be available through Military OneSource resources.

Always download certificates from official .mil domains. Never trust certificates from unofficial sources, as compromised certificates could expose you to security risks.

Step-by-Step Firefox Certificate Import

Follow these detailed steps to import DoD certificates into Firefox:

Step 1: Access Firefox Certificate Manager

  1. Open Firefox and type about:preferences#privacy in the address bar
  2. Scroll down to the “Certificates” section
  3. Click “View Certificates” to open the Certificate Manager

Step 2: Import Root Certificates

  1. In the Certificate Manager, select the “Authorities” tab
  2. Click the “Import” button
  3. Navigate to your downloaded DoD certificate files (typically .cer or .crt format)
  4. Select the first certificate file and click “Open”
  5. When prompted, check the box for “Trust this CA to identify websites”
  6. Click “OK” to complete the import
  7. Repeat for each certificate in the DoD bundle

Step 3: Import Intermediate Certificates

Some DoD sites require intermediate certificates in addition to root certificates. These are imported the same way through the Authorities tab. The certificate bundle typically includes all necessary intermediate certificates.

Step 4: Configure Security Devices (for CAC)

  1. In Certificate Manager, click “Security Devices”
  2. Click “Load” to add a new PKCS#11 module
  3. Enter a module name (e.g., “CAC Module”)
  4. Browse to your middleware’s PKCS#11 library file:
    • ActivClient: acpkcs211.dll (Windows)
    • OpenSC: opensc-pkcs11.dll (Windows) or opensc-pkcs11.so (Linux/macOS)
  5. Click “OK” to load the module

Verifying Certificate Installation

After importing certificates, verify the installation was successful:

  1. Return to the Certificate Manager (about:preferences#privacy > View Certificates)
  2. Select the “Authorities” tab
  3. Search for “DoD” in the certificate list
  4. You should see entries for DoD Root CA 3, DoD Root CA 4, DoD Root CA 5, and various intermediate CAs
  5. Click on any certificate and select “View” to confirm it’s valid and not expired

Test your configuration by visiting a DoD website that requires CAC authentication. If certificates are properly installed, you should see the certificate selection dialog when accessing secured resources.

Certificate Update Schedule

DoD certificates have expiration dates and are periodically updated. Maintaining current certificates is essential:

  • Check Quarterly: Review your installed certificates every three months for upcoming expirations
  • Update Promptly: When new certificate bundles are released, update Firefox within one week
  • Remove Expired: Delete expired certificates from your store to prevent confusion and potential security issues
  • Subscribe to Alerts: Sign up for notifications from your organization’s IT security team about certificate updates

Common Firefox CAC Errors and Solutions

SEC_ERROR_UNKNOWN_ISSUER

This error indicates missing root or intermediate certificates. Re-download the complete DoD certificate bundle and import all certificates, ensuring you check “Trust this CA to identify websites.”

SSL_ERROR_HANDSHAKE_FAILURE_ALERT

This often indicates a problem with the PKCS#11 module configuration. Verify your CAC middleware is installed and the correct library file is loaded in Firefox’s Security Devices.

PR_END_OF_FILE_ERROR

This error typically occurs when the server requires client certificate authentication but Firefox can’t access your CAC. Ensure your card is inserted and the security device module is properly loaded.

Certificate Selection Dialog Doesn’t Appear

If you’re not prompted to select a certificate, check that your CAC is inserted and recognized by the middleware. Also verify the Security Device module is loaded correctly in Firefox.

Firefox vs Chrome CAC Differences

Understanding the differences between Firefox and Chrome helps troubleshoot issues:

Feature Firefox Chrome/Edge
Certificate Store Own internal database Uses OS certificate store
Certificate Import Manual import required Automatic from system
PKCS#11 Support Built-in module loader Relies on OS middleware
Cross-Platform Consistent on all OS Varies by operating system

While Firefox requires more initial configuration, its independent certificate store can be an advantage in some scenarios, allowing different certificate configurations for different browsing needs without affecting the system store.

Maintaining Your Firefox Certificate Configuration

To ensure ongoing CAC compatibility with Firefox:

  • Update Firefox regularly, but test CAC functionality after major updates
  • Back up your Firefox profile periodically to preserve certificate settings
  • When reinstalling Firefox, remember that certificates must be re-imported
  • Keep notes on which certificates you’ve imported for easier reconfiguration
David Chen

David Chen

Author & Expert

David Chen is a professional woodworker and furniture maker with over 15 years of experience in fine joinery and custom cabinetry. He trained under master craftsmen in traditional Japanese and European woodworking techniques and operates a small workshop in the Pacific Northwest. David holds certifications from the Furniture Society and regularly teaches woodworking classes at local community colleges. His work has been featured in Fine Woodworking Magazine and Popular Woodworking.

29 Articles
View All Posts

You Might Also Like

Subscribe for Updates

Get the latest articles delivered to your inbox.