I work at a company which makes extensive use of client certificates. For reasons I will not bother going into, there are two types: one is issued by something to do with Active Directory, and one by another system. This latter one is useful to developers and so since the year dot we’ve imported them into Firefox manually. Since Firefox 90, the former certificate that exists in macOS’s system keystore ended up being presented to every service, with no way to instruct it to use the latter.
To turn this new feature off and avoid dealing with the problem for some time until they remove the separate store entirely, you can set security.osclientcerts.autoload to false in about:config. I do realise this is the https://xkcd.com/1172/ option.
This is AWESOME! I remember many many years ago wanting to do client side certs, but the UIs in browsers were so totally miserable that there was zero chance I could ever get a user to use it. Is there an ignorant person’s guide on how to do this these days?
Ideally with and without something like a Yubikey/PIV. Cause I really want to try this out now and see if I can make it usable for us.
This doesn’t really change the UX at all; it just means another storage option is supported.
You probably only want to use client certs in an environment where you have some provisioning system running out of band, and so it’s helpful for Firefox to support the same storage as the OS native browsers (and Chrome).
OH. :( So the UX is still miserable to the point of useless? That totally sucks.
ETA: we do provision our users’ machines, so that’s not an issue for us. I deliver SSH certs for instance, because the SSH cert UX is not miserable (though Windows didn’t support SSH certs last I checked, making it harder to use… in fact I should check again, now that MS is blessing OpenSSH directly these days…) For Windows clients we are using Vault’s SSH OTP instead.
Well, the selection UI for picking a cert is the same. But the setup cost is a better user experience imho.
P.S.: Hi, Matt. I think we were in the same intern cohort Winter 2011/2012?
Now… how about on Android?
Excellent news! This will raise the bar for security quite a bit.