Certificate override on Windows computer

This discussion was created from comments split from: Certificate Override for corporate network.
  • I was struggling with this issue and solved it after seeing the instruction to "copy the cert9.db, key4.db, and pkcs11.txt files from the Firefox profile directory to the Zotero profile directory."
    However, the Zotero knowledge base only suggests this for macOS and Linux, and not for Windows. Since I'm using a Windows machine, I was totally ignoring this instruction and wasted a lot of time looking for other solutions.
  • edited February 7, 2023
    The page notes that "in most cases" it will work on Windows, since it's able to use the system root certificate store. That should really only not work if 1) you accidentally disabled security.enterprise_roots.enabled in the Config Editor in the Advanced pane of the Zotero preferences or 2) your organization only uses Firefox and only configured the custom CA within Firefox itself, but that would be odd, because then various other things on the system presumably wouldn't work either. I wouldn't even expect this to be configured properly in Firefox unless it was set up years ago before Firefox started using the system root certificate store.

    (Note that the thread you posted to was all about Macs for this same reason.)
  • I'm having this issue on a corporate Windows 10 machine too. The root certificate for our IT-mandated-MITM has been installed. I've checked that advanced system setting listed above too.

    I've not tried the FF fix as we don't have/allow FF on corporate machines.

    It's preventing the 'magic add' from working. It's definitely the HTTPS inspector causing the problem, as our IT department bypassed a particular domain and queries to that started resolving correctly. However, it's not practical (or sensible) to manually bypass half the internet.
  • @robertgallen: Not sure what to tell you. Zotero is based on Firefox, and with security.enterprise_roots.enabled enabled, as it is by default, Zotero 6 on Windows should use the system certificate store, the same as Firefox. The Firefox feature is described in this blog post (and since that post was written the feature was extended to also include certificates added via AD, not just those in the root store).

    Best I can suggest would be to try in Zotero 7, the first beta of which will be out soon. Zotero 7 is based on a much newer version of Firefox, so it might support additional enterprise certificate configurations. (And, as noted above, it will also add support for this feature on macOS.)
  • Thanks for the blog post link. It mentions the Windows Trust Database. Just to be clear, where does the certificate need to be to be picked up? I can find it in certmgr
    Certificates - Current user [or Local Computer] > Trusted Root Certification Authorities > Certificates (which seems like the right place).
  • No idea, sorry.