Tripredacus
Posted February 26

On one Windows 7 computer I have Firefox 115.0.3 (64-bit) and every now and then when I open it, it shows a tab that states the root certificate will expire soon. I believe it stated March 13. It gives the option of upgrading the browser to a new version (or new branch), which looks to be 115.1esr. Is updating the browser the only way to resolve this, or is there a way to update the root certificate it uses to stay on the same version?

NotHereToPlayGames
Posted February 26

Track down "which" certificate is expiring. Export that certificate from a newer version of Firefox running in a VM. Import the certificate to the version of Firefox that you want to keep.

Guest
Posted February 26 (edited)

There is no reason to upgrade to the latest version of Firefox 115 ESR:
https://www.mozilla.org/en-US/firefox/115.20.0/releasenotes/

This version of Firefox 115 ESR will support your operating system until September 2025, with automatic updates to version 115.27 (if there is no other support extension):
https://whattrainisitnow.com/release/?version=esr

Edited February 26 by Sampei.Nihira

D.Draker
Posted February 26

12 hours ago, NotHereToPlayGames said:
Track down "which" certificate is expiring. Export that certificate from a newer version of Firefox running in a VM. Import the certificate to the version of Firefox that you want to keep.

Why such over-complications. lol? Wouldn't it be simpler to just move the whole cert folder from the new Firefox version?

D.Draker
Posted February 26

And now for those who love to live by the book.
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

D.Draker
Posted February 26

11 hours ago, Sampei.Nihira said:
This version of Firefox 115 ESR will support your operating system until September 2025 (if there is no other support extension): https://whattrainisitnow.com/release/?version=esr

How is this related to what Tripredacus asked? Certs can expire at any time; on some sites I get expired on a new, fully supported and updated browser.

@Tripredacus, on Windows 7 and Vista they also have their own Windows Cert Store, which is supposed to be updated automatically, but then again, you probably blocked the auto procedure, just like me.

D.Draker
Posted February 26

In older Firefox they were also duplicated in your profile directory. Certificates were stored in cert8.db file. Their corresponding keys were stored in key3.db. Probably the case with the new versions, but I don't use FF.

NotHereToPlayGames
Posted February 26 (edited)

32 minutes ago, D.Draker said:
just move the whole cert folder

I did not know that there is a "cert folder". I provided a solution that I know works as I've had to implement it in the past (on Pale Moon, not on Firefox, but they are identical for the sake of this discussion). Over-complicated? Perhaps, especially if it is indeed as easy as copying a "cert folder".

Speaking solely for myself, I would *NOT* want to copy an entire cert database from "new to old", I would only copy (export from new, import to old) ONE CERT at a time, not "all at once". My thinking though is from the XP Days. There are certs that work in Win7+ that do not work in XP. So why import them into XP?

Edited February 26 by NotHereToPlayGames

D.Draker
Posted February 26

11 hours ago, NotHereToPlayGames said:
My thinking though is from the XP Days. There are certs that work in Win7+ that do not work in XP. So why import them into XP?

Tripredacus is on Win7 (most likely the reason this long abandoned OS is still stuck at the current MS products on MSFN board), the question is only about Win7. How is XP relevant?

But I'll answer: for Firefox it doesn't matter which system you run, since it has its own cert store. This became the case with newer Chrome, too. But Chrome can use the NT6.0+ local system cert, in addition to its own. Not sure how well this would work on XP. And XP usually fails because it simply doesn't support modern encryption. So you could install and over-install, it will still show no green padlock on XP.

D.Draker
Posted February 26

12 hours ago, Sampei.Nihira said:
There is no reason to upgrade to the latest version of Firefox 115 ESR: https://www.mozilla.org/en-US/firefox/115.20.0/releasenotes/

This time I agree, the engine is too bloody old anyways. Don't waste time.

D.Draker
Posted February 26

11 hours ago, NotHereToPlayGames said:
Speaking solely for myself, I would *NOT* want to copy an entire cert database from "new to old", I would only copy (export from new, import to old) ONE CERT at a time, not "all at once".

One can get tired of exporting one by one very quickly. Let's see, there we often have cases where pics and videos are stored at another website, so even if you export the main (root) website cert, the pics will show empty; the browser will prevent the off-site untrusted (un-certified) connections.

Last but not least, many modern AV scanners use your cert store to check the sites and/or your browser's executable. As we see, Tripredacus uses official browsers, perhaps he uses such AV software, too.

NotHereToPlayGames
Posted February 26

D.Draker - there is no need to be so... no adjective is going to be typed! I offered a solution that I have used in the past, one that works, one that may POSSIBLY be considered "over-complicated", Trip can use the info or disregard it, no skin off my back either way.

NotHereToPlayGames
Posted February 26

4 minutes ago, D.Draker said:
One can get tired of exporting one by one very quickly.

AGREED! Trip cited that only ONE cert is expiring. That is easy to track down, easy to export from a newer Firefox, easy to import to preferred-older. Moving on... "Toodles"...

AstroSkipper
Posted February 28 (edited)

FYI, since Firefox 58, Mozilla has changed the files cert8.db/key3.db to cert9.db/key4.db. Therefore, you won't find a cert8.db or key3.db file in the profile folder of Firefox 115.x.x ESR releases. And the certificates are stored in the cert9.db file. This file is generated by Firefox and stored in the profile folder. If it is deleted, it will be immediately generated by the browser again. Firefox also checks the system root certificates and automatically performs some imports. Here is a quotation from a Mozilla website (an important note was made bold by me):

Quote
Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although they may not appear in Firefox's certificate manager. Administration of these CAs should occur using built-in Windows tools or other third-party utilities. Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

If I was on Windows 7 and used Firefox 115 ESR there, I would first update to the latest version (at the moment 115.20.0 from February 2025). This does not improve a rubbish browser, but the certificates it contains should actually be up-to-date. And after performing a backup of the profile folder, one can import certificates until the doctor comes (German saying) and then check whether it works or not. If not, delete the cert9.db file or restore the profile backup. It's as simple as that.

Edited February 28 by AstroSkipper
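
To see which certificates in the Windows local-machine store (the HKLM\SOFTWARE\Microsoft\SystemCertificates location named in the Mozilla quote above) are expired or close to expiry, a read-only check like the following can be run in PowerShell. It is an added example, not part of any post in this thread; the store names and the 30-day window are assumptions, and it does not look at Firefox's own cert9.db or its built-in roots.

```powershell
# Added example: report certificates in the Windows local-machine stores
# that are already expired or will expire within $Days days. Read-only.
param(
    [int]$Days = 30,                                  # look-ahead window (assumed value)
    [string[]]$Stores = @('Root', 'AuthRoot', 'CA')   # stores to inspect (assumed choice)
)

$now    = Get-Date
$cutoff = $now.AddDays($Days)

$report = foreach ($store in $Stores) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { continue }          # store not present on this machine

    foreach ($cert in (Get-ChildItem -Path $path)) {
        if ($cert.NotAfter -gt $cutoff) { continue }  # still valid past the window

        # Distinguish certificates that have already lapsed from those about to.
        $status = 'EXPIRING'
        if ($cert.NotAfter -lt $now) { $status = 'EXPIRED' }

        New-Object PSObject -Property @{
            Store      = $store
            Status     = $status
            NotAfter   = $cert.NotAfter
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
        }
    }
}

if ($report) {
    $report |
        Sort-Object NotAfter |
        Select-Object Store, Status, NotAfter, Thumbprint, Subject |
        Format-Table -AutoSize
} else {
    Write-Output "No certificates in the selected stores expire within $Days days."
}
```

Compare the thumbprint of any flagged entry against the same certificate in an up-to-date system before replacing or removing anything.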

AstroSkipper
Posted March 1 (edited)

On the Mozilla Support website https://support.mozilla.org/en-US/kb/root-certificate-expiration, you can find this announcement:

Quote
Update Firefox to prevent add-ons issues from root certificate expiration

Why is this update important?
On March 14, 2025, a root certificate used to verify signed content and add-ons for various Mozilla projects, including Firefox, will expire. Without updating to Firefox version 128 or higher (or ESR 115.13+ for ESR users, including Windows 7/8/8.1 and macOS 10.12–10.14 users), this expiration may cause significant issues with add-ons, content signing and DRM-protected media playback. If you don’t update, Firefox features that rely on remote updates will stop working, and your installed add-ons will be disabled. DRM-protected content, such as streaming services, may also stop playing due to failed updates. Additionally, systems dependent on content verification could stop functioning properly.

Who does this affect?
This update is necessary for all Firefox users running versions earlier than 128 (or ESR versions earlier than ESR 115.13), including those using Firefox for Desktop on Windows, macOS and Linux, as well as Firefox for Android. If you were sent to this article through an in-app message in Firefox, it means your browser version is outdated and needs to be updated.

In terms of Windows 7 computers, this means that users of Firefox 115 ESR should update their browser at least to version 115.13 ESR to fix certificate problems. As far as I know, the nssckbi.dll file inside the Firefox programme folder defines the default set of trusted root certificates. The more recent this nssckbi.dll file, the more recent Firefox's default root certificates.

Edited March 1 by AstroSkipper