
I have recently been researching certificates in Windows.

I tried two different ways to install a certificate:
1. Use the certutil command to install, e.g. certutil -addstore -f "ROOT" rootCA.pem
2. Use the Microsoft API to install.

#include <windows.h>
#include <wincrypt.h>

/* rootCACert points to the DER-encoded certificate bytes (X509_ASN_ENCODING
   expects DER, not the PEM text that certutil accepts); rootCACertLen is their length. */
HCERTSTORE certStore = CertOpenSystemStoreA(NULL, "ROOT");
if (certStore == NULL) {
    /* handle GetLastError() */
}
if (!CertAddEncodedCertificateToStore(
        certStore,
        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
        rootCACert,
        rootCACertLen,
        CERT_STORE_ADD_REPLACE_EXISTING,
        NULL)) {
    /* handle GetLastError() */
}
CertCloseStore(certStore, 0);

After installing, I used certmgr.msc to check that it succeeded.
Firefox's security.enterprise_roots.enabled is also set to true.

But I found a strange situation:
Firefox only trusts the certificate which certutil installed.

Can somebody tell me why?

Thanks in advance!

zonda


According to the Mozilla Wiki there are differences between versions:

As of version 49, ... Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE)

and

As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

So it would be nice to know what version you use.

To answer your question: As the flags of the stores searched are named in the wiki, it seems you are using the wrong store in your API solution. Have a look at the function CertOpenStore instead of CertOpenSystemStore. This allows you to pass, e.g., CERT_SYSTEM_STORE_LOCAL_MACHINE as dwFlags to open the store Mozilla searches.

Daniel Fisher lennybacon
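A worked diagnostic for the situation described above, added here as an example and not part of the question or the answer. CertOpenSystemStore is documented as a wrapper around CertOpenStore that opens the CERT_SYSTEM_STORE_CURRENT_USER store, while certutil -addstore without -user writes to the local-machine store; the script below imports a root CA into the machine-wide Root store and then reports, for one thumbprint, which physical locations (user store, machine store, and the three registry keys quoted from the Mozilla wiki) actually contain it. The file path is a placeholder, and the session must be elevated to write to the LocalMachine store.

```powershell
# Added example (not from the question or answer above). Assumes an elevated session
# and a root CA in a .cer file at the placeholder path below.
$CertPath = 'C:\path\to\rootCA.cer'   # placeholder path

# Import into the machine-wide Root store, which backs
# HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates (the location Firefox 49+ reads).
$imported = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
$thumb = $imported.Thumbprint

# Report every location the certificate could have landed in. The first entry is the
# per-user store that CertOpenSystemStore(NULL, "ROOT") opens; Firefox does not read it.
$locations = [ordered]@{
    'Cert:\CurrentUser\Root'              = "Cert:\CurrentUser\Root\$thumb"
    'Cert:\LocalMachine\Root'             = "Cert:\LocalMachine\Root\$thumb"
    'HKLM SystemCertificates (LM)'        = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    'HKLM Policies (LM group policy)'     = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    'HKLM EnterpriseCertificates (LM)'    = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$thumb"
}

"Thumbprint: $thumb"
foreach ($entry in $locations.GetEnumerator()) {
    $present = Test-Path -Path $entry.Value
    '{0,-36} {1}' -f $entry.Key, $(if ($present) { 'present' } else { 'absent' })
}
```

If a certificate added through the API shows up only under Cert:\CurrentUser\Root and none of the HKLM locations, that is the mismatch with Firefox's enterprise-roots lookup; re-adding it with CertOpenStore and CERT_SYSTEM_STORE_LOCAL_MACHINE (or with the Import-Certificate call above) puts it in a location the browser inspects.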