@jakub-g
Last active June 6, 2023 16:39
Make Firefox on MacOS trust CA certificates from system keychain

Add a self-signed TLS certificate to MacOS system keychain, and make Firefox trust it

Tested on MacOS 11.6.4

```bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$FILENAME.crt"
```
firefox_enable_enterprise_roots_macos.sh

```bash
#!/bin/bash
# Firefox has a separate CA store. To make it trust the global OS store, it needs either
# an `about:config` entry, or an enterprise policy (https://github.com/mozilla/policy-templates)
function firefox_enable_enterprise_roots {
  # Find all Firefox installations, and enable enterprise policy for each if not yet done
  declare -a FIREFOX_FOLDERS=("/Applications/Firefox.app" "/Applications/Firefox Developer Edition.app" "/Applications/Firefox Nightly.app")
  for FX_FOLDER in "${FIREFOX_FOLDERS[@]}"
  do
    if [ -d "$FX_FOLDER" ]; then
      # Firefox reads enterprise policies from distribution/policies.json inside the app bundle
      POLICIES_FOLDER="$FX_FOLDER/Contents/Resources/distribution"
      POLICIES_FILE="$POLICIES_FOLDER/policies.json"
      # Only write the file when it does not exist; an existing policies.json is left untouched
      if [ ! -f "$POLICIES_FILE" ]; then
        mkdir -p "$POLICIES_FOLDER"
        echo "Enabling 'ImportEnterpriseRoots' in $FX_FOLDER..."
        # Quoted delimiter: the JSON is written literally, with no shell expansion
        cat << 'EOF' > "$POLICIES_FILE"
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
EOF
      fi
    fi
  done
}

firefox_enable_enterprise_roots
```
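
The script above writes `policies.json` only when the file is absent, so an install that already has a `policies.json` without the setting is left unchanged. The check below is an added example, not part of the original gist, that reports the state of each install; the function names `policy_state` and `audit_firefox_policies` are hypothetical, and the text match is an assumption standing in for a full JSON parse.

```bash
#!/bin/bash
# Added example (not from the gist): report whether each Firefox install's
# policies.json enables ImportEnterpriseRoots.

# policy_state FILE -> prints "missing", "enabled" or "not-enabled".
# Assumption: a whitespace-insensitive text match is enough for this small
# file; it is not a JSON parser and does not check the key's nesting.
policy_state() {
    local file="$1"
    if [ ! -f "$file" ]; then
        echo "missing"
        return
    fi
    if tr -d ' \t\r\n' < "$file" | grep -q '"ImportEnterpriseRoots":true'; then
        echo "enabled"
    else
        echo "not-enabled"
    fi
}

# audit_firefox_policies [APPS_DIR] -> one line per Firefox install found.
# Returns non-zero if any install found does not have the policy enabled.
audit_firefox_policies() {
    local apps_dir="${1:-/Applications}" rc=0 app file state
    for app in "Firefox.app" "Firefox Developer Edition.app" "Firefox Nightly.app"; do
        [ -d "$apps_dir/$app" ] || continue
        file="$apps_dir/$app/Contents/Resources/distribution/policies.json"
        state="$(policy_state "$file")"
        echo "$app: $state"
        [ "$state" = "enabled" ] || rc=1
    done
    return $rc
}

# Audit the default location (or the directory given as the first argument).
audit_firefox_policies "$@" || echo "At least one install lacks the policy."
```

A `not-enabled` result means the setting has to be merged into the existing file by hand, since the gist's script will not overwrite it.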
@Janaka-Steph

Doesn't seem to work on Mac 12.6

@jakub-g
Author

jakub-g commented Sep 30, 2022

@Janaka-Steph what is the issue exactly, in more detail? Just tested, works for me on Mac 12.6.

There's a Firefox bug though: the policies.json file gets deleted on Firefox update, so you need to re-run the script.

I logged a ticket in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1792595

@Janaka-Steph

Sorry, it seems that my issue is actually different. I suspect my self-signed certificate has been rejected because it contains the basicConstraints extension CA = true, but should be generated without it.
See: https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
