Thank god they're fixing this. Can't wait for Java to also pick up third party certificates. Every time I install my personal CA certificate I need to go through every application and do the special certificate dance (in the case of Electron, modifying the launch arguments) because every application is opinionated about what certificates it should trust for some stupid reason.
Every OS has an API for this, why should I need to go into the special super secret debug settings to tell an application "trust the system you're running on and use the damn API already".
As I commented there, you've misunderstood this change.
There's a difference between certificates distributed with the OS and certificates added to the OS by a user. Right now Firefox ignores both.
This change ONLY picks up the certificates added to the OS by a user. Firefox will continue to ignore the certificates included with the OS store by default.
Literally in the bugzilla entry is stated either by user or administrator so either you misunderstood or you need to raise this directly to the bug for correction
EDIT: for clarity, something I should have done from the beginning, I checked the affected code, they clearly remove warnings around security.enterprise_roots.enabled preference and enable it by default. This is the preference that was added back in the day to control if the browser will allow root certificates added to the OS no matter the source (user or system context) and now they change it to true by default. I think this provides more clarity but feel free to search the affected code for references that indicate that only part of the root certificate store is trusted
Late so don't if you will see this, but from the very beginning, the security.enterprise_roots.enabled preference always stated it applied to certificates added, not those included by default, eg [0]. System vs User context is still different from baked-in vs added. On macOS for example the System keychain contains certificates added that are then accessible by all users and can only be added by an Administrator, and the separate System Roots keychain holds the root certificates (151 on the Mac I'm sitting in front of) that Apple ships with the OS. Firefox reading from both the "login" and "System" keychains doesn't mean reading from "System Roots". The suggested release notes for the bug report you linked reinforces this [1] (capitalization emphasis added):
>[Suggested wording]: By default, Firefox will now use TLS trust anchors (e.g., certificates) ADDED to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".
If you think all of these descriptions have been wrong all along from the code, that'd definitely be worth bringing up on Bugzilla. Personally I'm happy to have it enabled by default vs always needing to remember to do so if it's working as described. I think support for one's own CAs should be encouraged even the overall UX around running your own CA is mediocre right now.
>"Mozilla has added an Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system, to resolve your TLS connection error. You can determine if a website is relying on an imported root certificate by clicking the Site Information icon in the address bar."
Every OS has an API for this, why should I need to go into the special super secret debug settings to tell an application "trust the system you're running on and use the damn API already".