Tutorial: Programmatically Install Certificate into Mozilla



Question:

Is there a way to programmatically install a certificate into Mozilla? We're trying to script everything to eliminate deviations in environment, so installing it by hand through Mozilla preferences does not work for our needs. I assume there's a way to do it with certutil, but I am not sure of Mozilla's internals, etc.


Solution:1

The easiest way is to import the certificate into a sample Firefox profile and then copy the cert8.db to the users you want to equip with the certificate.

First import the certificate by hand into the Firefox profile of the sample user. Then copy

  • /home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db (Linux/Unix)

  • %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db (Windows)

into the users' Firefox profiles. That's it. If you want to make sure that new users get the certificate automatically, copy cert8.db to:

  • /etc/firefox-3.0/profile (Linux/Unix)

  • %programfiles%\firefox-installation-folder\defaults\profile (Windows)


Solution:2

Here is an alternative way that doesn't override the existing certificates: [bash fragment for Linux systems]

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"

# add the CA to every Firefox/Thunderbird profile that has a legacy cert8.db
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert8.db")
do
    certDir=$(dirname "${certDB}")
    #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
    certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
done

You may find certutil in the libnss3-tools package (debian/ubuntu).

Source:
http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html

See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil


Solution:3

Just wanted to add to an old thread to hopefully aid other people. I needed to programmatically add a cert to the Firefox database using a GPO; this was how I did it for Windows.

1. First download and unzip the precompiled Firefox NSS nss-3.13.5-nspr-4.9.1-compiled-x86.zip

2. Add the cert manually to Firefox: Options-->Advanced-->Certificates-->Authorities-->Import

3. From the downloaded NSS package, run

certutil -L -d c:\users\[username]\appdata\roaming\mozilla\firefox\[profile].default

4. The above query will show you the certificate name and Trust Attributes, e.g.

my company Ltd                                CT,C,C

5. Delete the certificate from step 2: Options-->Advanced-->Certificates-->Authorities-->Delete

6. Create a PowerShell script using the information from step 4 as follows. This script will get the user's profile path and add the certificate. This only works if the user has one Firefox profile (you would somehow need to retrieve the user's Firefox profile folder name).

# Script adds Radius Certificate to the independent Firefox certificate store, since the browser does not use the Windows built-in certificate store

# Get the Firefox profile (cert8.db) folder from the user's Windows profile path
$ProfilePath = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\"
$ProfilePath = $ProfilePath + (Get-ChildItem $ProfilePath | ForEach-Object { $_.Name }).ToString()

# Update the Firefox cert8.db file with the Radius Certificate
certutil -A -n "UK my company" -t "CT,C,C" -i CertNameToAdd.crt -d $ProfilePath

7. Create a GPO as a User Configuration to run the PowerShell script

Hope that helps save someone time
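The answers above pass three different trust strings to certutil -t ("TCu,Cuw,Tuw", "CT,C,C", "TCu,TCu,TCu") without saying what they grant. As an added example (not from any answer here), this POSIX sh helper decodes such a string slot by slot and counts how much trust it grants beyond "C,,", which is all a CA needs when it should only vouch for internal TLS servers; the flag meanings follow the NSS certutil documentation linked in Solution 2.

```shell
#!/bin/sh
# Added example, not from the original answers: decode a certutil -t trust string
# ("SSL,email,object signing" slots) and count the trust it grants beyond "C,,",
# which is all a CA needs if it should only vouch for internal TLS servers.
# Flag meanings follow the NSS certutil documentation linked in Solution 2.

flag_meaning() {
    case "$1" in
        p) echo "valid peer" ;;
        P) echo "trusted peer (implies p)" ;;
        c) echo "valid CA" ;;
        C) echo "trusted CA to issue server certificates (implies c)" ;;
        T) echo "trusted CA to issue client certificates (implies c)" ;;
        u) echo "user certificate: this DB is expected to hold its private key" ;;
        w) echo "send a warning when the certificate is used in this context" ;;
        *) echo "UNKNOWN flag"; return 1 ;;
    esac
}

slot_name() { case "$1" in 1) echo "SSL" ;; 2) echo "email" ;; 3) echo "object signing" ;; esac; }

# Field n (1..3) of the trust string; missing slots read as empty, e.g. "C" == "C,,".
slot_flags() { printf '%s\n' "$1,," | cut -d, -f"$2"; }

# One "<slot>: <flag> = <meaning>" line per flag, or "<slot>: (no trust)".
decode_trust() {
    for n in 1 2 3; do
        flags=$(slot_flags "$1" "$n")
        [ -n "$flags" ] || echo "$(slot_name "$n"): (no trust)"
        while [ -n "$flags" ]; do
            ch=${flags%"${flags#?}"}; flags=${flags#?}   # pop the first character
            echo "$(slot_name "$n"): $ch = $(flag_meaning "$ch")"
        done
    done
}

# Number of flags beyond "C,," (the 'w' warning flag is not trust and is ignored).
# "CT,C,C" -> 3, "TCu,Cuw,Tuw" -> 6, "C,," -> 0.
count_excess_trust() {
    excess=0
    for n in 1 2 3; do
        flags=$(slot_flags "$1" "$n")
        while [ -n "$flags" ]; do
            ch=${flags%"${flags#?}"}; flags=${flags#?}
            case "$n$ch" in
                1C|1c|[123]w) ;;
                *) excess=$((excess + 1)) ;;
            esac
        done
    done
    echo "$excess"
}
```

Run `decode_trust "TCu,Cuw,Tuw"` to see that the Solution 2 string also marks the CA as a user certificate in every slot and trusts it for S/MIME and code signing, none of which a TLS-only CA needs.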


Solution:4

On Windows 7 with Firefox 10, the cert8.db file is stored at %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\cert8.db. If you are an administrator, you can probably write a simple WMI application to copy the file to the User's respective folder.

Also, a solution that worked for me from http://www.appdeploy.com/messageboards/tm.asp?m=52532&mpage=1&key=&#52532

  1. Copied CERTUTIL.EXE from the NSS zip file ( http://www.mozilla.org/projects/security/pki/nss/tools/ ) to C:\Temp\CertImport (I also placed the certificates I want to import there)

  2. Copied all the DLLs from the NSS zip file to C:\Windows\System32

  3. Created a BAT file in %Appdata%\mozilla\firefox\profiles with this script...

    Set FFProfdir=%Appdata%\mozilla\firefox\profiles
    Set CERTDIR=C:\Temp\CertImport
    REM list the profile folders (the BAT runs from the profiles directory)
    DIR /A:D /B > "%Temp%\FFProfile.txt"
    FOR /F "tokens=*" %%i in (%Temp%\FFProfile.txt) do (
        CD /d "%FFProfDir%\%%i"
        REM keep a backup of the database before changing it
        COPY cert8.db cert8.db.orig /y
        For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
        For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
    )
    DEL /f /q "%Temp%\FFProfile.txt"

  4. Executed the BAT file with good results.


Solution:5

Firefox now (since 58) uses a SQLite database, cert9.db, instead of the legacy cert8.db. I have made a fix to a solution presented here to make it work with new versions of Firefox:

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"

# same loop as above, but for the SQLite-backed cert9.db; the sql: prefix selects that format
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert9.db")
do
    certDir=$(dirname "${certDB}")
    #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
    certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "sql:${certDir}"
done
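A fleet usually has both database formats at once, and a migrated profile keeps a stale cert8.db next to its live cert9.db. As an added example (not part of Solution 2 or 5), this script combines their two loops: it picks the right `-d` prefix per profile, skips profiles that already hold the nickname, and verifies the stored certificate's fingerprint afterwards. It assumes certutil (libnss3-tools) and openssl are on PATH; the CA file and nickname are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers: import one CA into every Firefox and
# Thunderbird profile under $HOME, picking the NSS database format per profile and
# verifying what was stored. Assumes certutil (libnss3-tools) and openssl on PATH.
set -u

# Print the certutil -d argument for a profile directory: "sql:" for cert9.db
# (Firefox 58+), "dbm:" for a legacy cert8.db. A migrated profile keeps both files;
# cert9.db is the live one, so it wins. Fails if the directory has no NSS database.
nss_db_arg() {
    dir="$1"
    if   [ -f "$dir/cert9.db" ]; then echo "sql:$dir"
    elif [ -f "$dir/cert8.db" ]; then echo "dbm:$dir"
    else return 1
    fi
}

# List every profile directory that holds an NSS certificate database.
find_profiles() {
    find "$HOME/.mozilla" "$HOME/.thunderbird" \( -name cert8.db -o -name cert9.db \) 2>/dev/null |
        while IFS= read -r db; do dirname "$db"; done | sort -u
}

# Idempotent import: skip profiles that already have the nickname, and after each
# import compare the stored certificate's SHA-256 fingerprint with the source file.
install_ca() {
    cert_file="$1"; nickname="$2"; trust="$3"   # e.g. "C,," for an internal TLS CA
    expected=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha256)
    find_profiles | while IFS= read -r dir; do
        db=$(nss_db_arg "$dir") || continue
        if certutil -L -d "$db" -n "$nickname" >/dev/null 2>&1; then
            echo "skip     $dir: '$nickname' already present"
            continue
        fi
        if ! certutil -A -d "$db" -n "$nickname" -t "$trust" -i "$cert_file"; then
            echo "FAILED   $dir: certutil -A returned an error"
            continue
        fi
        # -a exports the stored certificate as PEM; fingerprint it independently of NSS
        actual=$(certutil -L -d "$db" -n "$nickname" -a | openssl x509 -noout -fingerprint -sha256)
        if [ "$actual" = "$expected" ]; then
            echo "ok       $dir: installed with trust '$trust'"
        else
            echo "MISMATCH $dir: stored fingerprint differs from $cert_file"
        fi
    done
}

# usage: install_ca /path/to/internal-ca.pem "Internal CA (placeholder)" "C,,"
if [ "$#" -eq 3 ]; then install_ca "$@"; fi
```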


Solution:6

I had a similar issue on a client site where the client required an authority certificate to be installed automatically for 2000+ Windows users.

I created the following .vbs script to import the certificate into the currently logged-on user's Firefox cert store.

The script needs to be put in the directory containing a working copy of certutil.exe (the NSS version) but programmatically determines the Firefox profile's location.

Option Explicit

On Error Resume Next

Const DEBUGGING              = True
Const SCRIPT_VERSION        = 0.1
Const EVENTLOG_WARNING      = 2
Const CERTUTIL_EXCUTABLE    = "certutil.exe"
Const ForReading = 1

Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
Dim file, filename, filePath, fileExtension

Dim WshShell            : Set WshShell            = WScript.CreateObject("WScript.Shell")
Dim objFilesystem      : Set objFilesystem    = CreateObject("Scripting.FileSystemObject")
Dim certificates        : Set certificates      = CreateObject("Scripting.Dictionary")
Dim objCertDir
Dim UserFirefoxDBDir
Dim UserFirefoxDir
Dim vAPPDATA
Dim objINIFile
Dim strNextLine, Tmppath, intLineFinder, NickName

vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%")
strCertDirPath    = WshShell.CurrentDirectory
strCertutil      = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox"
NickName = "Websense Proxy Cert"

' Read the profile folder from profiles.ini (the last Path= entry wins)
Set objINIFile = objFilesystem.OpenTextFile(UserFirefoxDir & "\profiles.ini", ForReading)
Do Until objINIFile.AtEndOfStream
    strNextLine = objINIFile.ReadLine
    intLineFinder = InStr(strNextLine, "Path=")
    If intLineFinder <> 0 Then
        Tmppath = Split(strNextLine, "=")
        UserFirefoxDBDir = UserFirefoxDir & "\" & Replace(Tmppath(1), "/", "\")
    End If
Loop
objINIFile.Close

'output UserFirefoxDBDir

' Import every .cer file found next to certutil.exe into the profile's database
If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
    Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
    Set files = objCertDir.Files

    For Each file In files
        slashPosition = InStrRev(file, "\")
        dotPosition   = InStrRev(file, ".")
        fileExtension = Mid(file, dotPosition + 1)
        filename      = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)

        If LCase(fileExtension) = "cer" Then
            strCmd = Chr(34) & strCertutil & Chr(34) & " -A -a -n " & Chr(34) & NickName & Chr(34) & " -i " & Chr(34) & file & Chr(34) & " -t " & Chr(34) & "TCu,TCu,TCu" & Chr(34) & " -d " & Chr(34) & UserFirefoxDBDir & Chr(34)
            'output(strCmd)
            WshShell.Exec(strCmd)
        End If
    Next

    WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
End If

Function output(message)
    If DEBUGGING Then
        WScript.Echo message
    End If
End Function

Set WshShell  = Nothing
Set objFilesystem = Nothing


Solution:7

I was trying to achieve the same thing in PowerShell and wrote a script to perform various functions that can be interactively selected. Of course, it's fairly easy to modify the script to automate certain things instead of providing options.

I'm an Infrastructure guy rather than a coder/programmer, so apologies if it's a bit cumbersome (but it does work!!).

Save the following as a PS1:

##################################################################################################
#
# NAME: RegisterFireFoxCertificates.ps1
#
# AUTHOR: Andy Pyne
#
# DATE  : 22.07.2015
#
# COMMENT: To provide options for listing, adding, deleting and purging
# FireFox Certificates using Mozilla's NSS Util CertUtil
# Source: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
#
# NOTE: You need a copy of the NSS Util CertUtil and its associated DLLs
# The specific files I used were:
#
# certutil.exe, fort32.dll, freebl3.dll, libnspr4.dll, libplc4.dll, libplds4.dll, nspr4.dll,
# nss3.dll, nssckbi.dll, nssdbm3.dll, nssutil3.dll, plc4.dll, plds4.dll, smime3.dll,
# softokn3.dll, sqlite3.dll, ssl3.dll, swft32.dll
#
##################################################################################################

##################################################################################################

# Setup a few parameters
$ErrorActionPreference = "SilentlyContinue"
$ExecutionPolicyOriginal = Get-ExecutionPolicy
$FireFoxExecutable = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"

# This is the Firefox certificate database
$CertDB = "Cert8.db"

# The Certificate Nickname is a name you want to see on the certificates that you've imported in - so you know they were imported by this process
# However, when you look at the certificates in Firefox, they will be listed under whatever the certificate name was when it was generated
# So if your certificate is listed as 'Company123' when imported, it will still be called that as the Common Name, but when you click to view
# it, you will see that the first item in the Certificate Fields is what you 'nicknamed' it.
$CertificateNickname = "MyCompanyName FF AutoImport Cert"

# The Legacy Certificates are specific/explicit certificates which you wish to delete (The 'purge' option later in the script references these items)
$LegacyCertificates = @("OldCertificate1", "Company Cert XYZ", "Previous Company name", "Unwanted Certificate - 7", "123APTEST123")

# This is the list of databases / Firefox profiles on the machine
$FFDBList = @()

# The local temporary directory for the certificates and CertUtil
$FFCertLocationLocal = "C:\FFCertTemp"

# The remote location of the certificates and
$FFCertLocationRemote = "\\myUNC\NETLOGON\FireFoxCert\"

# The local CertUtil executable (this is copied from the remote location above)
$FFCertTool = "$FFCertLocationLocal\CertUtil.exe"

# Making sure our temporary directory is empty
Remove-Item $FFCertLocationLocal -Recurse
New-Item -ItemType Directory -Path $FFCertLocationLocal

##################################################################################################

##################################################################################################

Clear

# We're going to get a list of the Firefox processes on the machine that are open and close them
# Otherwise the add/delete parts might not be successful with Firefox still running
$FireFoxRunningProcessesList = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object ProcessName,Id | Format-Table -AutoSize
$FireFoxRunningProcesses = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object -ExpandProperty Id
If (!$FireFoxRunningProcesses) {}
Else {
    Write-Host "The following processes will be stopped to perform certificate manipulation:"
    $FireFoxRunningProcessesList
    $TerminateProcessQuestion = Read-Host "To auto-terminate (ungracefully!) processes, press 'Y', otherwise, press any other key"
    If ($TerminateProcessQuestion -ne 'y') {
        Clear
        Write-Host "Cannot continue as Firefox process is still running, ending script ..."
        Exit
    }
    Else {
        ForEach ($FireFoxRunningProcess in $FireFoxRunningProcesses) {
            [Int]$FireFoxRunningProcess = [Convert]::ToInt32($FireFoxRunningProcess, 10)
            Stop-Process -Id $FireFoxRunningProcess -Force
        }
    }
}

##################################################################################################

##################################################################################################

# The remote files (certificates and the NSS Tools CertUtil files) are copied locally
$FFCertificateListItemRemote = Get-ChildItem $FFCertLocationRemote -Recurse -Include *.cer,*.dll,certutil.exe
ForEach ($FFCertificateItemRemote in $FFCertificateListItemRemote) {
    Copy-Item $FFCertificateItemRemote.FullName -Destination $FFCertLocationLocal
}

# Get a list of the local certificates
$FFCertificateListLocal = Get-ChildItem $FFCertLocationLocal -Recurse -Filter *.cer

Clear
Set-ExecutionPolicy "Unrestricted"

# Find all Firefox profiles and create an array called FFDBList
# Of course, you'll only be able to get to the ones your permissions allow
$LocalProfiles = Get-ChildItem "C:\Users" | Select-Object -ExpandProperty FullName
ForEach ($LocalProfile in $LocalProfiles) {
    $FFProfile = Get-ChildItem "$LocalProfile\AppData\Roaming\Mozilla\Firefox\Profiles" | Select-Object -ExpandProperty FullName
    If (!$FFProfile) {Write-Host "There is no Firefox Profile for $LocalProfile"}
    Else {$FFDBList += $FFProfile}
}

Clear
Write-Host "#################################"
Write-Host "The List of FireFox Profiles is:"
Write-Host "#################################"
$FFDBList
PAUSE

##################################################################################################

##################################################################################################

# Setup 4x functions (List, Delete, Add and Purge)
#
# - List will simply list certificates from the Firefox profiles
#
# - Delete will delete the certificates the same as the certificates you're going to add back in
#   So for example, if you have 2x certificates copied earlier for import, 'CompanyA' and 'CompanyZ'
#   then you can delete certificates with these names beforehand. This will prevent the
#   certificates you want to import being skipped/duplicated because they already exist
#
# - Add will simply add the list of certificates you've copied locally
#
# - Purge will allow you to delete 'other' certificates that you've manually listed in the
#   variable '$LegacyCertificates' at the top of the script

# Each of the functions perform the same 4x basic steps
#
# 1) Do the following 3x things for each of the Firefox profiles
# 2) Do the 2x following things for each of the certificates
# 3) Generate an expression using parameters based on the certificate nickname specified
#    earlier, and the profile and certificate information
# 4) Invoke the expression

Function ListCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
        Write-Host "Listing Certificates for $FFDBItem"
        $ExpressionToListCerts = "$FFCertTool -L -d `"$FFDBItem`""
        Invoke-Expression $ExpressionToListCerts
    }
    PAUSE
}

Function DeleteOldCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
        ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
            Write-Host "Deleting Cert $FFCertificateListItem for $FFDBItem"
            $ExpressionToDeleteCerts = "$FFCertTool -D -n `"$CertificateNickname`" -d `"$FFDBItem`""
            Invoke-Expression $ExpressionToDeleteCerts
        }
    }
    PAUSE
}

Function AddCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
        ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
            $FFCertificateListItemFull = $FFCertificateListItem.FullName
            Write-Host "Adding $FFCertificateListItem Cert for $FFDBItem"
            $ExpressionToAddCerts = "$FFCertTool -A -n `"$CertificateNickname`" -t `"CT,C,C`" -d `"$FFDBItem`" -i `"$FFCertificateListItemFull`""
            Write-Host $ExpressionToAddCerts
            Invoke-Expression $ExpressionToAddCerts
            #PAUSE
        }
    }
    PAUSE
}

Function PurgeLegacyCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
        # one delete per legacy nickname per profile
        ForEach ($LegacyCertificateItem in $LegacyCertificates) {
            Write-Host "Purging Old Certs ($LegacyCertificateItem) for $FFDBItem"
            $ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$LegacyCertificateItem`" -d `"$FFDBItem`""
            Invoke-Expression $ExpressionToDeleteLegacyCerts
        }
    }
    PAUSE
}

##################################################################################################

##################################################################################################

# Creating a few options to invoke the various functions created above

$CertificateAction = ""

Function CertificateActionSelection {
    Do {
        Clear
        $CertificateAction = Read-Host "Would you like to [L]ist all certificates, [D]elete all old certificates, [A]dd new certificates, or [P]urge legacy certificates?"
    } Until ($CertificateAction -eq "L" -or $CertificateAction -eq "D" -or $CertificateAction -eq "A" -or $CertificateAction -eq "P")

    If ($CertificateAction -eq "L") {ListCertificates}
    If ($CertificateAction -eq "D") {DeleteOldCertificates}
    If ($CertificateAction -eq "A") {AddCertificates}
    If ($CertificateAction -eq "P") {PurgeLegacyCertificates}
}

Do {
    Clear
    $MoreCertificateActions = Read-Host "Would you like to [L]aunch Firefox (as $env:USERNAME), take a [C]ertificate action, or [Q]uit?"
    If ($MoreCertificateActions -eq "L") {
        Invoke-Item $FireFoxExecutable
        Exit
    }
    If ($MoreCertificateActions -eq "C") {CertificateActionSelection}
} Until ($MoreCertificateActions -eq "Q")

Remove-Item $FFCertLocationLocal -Recurse
Set-ExecutionPolicy $ExecutionPolicyOriginal

Exit
