Firefox 3.5.x Automating certificate Install
Hi all,
We are looking at delivering Firefox 3.5.2 in a corporate environment. I've got most of the settings cracked (very useful post here - http://itninja.com/question/gnu,-freeware-and-shareware-programs-to-cloning8212&mpage=1&key=firefox뱔 and I work with Rob)
But we need to install a trusted root certificate (called "Authorities" in FF) and at the moment it looks like it's going to be a manual import process for end users. There doesn't seem to be a way (command line utility or whatever) to register the .CER file automatically.
For Internet Explorer this can be managed using group policy and we need an automated solution for Firefox.
This article is interesting but I'm not a developer so wouldn't know where to start
http://www.mozilla.org/projects/security/pki/nss/tools/index.html
Cheers
Rich
Answers (18)
Posted by:
mikkojarvinen
15 years ago
ORIGINAL: timmsie
But we need to install a trusted root certificate (called "Authorities" in FF) and at the moment it looks like it's going to be a manual import process for end users. There doesn't seem to be a way (command line utility or whatever) to register the .CER file automatically.
Import the root certificate into Firefox and after that grab the file cert8.db under
    %userprofile%\Application Data\Mozilla\Firefox\Profiles\########.default
Then deploy cert8.db some way to users. We've put the file into Firefox default profile
    %programfiles%\firefox-installation-folder\defaults\profile
to make sure new Firefox users always have the cert8.db file in their Firefox profiles.
I admit that deploying a whole cert database file is a different (and more robust) way than importing a certificate.
--
Mikko Järvinen
Posted by:
shadow431
14 years ago
My work has the same thing, but some users already have their own certificates added to Firefox. If we just replace all the cert8.db files, they will lose those, right? I have searched and so far all I can find is custom compiling of Firefox, or as said above, having the users manually import them. Has anyone found a different solution?
Posted by:
vinoprocks
14 years ago
Hi everyone, you can use certutil.exe to import the certificates to Firefox profiles through the command prompt. Just a week back I did it and it worked out. Try this. Use certutil.exe for adding third party certificates. It just adds the certificates to the cert8.db and does not overwrite it. And you can even remove a particular certificate using certutil.exe.
Posted by:
IT2428
13 years ago
Posted by:
IT2428
13 years ago
Yes, I'm serious.
I figured out (through research online) how to add certificates to the Trusted Root Certification Authorities in VB.NET 2005 but I am having a tougher time figuring out how to add something like that programmatically to Firefox's certificate authority. If you have good ideas on how to do that, let me know.
Posted by:
IT2428
13 years ago
Here is a link to show what I have found so far.... https://support.mozilla.com/ga-IE/questions/687296#answer-145542
Thanks for your input...
Posted by:
nheim
13 years ago
Hi IT,
you are missing a fundamental thing here: The Mozilla products, like Firefox, use their own certificate store and own version of Certutil.exe!
So, use the certutil.exe from the NSS-tools 3.12.7, which you can download from the link, you mentioned in post #11.
Regards, Nick
Comments:
-
I downloaded NSS from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/ but in the Package there is no certutil.exe. I also tried downloading Version 3.12.7, it doesn't contain certutil.exe either. - EbrithilBowser 11 years ago
Posted by:
IT2428
13 years ago
Hi Nick,
This is how I finally got it to work...
1. Copied CERTUTIL.EXE from the NSS zip file to "C:\Temp\CertImport" (I also placed the certificates I want to import there)
2. Copied all the dll's from the NSS zip file to "C:\Windows\System32"
3. Created a BAT file in "%Appdata%\mozilla\firefox\profiles" with this script...

    Set FFProfdir=%Appdata%\mozilla\firefox\profiles
    Set CERTDIR=C:\Temp\CertImport
    REM Lists the sub-folders of the current directory, one Firefox profile per line
    DIR /A:D /B > "%Temp%\FFProfile.txt"
    REM usebackq lets the file name be quoted, so a %Temp% path with spaces still works
    FOR /F "usebackq tokens=*" %%i in ("%Temp%\FFProfile.txt") do (
        CD /d "%FFProfDir%\%%i"
        REM Keep a backup of the profile's certificate database
        COPY cert8.db cert8.db.orig /y
        REM -A add, -n nickname, -i input file, -t trust flags, -d database directory
        For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
        For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
    )
    DEL /f /q "%Temp%\FFProfile.txt"

4. Executed the BAT file with good results.
Your help got me on the right track! Thank you!
Posted by:
teasy30
13 years ago
Set FFProfdir=%Appdata%\mozilla\firefox\profiles
Set CERTDIR=C:\Temp\CertImport
DIR /A:D /B > "%Temp%\FFProfile.txt"
I think that there is something missing in the script...
You want to get the names of the profile directories under the path you have set in "FFProfdir" with the line "DIR /A:D /B > ...".
If you leave this line like it is, you only get the names of the directories under the current path, in which you start the script.
You should add the directory variable to the line:
    DIR "%FFProfDir%" /A:D /B > "%Temp%\FFProfile.txt"
Now the script will work in every directory.
Posted by:
CRS162
13 years ago
FYI, I made a vb-script for importing the certificates. Have not tested thoroughly, seems to work. Feedback or improvements are more than welcome.

' Syntax      : cert_import.vbs path <certutil>
' Argument(s) : path     - Path to a directory where certificates are located.
'               certutil - Path to a directory where certutil.exe resides. If not supplied we assume
'                          certutil.exe to reside in the certificate directory.
' Output      : Import certificates (*.crt) from the certificate directory into
'               the certificate store of Firefox.
'
' Note(s)     : The CERTUTIL.EXE used by this script comes from NSS Security Tools.
'               You have to compile the source code to Windows binary to be able to use it on Windows.
'               See: http://www.mozilla.org/projects/security/pki/nss/tools/
'               certutil is called with "-d ." (certificate database in the current directory),
'               so start the script from inside the Firefox profile folder that holds cert8.db.
'
' Revisions   : 0.1 - initial version
'
'
Option Explicit
On Error Resume Next

Const DEBUGGING          = True
Const SCRIPT_VERSION     = 0.1
Const EVENTLOG_WARNING   = 2
Const CERTUTIL_EXCUTABLE = "certutil.exe"

Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
Dim file, filename, filePath, fileExtension
Dim WshShell      : Set WshShell      = WScript.CreateObject("WScript.Shell")
Dim objFilesystem : Set objFilesystem = CreateObject("Scripting.FileSystemObject")
Dim certificates  : Set certificates  = CreateObject("Scripting.Dictionary")
Dim objCertDir

If WScript.Arguments.Count = 1 Then
  ' Only the certificate directory was given: certutil.exe is expected in it
  strCertDirPath = WScript.Arguments(0)
  strCertutil    = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
ElseIf WScript.Arguments.Count = 2 Then
  strCertDirPath = WScript.Arguments(0)
  strCertutil    = WScript.Arguments(1)
  ' Accept the directory that holds certutil.exe (as documented above) as well as the full path to it
  If objFilesystem.FolderExists(strCertutil) Then strCertutil = objFilesystem.BuildPath(strCertutil, CERTUTIL_EXCUTABLE)
Else
  Wscript.echo "Invalid syntax. Correct syntax: " & WScript.ScriptFullName & " PATH_CERTIFICATE_DIRECTORY <PATH_NSS_CERTUTIL>"
  WScript.Quit 1
End If

If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
  Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
  Set files = objCertDir.Files

  For Each file In files
    ' Split the full path into the file name (used as certificate nickname) and the extension
    slashPosition = InStrRev(file, "\")
    dotPosition   = InStrRev(file, ".")
    fileExtension = Mid(file, dotPosition + 1)
    filename      = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)

    If LCase(fileExtension) = "crt" Then
      ' -A add, -n nickname, -i input file, -t trust flags (SSL, e-mail, object signing), -d database directory
      strCmd = chr(34) & strCertutil & chr(34) & " -A -n " & chr(34) & filename & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d ."
      output(strCmd)
      WshShell.Exec(strCmd)
    End If
  Next
Else
  message = "Either directory: " & strCertDirPath & ", does not exist or certutil.exe was not found here: " & strCertutil & "."
  WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
End If

' Echo the message only while DEBUGGING is switched on
Function output(message)
  If DEBUGGING Then
    Wscript.echo message
  End If
End Function

Set WshShell = Nothing
Set objFilesystem = Nothing
Comments:
-
Hi,
I've been looking into this and this script and other similar all import the certificate but I can't set the "this certificate can identify web sites" value which defeats the purpose.
Has anyone managed to do this?
Thanks
Damien - theatrebyte 11 years ago
Posted by:
Matt5150
12 years ago
ORIGINAL: CRS162
FYI, I made a vb-script for importing the certificates. Have not tested thoroughly, seems to work. Feedback or improvements are more then welcome.
I take it this needs to be run from "%Appdata%\mozilla\firefox\profiles"?
Trying to figure out how to run this on a logged off machine and still get the certs import to work.
Posted by:
Matt5150
12 years ago
ORIGINAL: CRS162
FYI, I made a vb-script for importing the certificates. Have not tested thoroughly, seems to work. Feedback or improvements are more then welcome.
I'm trying to expand upon this to make this work on all User Profiles as well but I'm not having much luck.
I tried changing the script above to this:
Set XPProfdir="c:\Documents and settings"
Set W7Profdir=c:\Users
DIR "%W7Profdir%" /A:D /B > %Temp%\W7ProfDir.txt"
FOR /F "tokens=*" %%g in %Temp%\W7ProfDir.txt do (
CD /d "%W7Profdir%\%%g\AppData\Roaming\mozilla\firefox\profiles"
DIR /A:D /B > "%Temp%\FFProfile.txt"
Somewhere in stacking this all up it just all falls apart. I can't get it to the point of creating FFProfile.txt
What I'm trying to do is to get it to run the certutil command for each cert, for each Firefox profile from FFProfile.txt, for each Windows profile from W7Profdir.txt and XPProf.txt, but I can't find any command line examples feeding from multiple tokens from multiple text files.
Comments:
-
Hi Matt5150. Were you able to find a solution for the certificate import? i am trying to do the same for my job. any info would help. Thanks. - 360Andy 11 years ago
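An added example, not posted by anyone in this thread: the loop Matt5150 describes (every Firefox profile of every Windows user) written with nested FOR /D loops and CALL subroutines instead of temporary text files. The C:\Temp\CertImport folder and the Cert1 names follow IT2428's post; the trust string "C,," (trusted CA for TLS server certificates only) is an assumption chosen here as a narrower setting than the thread's "TCu,TCu,TCu", and the NSS DLLs are assumed to sit next to certutil.exe rather than in System32.

```batch
@echo off
setlocal EnableExtensions
REM Added example (not from the thread): import one root CA into every
REM Firefox profile of every Windows user on this machine.
REM Assumptions: NSSDIR holds the NSS certutil.exe together with its DLLs;
REM CERTFILE / CERTNAME follow the names used earlier in the thread.
set "NSSDIR=C:\Temp\CertImport"
set "CERTFILE=%NSSDIR%\Cert1.crt"
set "CERTNAME=Cert1"
REM Trust fields are SSL,e-mail,object signing. "C,," trusts the CA for
REM TLS server certificates only (assumption; the thread uses TCu,TCu,TCu).
set "TRUST=C,,"

if not exist "%NSSDIR%\certutil.exe" (
    echo NSS certutil.exe not found in "%NSSDIR%" 1>&2
    exit /b 2
)
if not exist "%CERTFILE%" (
    echo Certificate "%CERTFILE%" not found 1>&2
    exit /b 2
)

set "FAILED=0"
REM Windows 7 keeps user profiles under C:\Users, XP under
REM C:\Documents and Settings; whichever cannot be listed is skipped.
for %%R in ("C:\Users" "C:\Documents and Settings") do (
    if exist "%%~R\" for /d %%U in ("%%~R\*") do (
        call :ImportForUser "%%~U\AppData\Roaming\Mozilla\Firefox\Profiles"
        call :ImportForUser "%%~U\Application Data\Mozilla\Firefox\Profiles"
    )
)
exit /b %FAILED%

:ImportForUser
REM %1 = one user's Firefox "Profiles" folder; absent if Firefox was never run
if not exist "%~1\" goto :eof
for /d %%P in ("%~1\*") do if exist "%%~P\cert8.db" call :ImportOne "%%~P"
goto :eof

:ImportOne
REM %1 = one Firefox profile folder that contains cert8.db
REM A profile that already has this nickname is left alone, so the script
REM can be re-run and a folder reached by two paths is changed only once.
"%NSSDIR%\certutil.exe" -L -n "%CERTNAME%" -d "%~1" >nul 2>&1
if not errorlevel 1 (
    echo SKIP  "%~1"
    goto :eof
)
REM Back up the database, then add the CA to it; existing entries are kept.
copy /y "%~1\cert8.db" "%~1\cert8.db.orig" >nul
"%NSSDIR%\certutil.exe" -A -n "%CERTNAME%" -i "%CERTFILE%" -t "%TRUST%" -d "%~1"
if errorlevel 1 (
    echo FAIL  "%~1" 1>&2
    set "FAILED=1"
) else (
    echo OK    "%~1"
)
goto :eof
```

Run it elevated and while Firefox is closed, since each profile's cert8.db is modified in place; `certutil.exe -L -d <profile folder>` afterwards lists every nickname with its trust flags.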
Posted by:
camposhb
8 years ago
Posted by:
eranmark
12 years ago
Hi all
Tested the batch file - working. But what's next? Should I put the c:\temp\certimport files as a network share and change the settings in the batch file (in order for it to work on multiple users)?
Comments:
-
Hi All,
I'm a newbie here. Can you help me in providing step by step instructions of this process? This is badly needed. :( - kikodefinecleth 11 years ago
certutil.exe -D -n "<Cert_name>" -d "%FFProfDir%\%%i" - supreet 9 years ago