Mozilla, SSL, and NSS


If you want to manage SSL certificates inside Mozilla software in a domain, then I’m just sorry.

Install Mozilla’s NSS certutil

Mozilla develops the NSS project which includes certutil to deal with the cert8.db file (which contains the CA information and is stored in your profile).

Under Debian/Ubuntu

  1. aptitude install libnss3-tools
  2. You can now call certutil to modify cert8.db.

Under Windows

Pahaha you want to do this under Windows, well Mozilla fucking hates your guts and wants you to die.

(Note: There is a certutil.exe that comes with Windows; it’s a totally different piece of software and isn’t what we need.)

From the Mozilla page, you can only download the source code for the most recent version and build it yourself. If you wanna do this (on Windows? hope u got a dev env on there bro), I found some simple instructions on the Web, but I haven’t done it myself to know how well these instructions work.

You might follow this hilarious set of instructions I found on a mailing list, but that would net you a copy from 2005. Here’s an even more hilarious set of instructions:

  • Download an NSS binary. The most recent version (as of the time of this writing) doesn’t have any binary downloads. Try this old thing from 2010
  • Unzip it.
  • See the different bin/, lib/, and include/ directories? Move all of the files from lib/ and include/ into bin/! (Am I fucking kidding? No, I am not fucking kidding.)


Setting up the domain environment

You need to put the NSS binaries and the certificates you want to import somewhere on the network where everyone can access them:

  • \\fileserver\Sysadmin\nss
  • \\fileserver\Sysadmin\ca.pem

Then you need to create an SSL cert database with your certificate inside it. I made a batch file for this:

@echo off
setlocal enableextensions

:: these SHOULD NOT have spaces in them, or certutil will throw a fit!
:: (wrapping paths with quotes also causes certutil to fail, YAY.)
set mozcertutil=\\fileserver\Sysadmin\nss\certutil.exe
set newprofile=\\fileserver\Sysadmin\default-mozilla-profile\
set cafile=\\fileserver\Sysadmin\ca.pem
set caname=My Certificate Authority

:: -A adds the cert, -n is the nickname it is stored under, -i is the PEM file,
:: -d is the database directory (certutil creates cert8.db in there).
:: -t gives the trust flags for the SSL, S/MIME and code-signing columns:
::   C = trusted CA for server certs, T = trusted CA for client certs, u = user cert.
md "%newprofile%"
"%mozcertutil%" -A -n "%caname%" -t "TCu,TCu,TCu" -i "%cafile%" -d %newprofile%

Creating the default profile

When a user logs in who hasn’t used Firefox before, it copies a default profile from C:\Program Files\Mozilla Firefox\Defaults\Profile. (This is Program Files (x86) on 64 bit Windows. Thunderbird does a similar thing from its install directory.) By default, this directory does not exist, so we want to create it and place a certificate database in it that already trusts the site CA.

  • It is OK to create C:\Program Files\Firefox\Defaults\Profile even if FF is not installed (I tested this 20120516).
  • This could be put in a GPO that gets applied once per computer

I created a batch file to do this as well:

@echo off
setlocal enableextensions

:: same database path the first script created (kept free of spaces, since
:: certutil throws a fit over spaces and over quoted paths there, YAY.)
set newprofile=\\fileserver\Sysadmin\default-mozilla-profile\

set mozprogramfiles=%programfiles%
if exist "%programfiles(x86)%" set mozprogramfiles=%programfiles(x86)%

set ffdefprof=%mozprogramfiles%\Mozilla Firefox\Defaults\Profile
set tbdefprof=%mozprogramfiles%\Mozilla Thunderbird\Defaults\Profile

:: this is Ok to do even if FF/TB isn't installed
md "%ffdefprof%"
md "%tbdefprof%"

copy "%newprofile%\cert8.db" "%ffdefprof%" /Y
copy "%newprofile%\cert8.db" "%tbdefprof%" /Y

Adding the certificate to any existing profiles

When a user logs in who has already used Firefox, since there’s already a profile in %APPDATA%\Mozilla\Firefox\Profiles, it will not receive the CA from the default profile. We have to use certutil to add the certificate directly to the user’s profile.

(Note that this is probably not necessary if you have created the default profile by GPO before any user has run Firefox, like you might when creating a new domain from scratch.)

(Note also that Thunderbird’s location is %APPDATA%\Thunderbird\Profiles, i.e. it isn’t created inside the Mozilla folder!)

  • This should be done once per user per machine. I’m not sure if it is possible to do this though?
  • There is no harm in adding the same certificate to the NSS store more than once - it will only get recorded in the database one time.
  • Therefore, you could put this in a startup script.

I created a batch file for this too:

@echo off
setlocal enableextensions

set mozcertutil=\\fileserver\Sysadmin\nss\certutil.exe
set cafile=\\fileserver\Sysadmin\ca.pem
set caname=My Certificate Authority

:: NOTE: appdata\mozilla\firefox but appdata\thunderbird.
:: for /d walks every profile directory under both; re-adding the CA to a
:: profile that already has it is harmless (see above).
for /d %%d in ("%appdata%\mozilla\firefox\profiles\*" "%appdata%\thunderbird\profiles\*") do (
    "%mozcertutil%" -A -n "%caname%" -t "TCu,TCu,TCu" -i "%cafile%" -d "%%d"
)
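Once those scripts have run you will want to know whether the CA actually landed in a given profile with the right trust, rather than just trusting that certutil didn’t throw a fit. This is an added example written for this page (not part of the original post and not NSS code): it parses the output of Mozilla’s `certutil -L -d <profile>` and reports when the CA is missing or only marked valid (`c`) instead of trusted (`C`) for SSL or S/MIME. The sample listing is constructed, and `parse_listing`, `check_ca_trust` and `list_profile` are names chosen here; `list_profile` assumes you pass it the path of Mozilla’s certutil, not the Windows one.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of "certutil -L -d <profile>" output (not captured from a real
# machine): the page's CA added with -t "TCu,TCu,TCu" plus an unrelated user cert.
# certutil prints the flag letters in its own order, so "TCu" is listed as "CTu".
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Certificate Authority                                     CTu,CTu,CTu
Jane Doe's Client Cert                                       u,u,u
"""
# One trust column is a run of NSS flag letters; three columns, comma separated.
TRUST_TOKEN = re.compile(r"^[pPCTcuwIG]*,[pPCTcuwIG]*,[pPCTcuwIG]*$")


def parse_listing(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings from certutil -L output."""
    entries: Dict[str, Tuple[str, ...]] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)  # nickname may contain spaces
        # The header line and the "SSL,S/MIME,JAR/XPI" column line fail this test.
        if len(parts) == 2 and TRUST_TOKEN.match(parts[1]):
            entries[parts[0]] = tuple(parts[1].split(","))
    return entries


def check_ca_trust(entries: Dict[str, Tuple[str, ...]], nickname: str) -> List[str]:
    """Problems with the deployed CA; an empty list means the rollout took effect.
    'C' in a column means certs the CA signed are accepted for that use (SSL, S/MIME);
    a bare 'c' means "valid CA but not trusted", so the user still gets the warning."""
    if nickname not in entries:
        return [f"CA '{nickname}' is not in this cert database"]
    problems = []
    for use, flags in zip(("SSL", "S/MIME"), entries[nickname]):
        if "C" not in flags:
            problems.append(f"{use} trust is '{flags}': certs from this CA will not validate")
    return problems


def list_profile(certutil: str, profile_dir: str) -> str:
    """Run Mozilla's certutil (NOT the Windows certutil.exe) against one profile dir.
    Recent certutil defaults to the sql format; pass "dbm:" + path to read cert8.db."""
    return subprocess.run([certutil, "-L", "-d", profile_dir],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for problem in check_ca_trust(parse_listing(SAMPLE_LISTING), "My Certificate Authority"):
        print("WARNING:", problem)
```

To audit real machines, feed `list_profile(mozcertutil, profile_dir)` into `parse_listing` for each directory the `for /d` loop above visits.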