Mozilla, SSL, and NSS
If you want to manage SSL certificates inside Mozilla software in a domain, then I’m just sorry.
Install Mozilla's NSS certutil
On Debian/Ubuntu this is one package:

```sh
aptitude install libnss3-tools
```

- You can now call certutil.
Pahaha you want to do this under Windows, well Mozilla fucking hates your guts and wants you to die.
(Note: there is a certutil.exe that comes with Windows; it's a totally different piece of software and isn't what we need.)
From the Mozilla page, you can download only the source code for the most recent version and build it yourself. If you wanna do this (on Windows? hope u got a dev env on ther bro), I found some simple instructions on the Web, but I haven't done it myself, so I don't know how well they work.
You might follow this hilarious set of instructions I found on a mailing list, but that would net you a copy from 2005. Here’s an even more hilarious set of instructions:
- Download an NSS binary. The most recent version (as of the time of this writing) doesn’t have any binary downloads. Try this old thing from 2010
- Unzip it.
- See the different bin/, lib/, and include/ directories? Move all of the files from lib/ and include/ into bin/! (Am I fucking kidding? No, I am not fucking kidding.)
Setting up the domain environment
You need to put the NSS binaries and the certificates you want to import somewhere on the network where everyone can access them. Everyone needs read access to that location, but only administrators should be able to write to it: whatever certutil.exe and ca.pem sit there get executed and trusted on every machine that runs these scripts.
Then you need to create an SSL cert database with your certificate inside it. I made a batch file for this:
```batch
@echo off
setlocal enableextensions
:: these SHOULD NOT have spaces in them, or certutil will throw a fit!
:: (wrapping paths with quotes also causes certutil to fail, YAY.)
set mozcertutil=\\fileserver\Sysadmin\nss\certutil.exe
set newprofile=\\fileserver\Sysadmin\default-mozilla-profile\
set cafile=\\fileserver\Sysadmin\ca.pem
set caname=My Certificate Authority
md "%newprofile%"
"%mozcertutil%" -A -n "%caname%" -t "TCu,TCu,TCu" -i "%cafile%" -d %newprofile%
```
Creating the default profile
When a user logs in who hasn't used Firefox before, it copies a default profile from C:\Program Files\Mozilla Firefox\Defaults\Profile. (This is Program Files (x86) on 64-bit Windows. Thunderbird does a similar thing from its install directory.) By default, this directory does not exist, so we want to create it and place a certificate database in it that already trusts the site CA.
- It is OK to create C:\Program Files\Firefox\Defaults\Profile even if FF is not installed (I tested this 20120516).
- This could be put in a GPO that gets applied once per computer.
I created a batch file to do this as well:
```batch
@echo off
setlocal enableextensions
:: these SHOULD NOT have spaces in them, or certutil will throw a fit!
:: (wrapping paths with quotes also causes certutil to fail, YAY.)
set newprofile=\\fileserver\Sysadmin\default-mozilla-profile\
set mozprogramfiles=%programfiles%
if exist "%programfiles(x86)%" set mozprogramfiles=%programfiles(x86)%
set ffdefprof=%mozprogramfiles%\Mozilla Firefox\Defaults\Profile
set tbdefprof=%mozprogramfiles%\Mozilla Thunderbird\Defaults\Profile
:: this is Ok to do even if FF/TB isn't installed
md "%ffdefprof%"
md "%tbdefprof%"
copy "%newprofile%\cert8.db" "%ffdefprof%" /Y
copy "%newprofile%\cert8.db" "%tbdefprof%" /Y
```
Adding the certificate to any existing profiles
When a user logs in who has already used Firefox, there is already a profile in %APPDATA%\Mozilla\Firefox\Profiles, so it will not receive the CA from the default profile. We have to use certutil to add the certificate directly to the user's profile.
(Note that this is probably not necessary if you have created the default profile by GPO before any user has run Firefox, like you might when creating a new domain from scratch.)
(Note also that Thunderbird's location is %APPDATA%\Thunderbird\Profiles, i.e. it isn't created inside the
- This should be done once per user per machine. I'm not sure if it is possible to do this, though?
- There is no harm in adding the same certificate to the NSS store more than once - it will only get recorded in the database one time.
- Therefore, you could put this in a startup script.
I created a batch file for this too:
```batch
@echo off
set mozcertutil=\\fileserver\Sysadmin\nss\certutil.exe
set cafile=\\fileserver\Sysadmin\ca.pem
set caname=My Certificate Authority
:: NOTE: appdata\mozilla\firefox but appdata\thunderbird.
for /d %%d in ("%appdata%\mozilla\firefox\profiles\*" "%appdata%\thunderbird\profiles\*") do (
    "%mozcertutil%" -A -n "%caname%" -t "TCu,TCu,TCu" -i "%cafile%" -d "%%d"
)
```
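As an added check, here is a small Python audit script that covers both the default-profile step and the per-user step above. It is example code written for this page, not a script from the original; it assumes the share paths and the nickname from the batch files, that CERTUTIL can be pointed at either the certutil.exe on the share or the Linux libnss3-tools one, and the layout of `certutil -L -d <dir>` output (a two-line header, then one row per certificate ending in the SSL,S/MIME,JAR/XPI trust string). It lists every database directory the batch files touch on the current machine, reports whether the CA is present with the C (trusted CA) flag in the SSL column, and with --fix runs the same -A import the startup script runs wherever the CA is missing. The function names and the --fix flag are this example's own.

```python
"""Audit NSS certificate databases for the site CA.

Added example, not a script from the original page. It assumes the paths and
nickname used by the page's batch files (CERTUTIL, CA_FILE, CA_NICKNAME) and
the layout of `certutil -L -d <dir>` output: a two-line header, then one row
per certificate whose last token is the SSL,S/MIME,JAR/XPI trust string.
The --fix option and all function names are this example's own.
"""
import os
import re
import subprocess
import sys

CERTUTIL = r"\\fileserver\Sysadmin\nss\certutil.exe"  # assumed: path from the batch files
CA_FILE = r"\\fileserver\Sysadmin\ca.pem"             # assumed: path from the batch files
CA_NICKNAME = "My Certificate Authority"

# Constructed sample of `certutil -L` output, used for a parser self-test.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Certificate Authority                                     CTu,CTu,CTu
Some Site Cert                                               ,,
"""

# Three comma-separated flag groups, e.g. "CTu,CTu,CTu" or ",," (no trust at all).
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


def parse_listing(text):
    """Turn `certutil -L` output into {nickname: (ssl, smime, jar)} trust flags."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") or "SSL,S/MIME,JAR/XPI" in line:
            continue  # header or blank line
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue  # not a certificate row
        nickname, trust = parts
        certs[nickname.strip()] = tuple(trust.split(","))
    return certs


def ca_status(listing_text, nickname=CA_NICKNAME):
    """'trusted' if the CA is present with C (trusted CA) in the SSL column,
    'present' if it is there without that flag, 'missing' otherwise."""
    certs = parse_listing(listing_text)
    if nickname not in certs:
        return "missing"
    return "trusted" if "C" in certs[nickname][0] else "present"


def list_cmd(dbdir, certutil=CERTUTIL):
    return [certutil, "-L", "-d", dbdir]


def add_cmd(dbdir, certutil=CERTUTIL, cafile=CA_FILE, nickname=CA_NICKNAME):
    """The same import the page's batch files run; a repeated add is recorded once."""
    return [certutil, "-A", "-n", nickname, "-t", "TCu,TCu,TCu", "-i", cafile, "-d", dbdir]


def candidate_dbdirs():
    """Every database directory the page's procedure touches on this machine."""
    dirs = []
    for env in ("ProgramFiles(x86)", "ProgramFiles"):
        base = os.environ.get(env)
        if base:
            for app in ("Mozilla Firefox", "Mozilla Thunderbird"):
                dirs.append(os.path.join(base, app, "Defaults", "Profile"))
    appdata = os.environ.get("APPDATA")
    if appdata:
        # NOTE: appdata\Mozilla\Firefox\Profiles but appdata\Thunderbird\Profiles
        for root in (os.path.join(appdata, "Mozilla", "Firefox", "Profiles"),
                     os.path.join(appdata, "Thunderbird", "Profiles")):
            if os.path.isdir(root):
                dirs.extend(os.path.join(root, name) for name in os.listdir(root))
    return [d for d in dirs if os.path.isfile(os.path.join(d, "cert8.db"))]


def audit(dbdirs, run=subprocess.run, fix=False):
    """Return {dbdir: status}; with fix=True, import the CA wherever it is missing."""
    results = {}
    for d in dbdirs:
        status = ca_status(run(list_cmd(d), capture_output=True, text=True).stdout)
        if status == "missing" and fix:
            run(add_cmd(d), check=True)
            status = ca_status(run(list_cmd(d), capture_output=True, text=True).stdout)
        results[d] = status
    return results


if __name__ == "__main__":
    assert ca_status(SAMPLE_LISTING) == "trusted"  # parser self-test on the constructed sample
    for d, status in audit(candidate_dbdirs(), fix="--fix" in sys.argv).items():
        print(f"{status:8} {d}")
```

Run it as the user whose profiles you want to check. A database reported as "present" rather than "trusted" means the certificate is in the store but was imported with trust flags that don't include C in the SSL column, so Firefox will still not accept server certificates it issued.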