Importing root certificates into Firefox and Thunderbird
Update Feb. 2012: see at the end for an alternative for new profiles.
This is ridiculously complicated and makes me wonder whether I should just drop Firefox in Windows and go back to IE.
The problem:
How to automatically pre-import your self-signed certification authority into all user profiles for Firefox and Thunderbird.
The solution:
You need the Mozilla certutil
utility (not the Microsoft certutil.exe).
In Windows, you would need to compile nss tools or use some ancient hard to find Windows binary to get it. But all my user profiles are on a Samba server, so it was much easier to do it on the server, with the added benefit of having Bash and not needing to struggle with the horrible cmd.exe.
First install the tools. In Debian, it would be:
apt-get install libnss3-tools
Then adapt this long command to your paths:
find /path/to/users-profiles -name cert8.db -printf "%h\n" | \ while read dir; do \ certutil -A -n "My Own CA" -t "C,C,C" -d "$dir" -i "/path/to/my_own_cacert.cer"; \ done
(-printf "%h\n"
prints just the directory, without the file name, one per line. That is fed to the $dir
variable needed in the certutil
command. The -n
option is a required nickname for the certificate. -t "C,C,C"
is what will make you accept any certificate signed by this CA you are importing).
See also: the certutil documentation, and a better explanation of the trust arguments (-t option).
Alternative:
The above solution works to add a certifcate to an existing profile's cert8.db
. To have newly created profiles include the certificate, you need to put a good cert8.db file into the Program's directory.
- Either import your certificate(s) manually into an existing profile, or use the steps above to add the certificate(s) to a
cert8.db
file. - Copy the new
cert8.db
to the Firefox (or Thunderbird) program directory, into a "/defaults/profile
" subdirectory. (ie. "C:\Program Files (x86)\Mozilla Firefox\defaults\profile\
").
This way, newly created profiles will copy this cert8.db file instead of creating a new one from scratch.
Labels: ch, code, computers, debian, en, firefox, linux, oneliners, sysadmin, thunderbird, ubuntu, win7, windows