Tuesday, July 26, 2011

Importing root certificates into Firefox and Thunderbird

Update Feb. 2012: see at the end for an alternative for new profiles.

This is ridiculously complicated and makes me wonder whether I should just drop Firefox in Windows and go back to IE.

The problem:

How to automatically pre-import your self-signed certification authority into all user profiles for Firefox and Thunderbird.

The solution:

You need the Mozilla certutil utility (not the Microsoft certutil.exe).

In Windows, you would need to compile the NSS tools or use some ancient, hard-to-find Windows binary to get it. But all my user profiles are on a Samba server, so it was much easier to do it on the server, with the added benefit of having Bash and not needing to struggle with the horrible cmd.exe.

First install the tools. In Debian, it would be:

apt-get install libnss3-tools

Then adapt this long command to your paths:

find /path/to/users-profiles -name cert8.db -printf "%h\n" | \
while IFS= read -r dir; do \
  certutil -A -n "My Own CA" -t "C,C,C" -d "$dir" -i "/path/to/my_own_cacert.cer"; \
done

(-printf "%h\n" prints just the directory, without the file name, one per line. Each line is read into the $dir variable used in the certutil command. The -n option is a required nickname for the certificate. -t "C,C,C" sets the trust flags that make the profile accept any certificate signed by the CA you are importing.)

See also: the certutil documentation, and a better explanation of the trust arguments (-t option).
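
An idempotent variant of the loop above, as an added example that is not part of the original post: it skips profiles that already hold the nickname and confirms each import with certutil -L. The CERTUTIL variable and the function names has_ca and import_ca are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the original post.
# CERTUTIL (path to the Mozilla certutil) and both function names are assumptions.
CERTUTIL="${CERTUTIL:-certutil}"

# has_ca DIR NICK
# Succeeds if the certificate database in DIR already lists nickname NICK.
has_ca() {
    "$CERTUTIL" -L -d "$1" -n "$2" </dev/null >/dev/null 2>&1
}

# import_ca ROOT NICK CERT
# Adds CERT as a trusted CA to every profile under ROOT that lacks NICK.
# Prints one status line per profile; returns 1 if any import failed.
import_ca() {
    root=$1 nick=$2 cert=$3 rc=0
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    list=$(mktemp) || return 2
    # Portable equivalent of the post's -printf "%h\n": one profile dir per line.
    find "$root" -name cert8.db -exec dirname {} \; > "$list"
    # Read from a file, not a pipe, so rc survives the loop; -r and IFS=
    # keep backslashes and leading spaces in profile paths intact.
    while IFS= read -r dir; do
        if has_ca "$dir" "$nick"; then
            echo "skip   $dir"
        elif "$CERTUTIL" -A -n "$nick" -t "C,C,C" -d "$dir" -i "$cert" </dev/null \
             && has_ca "$dir" "$nick"; then
            echo "added  $dir"
        else
            echo "FAILED $dir" >&2
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}
```

Call it as import_ca /path/to/users-profiles "My Own CA" /path/to/my_own_cacert.cer; a non-zero exit status means at least one profile was not updated.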

Alternative:

The above solution works to add a certificate to an existing profile's cert8.db. To have newly created profiles include the certificate, you need to put a good cert8.db file into the program's directory.

  1. Either import your certificate(s) manually into an existing profile, or use the steps above to add the certificate(s) to a cert8.db file.
  2. Copy the new cert8.db to the Firefox (or Thunderbird) program directory, into a "/defaults/profile" subdirectory (e.g. "C:\Program Files (x86)\Mozilla Firefox\defaults\profile\").

This way, newly created profiles will copy this cert8.db file instead of creating a new one from scratch.


Wednesday, January 16, 2008

Simple password management

To easily manage all your passwords, you don't need any freeware/shareware/crapware/malware/whateverware. If you are running Windows, all you need is 2 batch files, each containing a single line.

As a bonus, you can get some very simple security-through-obscurity by using a little-known feature of the NTFS file system called "Alternate Data Streams". The security is not great, but the obscurity feels like a cool hack. And it's still better than having passwords.txt on your desktop, or Post-its on your monitor. (Of course, you can also skip the coolness and combine these handy batch files with the excellent TrueCrypt for really strong encryption at the expense of a minimum of additional hassle.)

  1. Create a file containing anything (or nothing). Let's call it x, and put it in our profile folder (C:\Documents and Settings\username\)
  2. Create a batch file (let's call it password-add.bat) with one line:
    @ECHO %* >> "%USERPROFILE%\x:passwords"
  3. Create a second batch file (for example password.bat) also with one line:
    @FIND /I "%1" < "%USERPROFILE%\x:passwords"
  4. Copy these two files to some directory in your path (like C:\Windows or C:\Windows\System32)

To add your new Google user name and password, open a Command Prompt window, and type:

password-add "Google: mystupidname@gmail.com pass: ul7ra-secr37"

To retrieve that password once you have forgotten it, type anything like

password Google
or
password stupid
or
password @gmail.com
etc.

To add some obscurity, call the batch files something else (and shorter, so you don't have to type so much), like newp.bat and p.bat.

To add even more obscurity, copy some small .dll file in c:\Windows\System32 to a new name like msp32.dll, and in the batch files replace "%USERPROFILE%\x:passwords" with "c:\Windows\System32\msp32.dll".

To add real security, get TrueCrypt, and put the file on a TrueCrypt volume. (Don't forget to correct the 2 batch files).

Important: This only works on NTFS partitions. If you move your file to a FAT32 partition or send it by email or FTP, all your passwords are lost forever. If your backups are done to an external FAT32 disk, you won't have a backup either. You can move the file around as much as you want, provided that it always stays on NTFS partitions. If you copy over a network, the server also needs to be Windows (not Samba).
