
firefox - Programmatically install a certificate in Mozilla




Is there a way to programmatically install a certificate into Mozilla? We're trying to script everything to eliminate deviations in the environment, so installing it by hand through the Mozilla preferences does not work for our needs. I assume there is a way to do it with certutil, but I am not sure of Mozilla's internals, etc.


Here is an alternative way that doesn't override the existing certificates: [bash fragment for linux systems]

    certificateFile="MyCa.cert.pem"
    certificateName="MyCA Name"
    # Read one database path per line so that paths containing spaces survive
    find ~/.mozilla* ~/.thunderbird -name "cert8.db" |
    while IFS= read -r certDB
    do
      certDir=$(dirname "${certDB}")
      #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
      certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
    done

You can find certutil in the libnss3-tools package (debian / ubuntu).

Source:
http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html

See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil


On Windows 7 with Firefox 10, the cert8.db file is stored at %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\cert8.db . If you are an administrator, you can probably write a simple WMI application to copy the file to the user's respective folder.

Also, a solution that worked for me, from http://www.appdeploy.com/messageboards/tm.asp?m=52532&mpage=1&key=&#52532

  1. Copied CERTUTIL.EXE from the NSS zip file ( http://www.mozilla.org/projects/security/pki/nss/tools/ ) to C:\Temp\CertImport (I also placed the certificates I want to import there)

  2. Copied all the DLLs from the NSS zip file to C:\Windows\System32

  3. Created a BAT file in %Appdata%\mozilla\firefox\profiles with this script ...

        Set FFProfdir=%Appdata%\mozilla\firefox\profiles
        Set CERTDIR=C:\Temp\CertImport
        DIR /A:D /B > "%Temp%\FFProfile.txt"
        REM usebackq lets the quoted file name survive spaces in %Temp%
        FOR /F "usebackq tokens=*" %%i in ("%Temp%\FFProfile.txt") do (
        CD /d "%FFProfDir%\%%i"
        COPY cert8.db cert8.db.orig /y
        For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
        For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
        )
        DEL /f /q "%Temp%\FFProfile.txt"

  4. Executed the BAT file with good results.


Firefox now (since 58) uses a SQLite database cert9.db instead of the legacy cert8.db. I have made a fix to a solution presented here to make it work with the new versions of Firefox:

    certificateFile="MyCa.cert.pem"
    certificateName="MyCA Name"
    # Read one database path per line so that paths containing spaces survive
    find ~/.mozilla* ~/.thunderbird -name "cert9.db" |
    while IFS= read -r certDB
    do
      certDir=$(dirname "${certDB}")
      #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
      certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "sql:${certDir}"
    done
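
Added example, not part of any answer above: the two bash loops differ only in the database file they look for and in the `sql:` prefix, so this POSIX shell version selects the prefix per profile and skips profiles where the nickname is already present. It assumes NSS `certutil` is on the PATH; the function names and the default trust string `C,,` (CA trusted for TLS server certificates only) are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes NSS certutil on PATH.

# Print the NSS database spec for one profile directory:
#   sql:<dir> when cert9.db (SQLite, Firefox 58+) is present,
#   dbm:<dir> when only the legacy cert8.db is present.
# Returns 1 if the directory holds neither file.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        return 1
    fi
}

# List every profile directory under the given roots, one per line and
# deduplicated (a migrated profile contains both cert8.db and cert9.db).
find_profiles() {
    find "$@" \( -name cert8.db -o -name cert9.db \) -type f 2>/dev/null |
        while IFS= read -r db; do dirname "$db"; done | sort -u
}

# Add the CA to one profile unless that nickname is already present.
install_ca() {  # usage: install_ca <profile-dir> <nickname> <pem-file> <trust>
    spec=$(nss_db_spec "$1") || return 1
    if certutil -L -d "$spec" -n "$2" >/dev/null 2>&1; then
        echo "skip: '$2' already in $spec"
    else
        certutil -A -d "$spec" -n "$2" -t "$4" -i "$3" &&
            echo "added: '$2' to $spec"
    fi
}

# Runs only when called with arguments: <pem-file> <nickname> [trust]
if [ "$#" -ge 2 ]; then
    find_profiles "$HOME/.mozilla" "$HOME/.thunderbird" |
        while IFS= read -r dir; do
            install_ca "$dir" "$2" "$1" "${3:-C,,}"
        done
fi
```

Firefox or Thunderbird should be closed while the database is modified, as the PowerShell answer further down also notes.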


I was trying to achieve the same thing in PowerShell and wrote a script to perform various functions that can be selected interactively. Of course, it is fairly easy to modify the script to automate certain things rather than provide options.

I'm an Infrastructure guy rather than a coder/programmer, so apologies if it's a bit cumbersome (but it does work!).

Save the following as a PS1:

    ##################################################################################################
    #
    # NAME: RegisterFireFoxCertificates.ps1
    #
    # AUTHOR: Andy Pyne
    #
    # DATE  : 22.07.2015
    #
    # COMMENT: To provide options for listing, adding, deleting and purging
    # FireFox Certificates using Mozilla's NSS Util CertUtil
    # Source: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
    #
    # NOTE: You need a copy of the NSS Util CertUtil and its associated DLLs
    # The specific files I used were:
    #
    # certutil.exe, fort32.dll, freebl3.dll, libnspr4.dll, libplc4.dll, libplds4.dll, nspr4.dll,
    # nss3.dll, nssckbi.dll, nssdbm3.dll, nssutil3.dll, plc4.dll, plds4.dll, smime3.dll,
    # softokn3.dll, sqlite3.dll, ssl3.dll, swft32.dll
    #
    ##################################################################################################

    ##################################################################################################

    # Setup a few parameters
    $ErrorActionPreference = "Silentlycontinue"
    $ExecutionPolicyOriginal = Get-ExecutionPolicy
    $FireFoxExecutable = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"

    # This is the Firefox certificate database
    $CertDB = "Cert8.db"

    # The Certificate Nickname is a name you want to see on the certificates that you've imported in - so you know they were imported by this process
    # However, when you look at the certificates in Firefox, they will be listed under whatever the certificate name was when it was generated
    # So if your certificate is listed as 'Company123' when imported, it will still be called that as the Common Name, but when you click to view
    # it, you will see that the first item in the Certificate Fields is what you 'nicknamed' it.
    $CertificateNickname = "MyCompanyName FF AutoImport Cert"

    # The Legacy Certificates are specific/explicit certificates which you wish to delete (The 'purge' option later in the script references these items)
    $LegacyCertificates = @("OldCertificate1", "Company Cert XYZ", "Previous Company name", "Unwanted Certificate - 7", "123APTEST123")

    # This is the list of databases / Firefox profiles on the machine
    $FFDBList = @()

    # The local temporary directory
    $FFCertLocationLocal = "C:\FFCertTemp"

    # The remote location of the certificates and
    $FFCertLocationRemote = "\\myUNC\NETLOGON\FireFoxCert\"

    # The local CertUtil executable (this is copied from the remote location above)
    $FFCertTool = "$FFCertLocationLocal\CertUtil.exe"

    # Making sure our temporary directory is empty
    Remove-Item $FFCertLocationLocal -Recurse
    New-Item -ItemType Directory -Path $FFCertLocationLocal

    ##################################################################################################

    ##################################################################################################

    Clear

    # We're going to get a list of the Firefox processes on the machine that are open and close them
    # Otherwise the add/delete parts might not be successful with Firefox still running
    $FireFoxRunningProcessesList = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object ProcessName,Id | Format-Table -AutoSize
    $FireFoxRunningProcesses = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object -ExpandProperty Id
    If (!$FireFoxRunningProcesses) {}
    Else {
    Write-Host "The following processes will be stopped to perform certificate manipulation:"
    $FireFoxRunningProcessesList
    $TerminateProcessQuestion = Read-Host "To auto-terminate (ungracefully!) processes, press 'Y', otherwise, press any other key"
    If ($TerminateProcessQuestion -ne 'y') {
    Clear
    Write-Host "Cannot continue as Firefox process is still running, ending script ..."
    Exit}
    Else {ForEach ($FireFoxRunningProcess in $FireFoxRunningProcesses) {
    [Int]$FireFoxRunningProcess = [Convert]::ToInt32($FireFoxRunningProcess, 10)
    Stop-Process -Id $FireFoxRunningProcess -Force}}
    }

    ##################################################################################################

    ##################################################################################################

    # The remote files (certificates and the NSS Tools CertUtil files are copied locally)
    $FFCertificateListItemRemote = Get-ChildItem $FFCertLocationRemote -Recurse -Include *.cer,*.dll,certutil.exe
    ForEach ($FFCertificateItemRemote in $FFCertificateListItemRemote) {
    Copy-Item $FFCertificateItemRemote.FullName -Destination $FFCertLocationLocal}

    # Get a list of the local certificates
    $FFCertificateListLocal = Get-ChildItem $FFCertLocationLocal -Recurse -filter *.cer

    Clear
    Set-ExecutionPolicy "Unrestricted"

    # Find all Firefox profiles and create an array called FFDBList
    # Of course, you'll only be able to get to the ones your permissions allow
    $LocalProfiles = Get-ChildItem "C:\Users" | Select-Object -ExpandProperty FullName
    ForEach ($LocalProfile in $LocalProfiles) {
    $FFProfile = Get-ChildItem "$LocalProfile\AppData\Roaming\Mozilla\Firefox\Profiles" | Select-Object -ExpandProperty FullName
    If (!$FFProfile) {Write-Host "There is no Firefox Profile for $LocalProfile"}
    ELSE {$FFDBList += $FFProfile}
    }

    Clear
    Write-Host "#################################"
    Write-Host "The List of FireFox Profiles is:"
    Write-Host "#################################"
    $FFDBList
    PAUSE

    ##################################################################################################

    ##################################################################################################

    # Setup 4x functions (List, Delete, Add and Purge)
    #
    # - List will simply list certificates from the Firefox profiles
    #
    # - Delete will delete the certificates the same as the certificates you're going to add back in
    #   So for example, if you have 2x certificates copied earlier for import, 'CompanyA' and 'CompanyZ'
    #   then you can delete certificates with these names beforehand. This will prevent the
    #   certificates you want to import being skipped/duplicated because they already exist
    #
    # - Add will simply add the list of certificates you've copied locally
    #
    # - Purge will allow you to delete 'other' certificates that you've manually listed in the
    #   variable '$LegacyCertificates' at the top of the script

    # Each of the functions perform the same 4x basic steps
    #
    # 1) Do the following 3x things for each of the Firefox profiles
    # 2) Do the 2x following things for each of the certificates
    # 3) Generate an expression using parameters based on the certificate nickname specified
    #    earlier, and the profile and certificate information
    # 4) Invoke the expression

    Function ListCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
    $FFCertificateListItemFull = $FFCertificateListItem.FullName
    Write-Host "Listing Certificates for $FFDBitem"
    $ExpressionToListCerts = "$FFCertTool -L -d `"$FFDBItem`""
    Invoke-Expression $ExpressionToListCerts
    }
    PAUSE}

    Function DeleteOldCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
    ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
    $FFCertificateListItemFull = $FFCertificateListItem.FullName
    Write-Host "Deleting Cert $FFCertificateListItem for $FFDBitem"
    $ExpressionToDeleteCerts = "$FFCertTool -D -n `"$CertificateNickname`" -d `"$FFDBItem`""
    Invoke-Expression $ExpressionToDeleteCerts
    }}
    PAUSE}

    Function AddCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
    ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
    $FFCertificateListItemFull = $FFCertificateListItem.FullName
    Write-Host "Adding $FFCertificateListItem Cert for $FFDBitem"
    $ExpressionToAddCerts = "$FFCertTool -A -n `"$CertificateNickname`" -t `"CT,C,C`" -d `"$FFDBItem`" -i `"$FFCertificateListItemFull`""
    Write-Host $ExpressionToAddCerts
    Invoke-Expression $ExpressionToAddCerts
    #PAUSE
    }}
    PAUSE}

    Function PurgeLegacyCertificates {
    Write-Host "#############################"
    ForEach ($FFDBItem in $FFDBList) {
    ForEach ($LegacyCertificateItem in $LegacyCertificates) {
    $LegacyCertificateItemFull = $LegacyCertificateItem.FullName
    Write-Host "Purging Old Certs ($LegacyCertificateItem) for $FFDBitem"
    #$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$OldCertificate`" -d `"$FFDBItem`""
    $ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$LegacyCertificateItem`" -d `"$FFDBItem`""
    ForEach ($LegacyCertificate in $LegacyCertificates) {
    Invoke-Expression $ExpressionToDeleteLegacyCerts}
    }}
    PAUSE}

    ##################################################################################################

    ##################################################################################################

    # Creating a few options to invoke the various functions created above
    $CertificateAction = ""

    Function CertificateActionSelection {
    Do {
    Clear
    $CertificateAction = Read-Host "Would you like to [L]ist all certificates [D]elete all old certificates, [A]dd new certificates, or [P]urge legacy certificates?"
    } Until ($CertificateAction -eq "L" -or $CertificateAction -eq "D" -or $CertificateAction -eq "A" -or $CertificateAction -eq "P" )

    If ($CertificateAction -eq "L") {ListCertificates}
    If ($CertificateAction -eq "D") {DeleteOldCertificates}
    If ($CertificateAction -eq "A") {AddCertificates}
    If ($CertificateAction -eq "P") {PurgeLegacyCertificates}
    }

    Do {
    Clear
    $MoreCertificateActions = Read-Host "Would you like to [L]aunch Firefox (as $env:USERNAME), take a [C]ertificate action, or [Q]uit?"
    If ($MoreCertificateActions -eq "L") {
    Invoke-Item $FireFoxExecutable
    Exit}
    If ($MoreCertificateActions -eq "C") {CertificateActionSelection}
    } Until ($MoreCertificateActions -eq "Q")

    Remove-Item $FFCertLocationLocal -Recurse
    Set-ExecutionPolicy $ExecutionPolicyOriginal

    Exit


The easiest way is to import the certificate into a sample Firefox profile and then copy the cert8.db to the users you want to equip with the certificate.

First import the certificate by hand into the Firefox profile of the sample user. Then copy

  • /home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db (Linux / Unix)

  • %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db (Windows)

into the users' Firefox profiles. That's it. If you want to make sure that new users get the certificate automatically, copy cert8.db to:

  • /etc/firefox-3.0/profile (Linux / Unix)

  • %programfiles%\firefox-installation-folder\defaults\profile (Windows)


Just wanted to add to an old thread to help other people. I needed to programmatically add a certificate to the Firefox database using a GPO; this is how I did it for Windows.

1, First download and unzip the precompiled NSS nss-3.13.5-nspr-4.9.1-compiled-x86.zip

2, Add the certificate manually in Firefox Options -> Advanced - Certificates -> Authorities -> Import

3, From the downloaded NSS package, run

    certutil -L -d c:\users\[username]\appdata\roaming\mozilla\firefox\[profile].default

4, The above query will show you the certificate name and trust attributes, e.g.

    my company Ltd CT,C,C

5, Delete the certificate added in step 2. Options -> Advanced - Certificates -> Authorities -> Delete

6, Create a PowerShell script using the information from step 4 as follows. This script will get the user's profile path and add the certificate. This only works if the user has a Firefox profile (you need to somehow retrieve the profile name from the user's Firefox folder)

    #Script adds Radius Certificate to independent Firefox certificate store since the browser does not use the Windows built in certificate store

    #Get Firefox profile cert8.db file from users windows profile path
    $ProfilePath = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\"
    $ProfilePath = $ProfilePath + (Get-ChildItem $ProfilePath | ForEach-Object { $_.Name }).ToString()

    #Update firefox cert8.db file with Radius Certificate
    certutil -A -n "UK my company" -t "CT,C,C" -i CertNameToAdd.crt -d $ProfilePath

7, Create a GPO as a user configuration to run the PowerShell script

Hope that helps save someone time
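
Added example, not part of the answer above: step 4 reads the nickname and trust attributes off `certutil -L` by eye, and the same listing can be checked by script after a rollout. The function names are assumptions of this example and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit `certutil -L` output. Sample data below is constructed.

# Read `certutil -L` output on stdin; print "<trust><TAB><nickname>" per entry.
# Nicknames may contain spaces, so the trust attributes are taken from the last
# field, which must look like "x,y,z" (letters only). That skips the headers.
parse_cert_list() {
    awk '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # drop the trust column
            sub(/^[ \t]+/, "")                # drop leading blanks
            printf "%s\t%s\n", trust, $0
        }'
}

# Succeed only if <nickname> is listed with exactly <trust>.
has_cert_with_trust() {  # usage: has_cert_with_trust <nickname> <trust>
    parse_cert_list | awk -F '\t' -v n="$1" -v t="$2" \
        '$2 == n && $1 == t { found = 1 } END { exit !found }'
}

# Print every other nickname whose SSL field (first of the three) holds C or T,
# i.e. entries in this database trusted as a CA besides the expected one.
unexpected_tls_cas() {  # usage: unexpected_tls_cas <expected-nickname>
    parse_cert_list | awk -F '\t' -v n="$1" \
        '{ split($1, f, ",") } f[1] ~ /[CT]/ && $2 != n { print $2 }'
}

# Constructed sample of `certutil -L` output (not captured from a real profile).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my company Ltd                                               CT,C,C
Example Mail User                                            u,u,u
Unknown Proxy CA                                             C,,
EOF
}

# Runs only when called with arguments: <db-spec> <expected-nickname>
if [ "$#" -ge 2 ]; then
    certutil -L -d "$1" | unexpected_tls_cas "$2"
fi
```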


I had a similar issue on a client site where the client required an authority certificate to be installed automatically for 2000+ Windows users.

I created the following .vbs script to import the certificate into the currently logged-on user's Firefox cert store.

The script needs to be put in the directory containing a working copy of certutil.exe (the nss version) but programmatically determines the Firefox profiles' location.

    Option Explicit

    On error resume next

    Const DEBUGGING = true
    const SCRIPT_VERSION = 0.1
    Const EVENTLOG_WARNING = 2
    Const CERTUTIL_EXCUTABLE = "certutil.exe"
    Const ForReading = 1

    Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
    Dim file, filename, filePath, fileExtension

    Dim WshShell : Set WshShell = WScript.CreateObject("WScript.Shell")
    Dim objFilesystem : Set objFilesystem = CreateObject("Scripting.FileSystemObject")
    Dim certificates : Set certificates = CreateObject("Scripting.Dictionary")
    Dim objCertDir
    Dim UserFirefoxDBDir
    Dim UserFirefoxDir
    Dim vAPPDATA
    Dim objINIFile
    Dim strNextLine,Tmppath,intLineFinder, NickName

    vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%")
    strCertDirPath = WshShell.CurrentDirectory
    strCertutil = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
    UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox"
    NickName = "Websense Proxy Cert"

    Set objINIFile = objFilesystem.OpenTextFile( UserFireFoxDir & "\profiles.ini", ForReading)

    Do Until objINIFile.AtEndOfStream
        strNextLine = objINIFile.Readline

        intLineFinder = InStr(strNextLine, "Path=")
        If intLineFinder <> 0 Then
            Tmppath = Split(strNextLine,"=")
            UserFirefoxDBDir = UserFirefoxDir & "\" & replace(Tmppath(1),"/","\")
        End If
    Loop
    objINIFile.Close

    'output UserFirefoxDBDir

    If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
        Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
        Set files = objCertDir.Files

        For each file in files
            slashPosition = InStrRev(file, "\")
            dotPosition = InStrRev(file, ".")
            fileExtension = Mid(file, dotPosition + 1)
            filename = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)

            If LCase(fileExtension) = "cer" Then
                strCmd = chr(34) & strCertutil & chr(34) &" -A -a -n " & chr(34) & NickName & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d " & chr(34) & UserFirefoxDBDir & chr(34)
                'output(strCmd)
                WshShell.Exec(strCmd)
            End If
        Next
        WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
    End If

    function output(message)
        If DEBUGGING Then
            Wscript.echo message
        End if
    End function

    Set WshShell = Nothing
    Set objFilesystem = Nothing