Add certificate authorities system-wide on Firefox

I want to add some root CAs that don't come with the default Firefox on Ubuntu, but I don't know how.

I tried adding them to the local certificates with certutil, but it didn't work. It messed up my certificates database.

$ certutil -A -d .mozilla/firefox/ -i /usr/local/share/ca-certificates/FNMT_ACRAIZ.crt -n "Certificado Raiz FNMT" -t "TCu,Cuw,Tuw"

and then

$ certutil -L -d .mozilla/firefox/
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Go Daddy Secure Certification Authority ,,
VeriSign Class 3 Secure Server CA - G3 ,,
VeriSign Class 3 Extended Validation SSL CA ,,
DigiCert High Assurance CA-3 ,,
GlobalSign Domain Validation CA - G2 ,,
GeoTrust SSL CA ,,
StartCom Class 2 Primary Intermediate Server CA ,,
Google Internet Authority ,,
Certificado Raiz FNMT CT,C,c
USERTrust Legacy Secure Server CA ,,
HP Jetdirect 2B0EAD20 ,,
Akamai Subordinate CA 3 ,,
VeriSign, Inc. ,,
Thawte SGC CA ,,
VeriSign Class 3 Secure Server CA - G2 ,,

The certificate won't show up on Firefox. I tried this several times, even deleting the profile, and it showed up once on the Firefox interface, but completely empty.

Anyways, that's only for a user, and I want to add them system-wide. Is there a system-wide database I can modify? How?

If there is no system-wide database I can modify, I can rely on an X start script (such as the /etc/X11/Xsession.d/ ones, or a script called by the xdg autostart system in /etc/xdg/autostart/) to modify the user profile at session start, but I need a solution that works. I can't even load certificates into the user profiles from the command line now!


9 Answers

The problem here is that Firefox does not have a 'central' location where it looks for certificates. It just looks into the current profile. That's why modifying /usr/share/ca-certificates or other similar directories won't work with Firefox. This is something that has been requested for years; see issues 620373, 449498 and 454036 (and probably there are many others).

So you are left with just two kinds of solutions: either modify each profile, or modify the behaviour of Firefox. I know this is not what you are looking for, but there are no other ways because Firefox only looks at users' profiles.

Having said that, the solution I would choose is using hard or symbolic links; specifically, I'd go with hardlinks. This solution is surely the easiest and probably the best, though I don't have enough information to judge.

What you have to do is basically remove the cert8.db and key3.db files from each profile and replace them with links to the "most complete" cert8.db and key3.db. If you go with hardlinks, the original cert8.db and key3.db will be indistinguishable from the new ones.

Remember to adjust permissions to fit your needs. Most likely, you will need to chmod a+rw so that everybody will be able to add/remove a certificate. If you want only certain users to be able to add/remove certificates, you can create a group, assign the two databases to that group and give +w permission just to the group.


The easiest way is to import the certificate into a sample Firefox profile and then copy the cert8.db to the users you want to equip with the certificate.

First import the certificate by hand into the firefox profile of the sample-user. Then copy

/home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db

into the users' Firefox profiles. That's it. If you want to make sure that new users get the certificate automatically, copy cert8.db to:

/etc/firefox-3.0/profile

Here is an alternative way that doesn't override the existing certificates: [bash fragment for linux systems]

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
# Import the CA into every Firefox and Thunderbird profile database found
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert8.db")
do
    certDir=$(dirname "${certDB}")
    #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
    certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
done

You may find certutil in the libnss3-tools package (debian/ubuntu).

See also: Programmatic import of CA Certificate

Source: Programmatically Install Certificate into Mozilla


Contrary to popular belief, you can get Firefox to look at the system certificates instead of its own hard-coded set.

To do this, you will want to use a package called p11-kit. p11-kit provides a drop-in replacement for libnssckbi.so, the shared library that contains the hardcoded set of certificates. The p11-kit version instead reads the certificates from the system certificate store.

Since Firefox ships with its own version of libnssckbi.so, you'll need to track it down and replace it instead of the version provided in libnss3:

sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so

Next, delete the ~/.pki directory to get Firefox to refresh its certificate database (causing it to pull in the system certs) upon restarting Firefox. Note: this will delete any existing certificates in the store, so if you have custom ones that you added manually, you might want to back up that folder and then re-import them.


Found this solution to add certificates to Firefox on Ubuntu:

Simply need to add this file to:

/usr/lib/firefox/distribution/
touch policies.json

In policies.json add:

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "somecert1.crt",
        "/usr/local/share/ca-certificates/somecert1.crt"
      ]
    }
  }
}

The install part is first the name of the cert and then the path. Then restart Firefox. If something doesn't work, try resetting Firefox, as if you have set something before it can get stuck.

This method works well without certutil.

One of the features of the CCK Wizard Firefox add-on is importing CA certs. I use this add-on to create a custom add-on that includes a company CA Cert. I then package the custom xpi in a .deb on the internal repository that all the workstations get updates from.

CCK Wizard

EDIT: In order to package the xpi for Ubuntu, you need to create a package that includes the directory /usr/lib/firefox-addons/extensions/[addon-name@servername] and unzip the entire contents of the xpi into this directory. For instance if you name your addon foobarbaz and the server you have it set to update from (if you were to enable that function) is intranet.example.com, then the directory would be . I never enable the auto update, but instead update the deb in the repo.


Firefox works after a clean installation. If the certificate database in cert8.db is deleted, it is regenerated on the next Firefox start. This strongly suggests that there is a system-wide default storage of CA certs.

Firefox's source code shows that built-in CA certs are in fact hard-coded into firefox executable. They reside in security/nss/lib/ckfw/builtins/certdata.txt

So there is no way to install a certificate system-wide. Beware that patching source code may bring up issues with intellectual property rights.

I am using a "User Environment Virtualization" (UEV) application that does this for my users, but you can do this with logon scripts in Windows clients just the same. I won't post all of the code to dynamically find the %APPDATA%\Mozilla\Firefox\%PROFILE% path, but when you do find it, you can import the scripts using some basic commands. I am basically reading the Firefox profiles.ini file to determine the path to the Firefox profile/cert8.db.

You may want to look at using the certutil.exe application.

You can run logon scripts for users that automatically import the trusted certs from a central location into the Firefox of all users on the system.

Here is the "core" of my certificate import vb script:

If Instr(strLine, "Path=Profiles/") Then
    arrLine = Split(strLine, "/")
    strProfile = strAppData & "\Mozilla\Firefox\Profiles\" & arrLine(1)
    strCertDB = strProfile & "\cert8.db"
    'Verify the DB exists, if not move to the next entry
    If objFSO.FileExists(strCertDB) Then
        'Build the certutil command for each CA against this database
        strCertCommand1 = "\\SERVERNAME\SHARENAME$\certs\certutil\certutil.exe -A " & _
            "-n MYCA -t ""CT,C,C"" -d " & strProfile & " -i \\SERVERNAME\SHARENAME$\certs\MYCA_Root.cer"
        strCertCommand2 = "\\SERVERNAME\SHARENAME$\certs\certutil\certutil.exe -A " & _
            "-n MYSECONDCA -t ""CT,C,C"" -d " & strProfile & " -i \\SERVERNAME\SHARENAME$\certs\SecondCA_Root.cer"
        strCertCommand3 = "\\SERVERNAME\SHARENAME$\certs\certutil\certutil.exe -A " & _
            "-n MYTHIRDCA -t ""CT,C,C"" -d " & strProfile & " -i \\SERVERNAME\SHARENAME$\certs\ThirdCA_Root.cer"
        'Run the import commands for this Firefox profile (hidden window, wait for exit)
        objShell.Run "%comspec% /c " & strCertCommand1, 0, True
        objShell.Run "%comspec% /c " & strCertCommand2, 0, True
        objShell.Run "%comspec% /c " & strCertCommand3, 0, True
    End If
End If

I found out that most of the time, and by default if not configured otherwise, Firefox uses the legacy security databases (cert8.db, key3.db, and secmod.db). That means you will need to use a different command line to inject the certificate into the correct database that Firefox uses (see more in the man page of certutil).

So if your system uses the default database, the command should go like this (dbm):

certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i certificate.crt

Otherwise it should be like this (sql):

certutil -A -n "Description Name" -t "CT,C,C" -d sql:/home/<username>/.mozilla/firefox/<default folder>/ -i certificate.crt

From man certutil:

-d [prefix]directory
Specify the database directory containing the certificate and key
database files.
certutil supports two types of databases: the legacy security databases
(cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db,
key4.db, and pkcs11.txt).
NSS recognizes the following prefixes:
· sql: requests the newer database
· dbm: requests the legacy database
If no prefix is specified the default type is retrieved from
NSS_DEFAUL
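The per-profile loop from the earlier bash answer and the sql:/dbm: prefix rule from this one can be combined. As an added example (not code from either answer), this script reads profiles.ini to find each profile directory, picks the certutil prefix from the database files actually present, imports the CA and confirms it is listed. It assumes certutil from libnss3-tools; the CA file and nickname are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: import one CA into every Firefox
# profile named in profiles.ini, choosing the certutil prefix from the
# database files actually present (cert9.db -> sql:, cert8.db -> dbm:).
# Assumes certutil from libnss3-tools; CA file and nickname are placeholders.

# Print "sql:" for a SQLite profile, "dbm:" for a legacy one; fail if neither
# database exists yet (a fresh profile that Firefox has not initialised).
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then printf 'sql:'
    elif [ -f "$1/cert8.db" ]; then printf 'dbm:'
    else return 1
    fi
}

# List profile directories from a profiles.ini, honouring IsRelative=0/1.
firefox_profile_dirs() {
    ini="$1"; base=$(dirname "$ini")
    awk -v base="$base" '
        function emit(p) {
            if (path == "") return
            p = path
            if (rel != "0") p = base "/" p
            print p
            path = ""; rel = ""
        }
        /^\[/          { emit() }
        /^Path=/       { path = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) }
        END            { emit() }
    ' "$ini"
}

# Import the CA with the "CT,C,C" trust flags used in the thread, then
# confirm certutil can list it under that nickname.
import_ca_into_profile() {
    dir="$1"; cafile="$2"; caname="$3"
    prefix=$(nss_db_prefix "$dir") || { echo "skip $dir: no NSS database" >&2; return 1; }
    certutil -A -n "$caname" -t "CT,C,C" -i "$cafile" -d "${prefix}${dir}" &&
        certutil -L -n "$caname" -d "${prefix}${dir}" >/dev/null
}

# Usage: import_ca_into_all_profiles /path/to/MyCA.crt "My CA"
import_ca_into_all_profiles() {
    firefox_profile_dirs "$HOME/.mozilla/firefox/profiles.ini" |
        while read -r dir; do import_ca_into_profile "$dir" "$1" "$2"; done
}
```

Run it as the user who owns the profiles, or from a session start script as the question suggests; a profile that Firefox has never opened has no database yet and is skipped rather than corrupted.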

Beginning with Firefox 64, Mozilla says that your own "enterprise CA" can be imported from these system paths on Linux:

  • /usr/lib/mozilla/certificates
  • /usr/lib64/mozilla/certificates

Those paths do not exist by default in Ubuntu, but can be added manually.

Additionally, you have to name each certificate in the file /usr/lib/firefox/distribution/policies.json, so that it gets imported automatically:

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "example.crt",
        "/specific/folder/another-example.crt"
      ]
    }
  }
}

In this case, a certificate file named "example.crt" in either of the named default directories will be added when firefox restarts.

As Batchen Regev showed in his answer, you can also point to a file with an absolute path. (This way the .NET core development server on linux is also adding the localhost certificate).

Reference:

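As an added example for this answer and the earlier policies.json answer (not code from either), this script stages a CA in the default enterprise directory, writes policies.json with ImportEnterpriseRoots and Install both under "Certificates", and resolves each Install entry the way the answers describe (absolute path as given, bare file name looked up in the default directories). ROOT is an assumed placeholder prefix, empty on a real system.

```shell
#!/bin/sh
# Added example, not from either answer: stage a CA for Firefox's enterprise
# policy and write policies.json with the nesting the policy schema uses
# (ImportEnterpriseRoots and Install both sit under "Certificates").
# ROOT is a placeholder prefix (empty on a real system) so the functions can
# be exercised against a scratch directory.
ROOT="${ROOT:-}"

# Resolve an "Install" entry: an absolute path is used as given, a bare file
# name is searched in the two default directories named in the answer.
resolve_policy_cert() {
    case "$1" in
        /*) [ -f "$ROOT$1" ] && printf '%s\n' "$ROOT$1" ;;
        *)  for d in "$ROOT/usr/lib/mozilla/certificates" "$ROOT/usr/lib64/mozilla/certificates"; do
                [ -f "$d/$1" ] && { printf '%s\n' "$d/$1"; return 0; }
            done
            return 1 ;;
    esac
}

# Copy the CA into the default directory and write policies.json naming it.
# Prints the policy file path; fails if the entry cannot be resolved.
install_enterprise_ca() {
    cafile="$1"; name=$(basename "$cafile")
    certdir="$ROOT/usr/lib/mozilla/certificates"
    policy="$ROOT/usr/lib/firefox/distribution/policies.json"
    mkdir -p "$certdir" "$(dirname "$policy")"
    cp "$cafile" "$certdir/$name"
    printf '{\n  "policies": {\n    "Certificates": {\n      "ImportEnterpriseRoots": true,\n      "Install": ["%s"]\n    }\n  }\n}\n' "$name" > "$policy"
    resolve_policy_cert "$name" >/dev/null || return 1
    printf '%s\n' "$policy"
}
```

After a restart, Firefox's about:policies page shows whether the file was read and which Certificates settings are active.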
