Programmatically Install Certificate into Mozilla

Question

Is there a way to programmatically install a certificate into mozilla  We re trying to script everything to eliminate deviations in environment so installing it by hand through mozilla preferences does not work for our needs   I assume theres a way to do it with certutil  but I am not sure of Mozilla s internals  etc

User · Answer

I had a similar issue on a client site where the client required a authority certificate to be installed automatically for 2000+ windows users.

I created the following .vbs script to import the certificate into the current logged on users firefox cert store.

The script needs to be put in the directory containing a working copy of certutil.exe (the nss version) but programatically determines the firefox profiles location.

Option Explicit

On error resume next

Const DEBUGGING              = true
const SCRIPT_VERSION        = 0.1
Const EVENTLOG_WARNING      = 2
Const CERTUTIL_EXCUTABLE    = "certutil.exe"
Const ForReading = 1


Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
Dim file, filename, filePath, fileExtension

Dim WshShell            : Set WshShell            = WScript.CreateObject("WScript.Shell")
Dim objFilesystem      : Set objFilesystem    = CreateObject("Scripting.FileSystemObject") 
Dim certificates        : Set certificates      = CreateObject("Scripting.Dictionary")
Dim objCertDir
Dim UserFirefoxDBDir
Dim UserFirefoxDir
Dim vAPPDATA
Dim objINIFile
Dim strNextLine,Tmppath,intLineFinder, NickName

vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%") 
strCertDirPath    = WshShell.CurrentDirectory
strCertutil      = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox"
NickName = "Websense Proxy Cert"


Set objINIFile = objFilesystem.OpenTextFile( UserFireFoxDir & "\profiles.ini", ForReading)

Do Until objINIFile.AtEndOfStream
    strNextLine = objINIFile.Readline

    intLineFinder = InStr(strNextLine, "Path=")
    If intLineFinder <> 0 Then
        Tmppath = Split(strNextLine,"=")
        UserFirefoxDBDir = UserFirefoxDir & "\" & replace(Tmppath(1),"/","\")

    End If  
Loop
objINIFile.Close

'output UserFirefoxDBDir

If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
    Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
    Set files = objCertDir.Files

    For each file in files
        slashPosition = InStrRev(file, "\")
        dotPosition  = InStrRev(file, ".")
        fileExtension = Mid(file, dotPosition + 1)
        filename      = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)

        If LCase(fileExtension) = "cer" Then        
            strCmd = chr(34) & strCertutil & chr(34) &" -A -a -n " & chr(34) & NickName & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d " & chr(34) & UserFirefoxDBDir & chr(34)
            'output(strCmd)
            WshShell.Exec(strCmd)
        End If        
    Next        
    WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
End If

function output(message)
    If DEBUGGING Then
        Wscript.echo message
    End if
End function

Set WshShell  = Nothing
Set objFilesystem = Nothing

User · Answer

On Windows 7 with Firefox 10  the cert8 db file is stored at  userprofile  AppData Roaming Mozilla Firefox Profiles          default cert8 db  If you are an administrator  you can probably write a simple WMI application to copy the file to the User s respective folder   Also  a solution that worked for me from http   www appdeploy com messageboards tm asp m 52532 amp mpage 1 amp key  amp  52532   Copied CERTUTIL EXE from the NSS zip file   http   www mozilla org projects security pki nss tools    to C  Temp CertImport  I also placed the certificates I want to import there   Copied all the dll s from the NSS zip file to C  Windows System32 Created a BAT file in  Appdata  mozilla firefox profiles with this script      Set FFProfdir  Appdata  mozilla firefox profiles  Set CERTDIR C  Temp CertImport  DIR  A D  B  gt    Temp  FFProfile txt   FOR  F  tokens      i in   Temp  FFProfile txt  do    CD  d   FFProfDir    i   COPY cert8 db cert8 db orig  y  For   x in    CertDir  Cert1 crt   do   Certdir  certutil exe  -A -n  Cert1  -i    x  -t  TCu TCu TCu  -d    For   x in    CertDir  Cert2 crt   do   Certdir  certutil exe  -A -n  Cert2  -i    x  -t  TCu TCu TCu  -d       DEL  f  q   Temp  FFProfile txt    Executed the BAT file with good results

User · Answer

The easiest way is to import the certificate into a sample firefox-profile and then copy the cert8 db to the users you want equip with the certificate   First import the certificate by hand into the firefox profile of the sample-user  Then copy     home   USER   mozilla firefox   randomalphanum  default cert8 db  Linux Unix   userprofile  Application Data Mozilla Firefox Profiles  randomalphanum  default cert8 db  Windows    into the users firefox-profiles  That s it  If you want to make sure  that new users get the certificate automatically  copy cert8 db to     etc firefox-3 0 profile  Linux Unix   programfiles  firefox-installation-folder defaults profile  Windows

User · Answer

I have an update of this awesome answer  just not working any more with last Firefox updates   in this same thread  made by H -Dirk Schmitt  also thanks to the answer in this other thread made by BecarioEstrella  I just adapted the script to recent changes  Tested in 2021 just in Firefox 85 0 1  64bit  in Ubuntu 20 04 and 18 04     usr bin env bash  function usage     echo  quot Error  no certificate filename or name supplied  quot    echo  quot Usage      installcerts sh  lt certname gt  pem  lt Cert-DB-Name gt  quot    exit 1     if   -z  quot  1 quot         -z  quot  2 quot      then     usage fi  certificate file  quot  1 quot  certificate name  quot  2 quot  for certDB in   find     mozilla     thunderbird -name  quot cert9 db quot   do   cert dir   dirname   certDB      echo  quot Mozilla Firefox certificate quot   quot install    certificate name   in   cert dir  quot    certutil -A -n  quot   certificate name  quot  -t  quot TCu Cuw Tuw quot  -i   certificate file  -d sql  quot   cert dir  quot  done  If you want it just for Firefox  replace the line  for certDB in   find     mozilla     thunderbird -name  quot cert9 db quot    By for certDB in   find     mozilla  -name  quot cert9 db quot    Further readings   NSS Shared DB NSS Shared DB Howto

User · Answer

Firefox now  since 58  uses a SQLite database cert9 db instead of legacy cert8 db  I have made a fix to a solution presented here to make it work with new versions of Firefox   certificateFile  MyCa cert pem  certificateName  MyCA Name   for certDB in   find     mozilla     thunderbird -name  cert9 db   do   certDir   dirname   certDB       log  mozilla certificate   install    certificateName   in   certDir     certutil -A -n    certificateName   -t  TCu Cuw Tuw  -i   certificateFile  -d sql   certDir  done

User · Answer

Just wanted to add to an old thread to hopefully aid other people  I needed programmatically add a cert to the firefox database using a GPO  this was how I did it for Windows  1  First download and unzip the precompiled firefox NSS nss-3 13 5-nspr-4 9 1-compiled-x86 zip  2  Add the cert manually to firefox Options-- Advanced--Certificates-- Authorities-- Import  3  from the downloaded NSS package  run  certutil -L -d c  users  username  appdata roaming mozilla firefox  profile  default       4  The above query will show you the certificate name and Trust Attributes e g   my company Ltd                                CT C C       5  Delete the certificate in step 2  Options-- Advanced--Certificates-- Authorities-- Delete  6  Create a powershell script using the information from step 4 as follows  This script will get the users profile path and add the certificate  This only works if the user has one firefox profile  need somehow to retrieve the users firefox folder profile name    Script adds Radius Certificate to independent Firefox certificate store since the browser does not use the Windows built in certificate store        Get Firefox profile cert8 db file from users windows profile path  ProfilePath    C  Users      env username     AppData Roaming Mozilla Firefox Profiles    ProfilePath    ProfilePath    Get-ChildItem  ProfilePath   ForEach-Object      Name    ToString     Update firefox cert8 db file with Radius Certificate certutil -A -n  UK my company  -t  CT C C  -i CertNameToAdd crt -d  ProfilePath       7  Create GPO as a User Configuration to run the PowerShell script  Hope that helps save someone time

User · Answer

I was trying to achieve the same thing in Powershell and wrote a script to perform various functions that can be interactively selected  Of course  it s fairly easy to modify the script to automate certain things instead of provide options   I m an Infrastructure guy rather than a coder programmer  so apologies if it s a bit cumbersome  but it does work      Save the following as a PS1                                                                                                            NAME  RegisterFireFoxCertificates ps1       AUTHOR  Andy Pyne      DATE    22 07 2015       COMMENT  To provide options for listing  adding  deleting and purging   FireFox Certificates using Mozilla s NSS Util CertUtil   Source  https   developer mozilla org en-US docs Mozilla Projects NSS tools NSS Tools certutil     NOTE  You need a copy of the NSS Util CertUtil and it s associated dll s   The specific files I used were       certutil exe  fort32 dll  freebl3 dll  libnspr4 dll  libplc4 dll  libplds4 dll  nspr4 dll     nss3 dll  nssckbi dll  nssdbm3 dll  nssutil3 dll  plc4 dll  plds4 dll  smime3 dll     softokn3 dll  sqlite3 dll  ssl3 dll  swft32 dll                                                                                                                                                                                                             Setup a few parameters  ErrorActionPreference    Silentlycontinue   ExecutionPolicyOriginal   Get-ExecutionPolicy  FireFoxExecutable    C  Program Files  x86  Mozilla Firefox Firefox exe      This is the Firefox certificate database  CertDB    Cert8 db     The Certificate Nickname is a name you want to see on the certificates that you ve imported in - so you know they were imported by this process   However  when you look at the certificates in Firefox  they will be listed under whatever the certificate name was when it was generated   So if your certificate is listed as  Company123  when imported  it will still be called that as the Common Name  but when you click to view   it  you will see that the first item in the Certificate Fields is what you  nicknamed  it   CertificateNickname    MyCompanyName FF AutoImport Cert     The Legacy Certificates are specific explicit certificates which you wish to delete  The  purge  option later in the script references these items   LegacyCertificates      OldCertificate1    Company Cert XYZ    Previous Company name    Unwanted Certificate - 7    123APTEST123      This is the list of databases   Firefox profiles on the machine  FFDBList          Making sure our temporary directory is empty  FFCertLocationLocal    C  FFCertTemp     The remote location of the certificates and   FFCertLocationRemote      myUNC NETLOGON FireFoxCert      The local CertUtil executable  this is copied from the remote location above   FFCertTool     FFCertLocationLocal CertUtil exe     Making sure our temporary directory is empty Remove-Item  FFCertLocationLocal -Recurse New-Item -ItemType Directory -Path  FFCertLocationLocal                                                                                                                                                                                                           Clear    We re going to get a list of the Firefox processes on the machine that are open and close them   Otherwise the add delete parts might not be successful with Firefox still running  FireFoxRunningProcessesList   Get-Process   Where-Object     Name -Match  FireFox     Select-Object ProcessName Id   Format-Table -AutoSize  FireFoxRunningProcesses   Get-Process   Where-Object     Name -Match  FireFox     Select-Object -ExpandProperty Id If    FireFoxRunningProcesses     Else   Write-Host  The following processes will be stopped to perform certificate manipulation    FireFoxRunningProcessesList  TerminateProcessQuestion   Read-Host  To auto-terminate  ungracefully   processes  press  Y   otherwise  press any other key  If   TerminateProcessQuestion -ne  y     Clear Write-Host  Cannot continue as Firefox process is still running  ending script      Exit   Else  ForEach   FireFoxRunningProcess in  FireFoxRunningProcesses     Int  FireFoxRunningProcess    Convert   ToInt32  FireFoxRunningProcess  10  Stop-Process -Id  FireFoxRunningProcess -Force                                                                                                                                                                                                                The remote files  certificates and the NSS Tools CertUtil files are copied locally   FFCertificateListItemRemote   Get-ChildItem  FFCertLocationRemote -Recurse -Include   cer   dll certutil exe ForEach   FFCertificateItemRemote in  FFCertificateListItemRemote    Copy-Item  FFCertificateItemRemote FullName -Destination  FFCertLocationLocal     Get a list of the local certificates  FFCertificateListLocal   Get-ChildItem  FFCertLocationLocal -Recurse -filter   cer  Clear Set-ExecutionPolicy  Unrestricted     Find all Firefox profiles and create an array called FFDBList   Of course  you ll only be able to get to the ones your permissions allow  LocalProfiles   Get-ChildItem  C  Users    Select-Object -ExpandProperty FullName ForEach   LocalProfile in  LocalProfiles     FFProfile   Get-ChildItem   LocalProfile AppData Roaming Mozilla Firefox Profiles    Select-Object -ExpandProperty FullName If    FFProfile   Write-Host  There is no Firefox Profile for  LocalProfile   ELSE   FFDBList     FFProfile     Clear Write-Host                                     Write-Host  The List of FireFox Profiles is   Write-Host                                      FFDBList PAUSE                                                                                                                                                                                                            Setup 4x functions  List  Delete  Add and Purge      - List will simply list certificates from the Firefox profiles     - Delete will delete the certificates the same as the certificates you re going to add back in     So for example  if you have 2x certificates copied earlier for import   CompanyA  and  CompanyZ      then you can delete certificates with these names beforehand  This will prevent the      certificates you want to import being skipped duplicated because they already exist     - Add will simply add the list of certificates you ve copied locally     - Purge will allow you to delete  other  certificates that you ve manually listed in the     variable   LegacyCertificates  at the top of the script    Each of the functions perform the same 4x basic steps     1  Do the following 3x things for each of the Firefox profiles   2  Do the 2x following things for each of the certificates   3  Generate an expression using parameters based on the certificate nickname specified      earlier  and the profile and certificate informaiton   4  Invoke the expression  Function ListCertificates   Write-Host                                 ForEach   FFDBItem in  FFDBList     FFCertificateListItemFull    FFCertificateListItem FullName Write-Host  Listing Certificates for  FFDBitem   ExpressionToListCerts     FFCertTool -L -d    FFDBItem    Invoke-Expression  ExpressionToListCerts   PAUSE   Function DeleteOldCertificates   Write-Host                                 ForEach   FFDBItem in  FFDBList    ForEach   FFCertificateListItem in  FFCertificateListLocal     FFCertificateListItemFull    FFCertificateListItem FullName Write-Host  Deleting Cert  FFCertificateListItem for  FFDBitem   ExpressionToDeleteCerts     FFCertTool -D -n    CertificateNickname   -d    FFDBItem    Invoke-Expression  ExpressionToDeleteCerts    PAUSE   Function AddCertificates   Write-Host                                 ForEach   FFDBItem in  FFDBList    ForEach   FFCertificateListItem in  FFCertificateListLocal     FFCertificateListItemFull    FFCertificateListItem FullName Write-Host  Adding  FFCertificateListItem Cert for  FFDBitem   ExpressionToAddCerts     FFCertTool -A -n    CertificateNickname   -t   CT C C   -d    FFDBItem   -i    FFCertificateListItemFull    Write-Host  ExpressionToAddCerts Invoke-Expression  ExpressionToAddCerts  PAUSE    PAUSE   Function PurgeLegacyCertificates   Write-Host                                 ForEach   FFDBItem in  FFDBList    ForEach   LegacyCertificateItem in  LegacyCertificates     LegacyCertificateItemFull    LegacyCertificateItem FullName Write-Host  Purging Old Certs   LegacyCertificateItem  for  FFDBitem    ExpressionToDeleteLegacyCerts     FFCertTool -D -n    OldCertificate   -d    FFDBItem     ExpressionToDeleteLegacyCerts     FFCertTool -D -n    LegacyCertificateItem   -d    FFDBItem    ForEach   LegacyCertificate in  LegacyCertificates    Invoke-Expression  ExpressionToDeleteLegacyCerts     PAUSE                                                                                                                                                                                                                 Creating a few options to invoke the various functions created above   CertificateAction       Function CertificateActionSelection   Do   Clear  CertificateAction   Read-Host  Would you like to  L ist all certificates  D elete all old certificates   A dd new certificates  or  P urge legacy certificates     Until   CertificateAction -eq  L  -or  CertificateAction -eq  D  -or  CertificateAction -eq  A  -or  CertificateAction -eq  P     If   CertificateAction -eq  L    ListCertificates  If   CertificateAction -eq  D    DeleteOldCertificates  If   CertificateAction -eq  A    AddCertificates  If   CertificateAction -eq  P    PurgeLegacyCertificates     Do   Clear  MoreCertificateActions   Read-Host  Would you like to  L aunch Firefox  as  env USERNAME   take a  C ertificate action  or  Q uit   If   MoreCertificateActions -eq  L     Invoke-Item  FireFoxExecutable Exit  If   MoreCertificateActions -eq  C    CertificateActionSelection     Until   MoreCertificateActions -eq  Q    Remove-Item  FFCertLocationLocal -Recurse Set-ExecutionPolicy  ExecutionPolicyOriginal  Exit

User · Answer

Recent versions of Firefox support a policies json file that will be applied to all Firefox profiles   For CA certificates  you have some options  here s one example  tested with Linux Ubuntu where I already have system-wide CA certs in  usr local share ca-certificates   In  usr lib firefox distribution policies json         policies              Certificates                  Install                       usr local share ca-certificates my-custom-root-ca crt                                    Support for Thunderbird is on its way

User · Answer

Here is an alternative way that doesn t override the existing certificates   bash fragment for linux systems   certificateFile  MyCa cert pem  certificateName  MyCA Name   for certDB in   find     mozilla     thunderbird -name  cert8 db   do   certDir   dirname   certDB       log  mozilla certificate   install    certificateName   in   certDir     certutil -A -n    certificateName   -t  TCu Cuw Tuw  -i   certificateFile  -d   certDir  done   You may find certutil in the libnss3-tools package  debian ubuntu    Source  http   web archive org web 20150622023251 http   www computer42 org 80 xwiki-static exported DevNotes xwiki DevNotes Firefox html   See also  https   developer mozilla org en-US docs Mozilla Projects NSS tools NSS Tools certutil

[firefox] Programmatically Install Certificate into Mozilla

Examples related to firefox

Examples related to certificate