CA:AddRootToFirefox: Difference between revisions

Redirect to new version of this page
 
(11 intermediate revisions by 3 users not shown)
= Installing Certificates Into Firefox =
#REDIRECT [[CA/AddRootToFirefox]]
 
Many organizations use their own certificate authority to issue certificates for their internal servers. Unfortunately, since Firefox does not use the Windows certificate store ({{Bug|432802}}, {{Bug|472113}}), these CA certificates have to be added to Firefox manually. This page covers how to get those CAs into Firefox.
 
=== Credits ===
The original content in this wiki page was copied (with permission) from [http://mike.kaply.com/2015/02/10/installing-certificates-into-firefox/ Mike Kaply's Blog].
 
== CCK2 ==
 
The easiest way to get your CAs into Firefox is to use [http://mike.kaply.com/cck2/ CCK2]. [http://mike.kaply.com/cck2/ CCK2] allows certificate authorities and server certificates to be installed into the browser. It supports PEM, DER and text. It also allows you to designate certificate overrides (sites where certificate errors are ignored). Just go to the certificate page and point to either a URL or a local file where the certificate is contained.
 
== AutoConfig via JavaScript ==
 
If you're using AutoConfig without CCK2, you can still use [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIX509CertDB.idl#389 the API] that the CCK2 uses to install certificate authorities. Here's what it looks like to install the [http://www.cacert.org/index.php?id=3 cacert.org root certificate]:
 
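<pre>
// Shorthands for the XPCOM class and interface registries.
var Cc = Components.classes;
var Ci = Components.interfaces;
var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
var certdb2 = certdb;
try {
  // Use nsIX509CertDB2 where it exists; otherwise keep nsIX509CertDB.
  certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
} catch (e) {}
// This should be the certificate content with no line breaks at all.
var cert = "MIIHPT...zTMVD";
// Arguments: base64 certificate, trust string, name (ignored).
certdb2.addCertFromBase64(cert, "C,C,C", "");
</pre>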
 
The three Cs in the trust string mean to trust the certificate for servers, email and objects. The third parameter is the name, but it is ignored. If you want to install binary certificates, things get more complicated. In that case, I'd definitely recommend the [http://mike.kaply.com/cck2/ CCK2].
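The cert string passed to addCertFromBase64 above must be the base64 body of the certificate with no line breaks. As an added example (not from the original page or from CCK2), this Node.js helper, meant to be run on an admin workstation, turns a PEM file into that string and rejects it unless the DER is intact and its SHA-256 fingerprint matches the one published by the CA. The function names and the sample stub are assumptions made for illustration.

```javascript
// Added example (Node.js), not from the original page. The sample "certificate"
// at the bottom is a constructed 5-byte DER stub, not a real X.509 certificate.
const { createHash } = require("crypto");

// Convert one PEM block into the single-line base64 string that
// addCertFromBase64() expects, checking it against a known fingerprint.
function pemToAutoConfigString(pem, expectedSha256) {
  const blocks = pem.match(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g);
  if (!blocks || blocks.length !== 1) {
    throw new Error("expected exactly one CERTIFICATE block");
  }
  // Drop the armor lines and every line break or space.
  const b64 = blocks[0].replace(/-----(BEGIN|END) CERTIFICATE-----/g, "").replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    throw new Error("body is not valid base64");
  }
  const der = Buffer.from(b64, "base64");
  checkDerSequence(der);
  // Compare against the fingerprint obtained from the CA out of band.
  const sha256 = createHash("sha256").update(der).digest("hex");
  const want = expectedSha256.replace(/[:\s]/g, "").toLowerCase();
  if (sha256 !== want) {
    throw new Error("SHA-256 fingerprint mismatch: got " + sha256);
  }
  return b64;
}

// A certificate is one DER SEQUENCE whose declared length covers the whole
// buffer; a truncated or padded paste fails this check.
function checkDerSequence(der) {
  if (der.length < 2 || der[0] !== 0x30) throw new Error("not a DER SEQUENCE");
  let len = der[1];
  let header = 2;
  if (len & 0x80) { // long form: the next n bytes hold the length
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) throw new Error("bad DER length");
    len = der.readUIntBE(2, n);
    header += n;
  }
  if (header + len !== der.length) throw new Error("DER length does not match data");
}

// Constructed sample: SEQUENCE { INTEGER 1 } wrapped in PEM armor.
const samplePem = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n";
```

The fingerprint argument accepts plain hex or the colon-separated form that certificate viewers display.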
 
== PolicyPak ==
 
[http://www.policypak.com/products/manage-firefox-with-group-policy.html PolicyPak] supports adding certificate authorities to Firefox via Group Policy.
 
== Preload the certificate databases ==
 
Some people create a new profile in Firefox, install the certificates they need, and then distribute the various db files (cert8.db, key3.db and secmod.db) into new profiles using [http://mike.kaply.com/2012/03/30/customizing-firefox-default-profiles/ this method]. I don't recommend this method (and it only works for new profiles).
 
== certutil ==
 
If you're a real diehard, you can use [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil certutil] to update the Firefox certificate databases from the command line.