CA:AddRootToFirefox

From MozillaWiki
Revision as of 00:28, 13 February 2015 by Kathleen Wilson (talk | contribs)
Jump to navigation Jump to search

Installing Certificates Into Firefox

There are lots of organizations that use their own certificate authority to issue certificates for their internal servers. Unfortunately since Firefox does not use the Windows certificate store (bug 432802, bug 472113), these have to be manually added into Firefox. This page will cover how to get those CAs into Firefox.

Credits

The original content in this wiki page was copied (with permission) from Mike Kaply's Blog.

CCK2

The easiest way to get your CAs into Firefox is to use CCK2. CCK2 allows certificate authorities and server certificates to be installed into the browser. It supports PEM, DER and text. It also allows you to designate certificate overrides (sites where certificate errors are ignored). Just go to the certificate page and point to either a URL or a local file where the certificate is contained.

AutoConfig via JavaScript

If you're using AutoConfig without CCK2, you can still use the API that the CCK2 uses to install certificate authorities. Here's what it looks like to install the cacert.org root certificate:

  1. var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
  2. var certdb2 = certdb;
  3. try {
  4. certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
  5. } catch (e) {}
  6. cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
  7. certdb2.addCertFromBase64(cert, "C,C,C", "");

The three Cs mean to trust the certficate for servers, email and objects. The third parameter is the name, but it is ignored. If you want to install binary certificates, things get more complicated. In that case, I'd definitely recommend the CCK2.

PolicyPak

PolicyPak supports adding certificate authorites to Firefox via Group Policy.

Preload the certificate databases

Some people create a new profile in Firefox, install the certificates they need, and then distribute the various db files (cert8.db, key3.db and secmod.db) into new profiles using this method. I don't recommend this method (and it only works for new profiles).

certutil

If you're a real diehard, you can use certutil to update the Firefox certificate databases from the command line.

Retrieved from "https://wiki.allizom.org/index.php?title=CA:AddRootToFirefox&oldid=1055930"