
Default Certs for Mozilla


ronma...@gmail.com

Sep 14, 2006, 1:40:45 PM

My question is: how can I make an assigned set of CA certs be available
for any user that logs into the client? If I export these from IE, then
import them into Mozilla. I want them added so that the first time a user
logs into the system, they are present. This is a classified system, so
the certs are classified.

Thanks, Mac

Arshad Noor

Sep 14, 2006, 1:58:22 PM
to ronma...@gmail.com, dev-tec...@lists.mozilla.org
If you keep the individual CA certs as PEM files in a distinct
location, as part of the login process, you can use a script to
check for the presence of these CA certs in the cert-store and
then add them as appropriate.

Using two files, I remove third-party CAs from internal server
applications using client-auth:

File cacerts has a list of all CA names
---------------------------------------

ABAecom (sub., Am. Bankers Assn.) Root CA
Access America by DST
...
Verisign Class 4 Public Primary Certification Authority - G2
Verisign Class 4 Public Primary Certification Authority - G3
Verisign/RSA Commercial CA
Verisign/RSA Secure Server CA


File rmcerts removes them (written for Linux/UNIX)
--------------------------------------------------

#!/bin/ksh
#
# First parameter is the directory where cert7.db file exists
# Second parameter is the file that has list of certs to remove

if [ $# -ne 2 ]; then
    echo "Usage: $0 <cert7.db directory> <file with list of certs to remove>"
    exit 1
fi

# Read the nickname list on file descriptor 3, one nickname per line
exec 3< "$2"
while read -r -u3
do
    # -D deletes the cert with this nickname from the cert store in $1
    certutil -D -d "$1" -n "$REPLY"
    print -r "Deleted $REPLY"
done
# Show what is left in the store
certutil -L -d "$1"


Hope this helps.

Arshad Noor
StrongAuth, Inc.

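A login-time check of the kind Arshad describes, written here as an added example (it is not from the thread and not the rmcerts script above): it reduces the certutil listing of the user's cert store to nicknames, compares that against a directory of PEM files whose file names are the intended nicknames, and adds only the ones that are missing, so running it at every login is harmless. The directory layout, the trust string "CT,C,C" and the sample listing used below are assumptions; certutil is the NSS tool named in the thread.

```shell
#!/bin/sh
# Added example: make a fixed set of CA certs present in a user's NSS cert
# store at login. CA certs live as PEM files in a directory, one per CA, with
# the file name (minus .pem) used as the certutil nickname. Assumes the NSS
# certutil tool is on PATH; for an old cert7.db/cert8.db profile -d takes the
# profile directory, for the newer SQLite store it takes "sql:<directory>".

# Reduce `certutil -L -d <dir>` output to one nickname per line. certutil
# prints a two-line header, a blank line, then "<nickname>   <SSL>,<email>,<sign>"
# with the trust flags at the right; nicknames may contain spaces, so strip
# the flag column from the right instead of splitting on whitespace.
list_nicknames() {
    sed -E -n 's/[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p'
}

# Print the nicknames in $1 (directory of <nickname>.pem files) that do not
# appear in $2 (a file holding the output of list_nicknames).
missing_nicknames() {
    ca_dir=$1
    known=$2
    for pem in "$ca_dir"/*.pem; do
        [ -e "$pem" ] || continue              # no .pem files: glob stays literal
        nick=$(basename "$pem" .pem)
        grep -Fxq -- "$nick" "$known" || printf '%s\n' "$nick"
    done
}

# Add every CA from $2 that is missing from the NSS store in $1, marking it
# trusted as an SSL, e-mail and object-signing CA ("CT,C,C"); entries that
# are already present are left untouched.
ensure_ca_certs() {
    db_dir=$1
    ca_dir=$2
    listing=$(mktemp) || return 1
    certutil -L -d "$db_dir" | list_nicknames > "$listing"
    missing_nicknames "$ca_dir" "$listing" | while IFS= read -r nick; do
        certutil -A -d "$db_dir" -n "$nick" -t "CT,C,C" -i "$ca_dir/$nick.pem" \
            && echo "Added $nick"
    done
    rm -f "$listing"
}

# Usage: ensure-cacerts.sh <profile directory> <directory of PEM files>
if [ $# -eq 2 ]; then
    ensure_ca_certs "$1" "$2"
fi
```

The listing parser keys on the trailing "x,y,z" trust column rather than on column positions, because certutil right-aligns that column to the longest nickname in the store, so the width changes whenever a cert is added.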

Arshad Noor

Sep 14, 2006, 9:33:07 PM
to Ronald Mckenzie, dev-tec...@lists.mozilla.org

If you're using the current version of Firefox/Mozilla, the file will
be cert8.db and not cert7.db; you'll find it in the C:\Documents and
Settings\[UserName]\Application Data\Mozilla\Firefox\Profiles\[random
string]\ directory. If you're using Windows Explorer to find it,
make sure you've checked your options to show hidden files and system
folders.

You're welcome.

Arshad Noor
StrongAuth, Inc.

Ronald Mckenzie wrote:
> Good start. Where are the locations for the default Mozilla certs on
> Windows? I searched for cert7 and found nothing. Is it written into the
> jar files? Thanks, Ron
>
> On 9/14/06, * Arshad Noor* <arsha...@strongauth.com

David Stutzman

Sep 18, 2006, 7:51:52 AM

Actually, the root certs are stored in a file called libnssckbi.so or
libnssckbi.dll depending on Linux or Windows (I can't speak to other
platforms). I have successfully built my own libnssckbi on Linux. You
cannot actually delete the certs from that file as it is read-only. If
you do try you will notice they all come back when you restart Mozilla.
They will, however, no longer be trusted. There's been some
discussion on here about this behavior and ultimately it's better for
the end user. I believe the changes you made in the trust status will
get stored in the profile's cert8.db.

I created the following "script" for regenerating the libnssckbi each
time I want to add/remove certs. I couldn't figure out how to in-line
the perl so I created a separate file called chop-dn.pl which contains
that part. You can see the attempt at calling "perl -e" on one of the
commented out lines. I am by no means a master scripter, but it does
the job for me. I run the script on a Fedora Core 4 box inside a
directory containing all of the base64 (PEM) encoded certs I want in the
libnssckbi and it does everything else for me.

Something I am doing that you probably won't want to do is adding
non-root certs to the module (from the line "mv certdata.txt user" to
"cd ../"). The script will set SSL and EMAIL trust bits on any CA that
has "root" in the CN. If you also want code signing trust you will have
to modify that line. You can easily remove the if block and just call
the same addbuiltins command on all the certs you have. I also add
intermediate CAs but I do not set the trust bit on them. I found out
that the addbuiltins command doesn't pay attention to all the trust
flags that it is supposed to so a stock NSS 3.11.2 addbuiltins command
will not correctly add any certs with the "c" trust flag. This bug
outlines that: https://bugzilla.mozilla.org/show_bug.cgi?id=348882.

Oh...and credit to this CACert blog entry which got me started (but
isn't completely up to date): http://wiki.cacert.org/wiki/NSSLib

Dave

main script:

#!/bin/bash

#
# Name of certdata file (this shouldn't really change)
#
CERTDATA="certdata.txt"


#
# Some directories we'll use later
#
#NSS_BASE=/usr/local/src/nss-3.10
NSS_BASE=/mnt/public/NSS/nss-3.11.2
NSS_BUILD_DIR=$NSS_BASE/mozilla/security/nss
BUILTINS=$NSS_BUILD_DIR/lib/ckfw/builtins


#
# Cleanup DER encoded cert files from previous run
#
for CERT in $( ls *.der ); do
    rm -f $CERT
done

#
# Backup the last few libnssckbi's we built...
#
mv --force libnssckbi.so-2 libnssckbi.so-3
mv --force libnssckbi.so-1 libnssckbi.so-2
mv --force libnssckbi.so libnssckbi.so-1


#
# Prepare a new certdata.txt template
#
echo ""
echo "Preparing new certdata file"
echo 'CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.37 $ $Date: 2005/04/18 16:08:07 $"' > $CERTDATA
echo "#" >> $CERTDATA
echo "# The object to tell NSS that this is a root list and we don't" >> $CERTDATA
echo "# have to go looking for others." >> $CERTDATA
echo "#" >> $CERTDATA
echo "BEGINDATA" >> $CERTDATA
echo "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST" >> $CERTDATA
echo "CKA_TOKEN CK_BBOOL CK_TRUE" >> $CERTDATA
echo "CKA_PRIVATE CK_BBOOL CK_FALSE" >> $CERTDATA
echo "CKA_MODIFIABLE CK_BBOOL CK_FALSE" >> $CERTDATA
echo 'CKA_LABEL UTF8 "Mozilla Builtin Roots"' >> $CERTDATA
echo "" >> $CERTDATA


#
# Convert certificates to DER and add to certdata file
#
echo ""
echo "Converting certificates to DER and adding to certdata file"
for CERT in $( ls *.crt | cut -d. -f1 ); do

    # convert PEM cert to DER encoding
    openssl x509 -in $CERT.crt -out $CERT.der -outform DER

    # pretty-print cert, grep out the subject line, pass that line to perl
    #+ script which tokenizes the line and gives me back just the CN=foo part
    #+ then use cut to remove the CN=...this is the nickname we'll use
    NICKNAME=`openssl x509 -in $CERT.der -inform DER -text | grep -i subject: | perl chop-dn.pl | cut -d= -f2`
    # NICKNAME=`openssl x509 -in $CERT.der -inform DER -text | grep -i subject: | perl -e '@tokens = split(', ',<STDIN>); print $tokens[$#tokens];' | cut -d= -f2`
    echo $NICKNAME
    # append the cert to the certdata.txt file which will end up being
    #+ the built-in roots module; a CN containing "root" gets the SSL and
    #+ e-mail trust bits, everything else is added as a CA without trust
    echo $NICKNAME | grep -Eiq "root"
    if [ "$?" -eq 0 ]
    then
        addbuiltin -n "${NICKNAME}" -t "CT,C,c" < $CERT.der >> certdata.txt
    else
        addbuiltin -n "${NICKNAME}" -t "c,c,c" < $CERT.der >> certdata.txt
    fi

done

mv certdata.txt user
cd user
echo ""
echo "Adding user certs with specific nicknames"

for CERT in $( ls *.crt | cut -d. -f1 ); do
    openssl x509 -in $CERT.crt -out $CERT.der -outform DER

    echo $CERT

    # user (non-CA) certs: nickname is the file name, no trust bits
    addbuiltin -n "${CERT}" -t ",," < $CERT.der >> certdata.txt
done
mv certdata.txt ../
cd ../


#
# Move certdata file to builtins location
#
echo ""
echo "Moving certdata file to builtins location"
mv -f $CERTDATA $BUILTINS

#
# Process new certdata file
#
echo ""
echo "Processing new certdata file (ignore Perl warning...)"
cd $BUILTINS
make generate
cd -

#
# Rebuild NSS to create new libnssckbi.so file
#
echo ""
echo "Rebuilding NSS (quietly) to create new libnssckbi.so file"
cd $NSS_BUILD_DIR
make -s nss_build_all > /dev/null 2>&1
cd -

#
# Copy libnssckbi.so to current directory
#
echo ""
echo "Copying libnssckbi.so to current directory"
cp $BUILTINS/Linux2.6_x86_glibc_PTH_DBG.OBJ/libnssckbi.so .
echo "Copying libnssckbi.so to /mnt/public/linux-dev/nss"
cp libnssckbi.so /mnt/public/linux-dev/nss

echo ""
echo "*** All done ***"

and chop-dn.pl:

#!/usr/bin/perl
# Read one line (the "Subject:" line from openssl x509 -text), split it
# on ", " and print the last RDN, e.g. "CN=Foo Root CA"; the caller
# strips the "CN=" with cut.
$line = <STDIN>;
@tokens = split(', ',$line);
print $tokens[$#tokens];
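As an added example (not David's script and not part of NSS), the nickname and trust-flag selection from the post, reworked so the CN is picked out of the subject by pattern rather than by taking the last comma-separated token, which goes wrong when CN is not the final RDN. It accepts the "Subject:" line of `openssl x509 -text` as well as both styles `openssl x509 -subject` has printed over the years, applies the same rule as the post (a CN containing "root" gets "CT,C,c", any other CA gets "c,c,c"), and by default only prints the addbuiltin command lines instead of appending to certdata.txt. The sample subject lines, file names and the DRY_RUN variable are constructed for this example.

```shell
#!/bin/sh
# Added example (not the script from the post): choose the nickname and
# trust flags for each CA going into certdata.txt. Same rule as the post:
# a CN containing "root" becomes a trusted SSL/e-mail CA ("CT,C,c"); every
# other CA is recorded without trust ("c,c,c"). Assumes openssl and the NSS
# addbuiltin tool are on PATH; with DRY_RUN=1 (the default) addbuiltin is
# not run and the command that would run is printed instead.

# Print the CN from a subject line on stdin. Accepts the "Subject:" line of
# `openssl x509 -text` and both `-subject` styles ("/C=US/O=X/CN=Y" and
# "C = US, O = X, CN = Y"); the CN may sit anywhere in the DN. Prints
# nothing if there is no CN, so the caller can refuse to guess.
cn_from_subject() {
    sed -E -n 's|.*[,/ ]CN ?= ?([^,/]*[^,/[:space:]]).*|\1|p'
}

# Map a CN to the certdata.txt trust string: SSL, e-mail, object signing.
trust_flags_for_cn() {
    case "$1" in
        *[Rr][Oo][Oo][Tt]*) printf '%s\n' 'CT,C,c' ;;
        *)                  printf '%s\n' 'c,c,c' ;;
    esac
}

# For every *.crt (PEM) in $1: convert to DER, derive nickname and trust
# flags, and append the addbuiltin output to $2 (default certdata.txt).
build_certdata() {
    dir=$1
    out=${2:-certdata.txt}
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue                     # no .crt files at all
        der=${crt%.crt}.der
        openssl x509 -in "$crt" -out "$der" -outform DER || return 1
        subject=$(openssl x509 -in "$der" -inform DER -noout -subject) || return 1
        nick=$(printf '%s\n' "$subject" | cn_from_subject)
        if [ -z "$nick" ]; then
            echo "no CN found in $crt; refusing to guess a nickname" >&2
            return 1
        fi
        flags=$(trust_flags_for_cn "$nick")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'addbuiltin -n "%s" -t "%s" < "%s" >> "%s"\n' "$nick" "$flags" "$der" "$out"
        else
            addbuiltin -n "$nick" -t "$flags" < "$der" >> "$out" || return 1
        fi
    done
}

# Usage: build-certdata.sh <directory of .crt files> [certdata.txt]
if [ $# -ge 1 ]; then
    build_certdata "$@"
fi
```

Reviewing the dry-run output before setting DRY_RUN=0 is the point of the split: a CA whose CN happens to contain "root" but which should not be trusted for SSL shows up as "CT,C,c" in that listing, where it is cheap to catch, rather than after the module has been rebuilt and copied into place.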
