Unable to add peer Certificate to Firefox DB using certutils

Kriti Jain

Mar 14, 2022, 3:39:21 AM
to dev-tec...@mozilla.org

Requirement: The local certificate being generated should be added as a peer certificate in Firefox.

Current approach:

1. Fetched nss-3.75 and built the binaries for both Mac and Windows.
2. Used the generated certutil.exe application to add the local certificate to the Firefox DB.
3. The command used was:

certutil -A -d sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release" -i <Local Certificate Path/Name> -n 127.0.0.1 -t "P,,"

Expectation: The certificate should have been added as a peer certificate in Firefox.

Current behavior: The command does not return any errors, but the certificate is not reflected as a peer.

When we run the command to list the added certificate, the attributes returned are:

Signed Extensions:
            Name: Certificate Authority Key Identifier
            Issuer:
                Directory Name: "CN=127.0.0.1,O=A2ML41623"
            Serial Number:
                16:d2:0e:c8:3e:c1:d9:c7:1c:ae:a5:c7:b6:b8:85:5c:
                4d:56:ba:db

            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Certificate Subject Alt Name
            IP Address: 127.0.0.1

            Name: Certificate Comment
            Comment: "OpenSSL Generated Certificate"

However, the certificate does not seem to be added in Firefox, as the WebSocket connection does not happen.

On running the validate command for the added certificate with the usage V (as an SSL server), we get the output:

certutil: certificate is invalid: Certificate key usage inadequate for attempted operation.

On running the validate command for the added certificate with the usage C (as an SSL client), we get the output:

certutil: certificate is valid
Note: When we run the command:

certutil -A -d sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release" -i <Local Certificate Path/Name> -n 127.0.0.1 -t "PCu,,"

The certificate gets added to the Firefox DB as a certificate authority and the WebSocket connection is established as expected.

Adding the certificate as a CA raises security concerns, hence we need to add it as a peer certificate. We kindly request your help with how we can add the certificate as a peer in the Firefox DB.
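As an added example (not from the post, and not NSS's own code), the following preflight reproduces the two things the post exercises: what each certutil -t trust column grants, and the key-usage/EKU check that certutil -V applies to the leaf before it looks at trust at all. It assumes the OpenSSL-generated key is RSA, which the post does not state; the required-usage table follows NSS's classic verifier, where a server-auth check on an RSA key demands keyEncipherment and a client-auth check demands digitalSignature.

```python
# Added example (not from the post or from NSS): preflight for the certutil
# -t trust string and the key-usage check NSS applies before consulting trust.

# certutil -t trust letters; the three columns are SSL, email, object signing.
TRUST_LETTERS = {
    "p": "valid peer",
    "P": "trusted peer (explicitly trusted end-entity)",
    "c": "valid CA",
    "C": "trusted CA for server certificates",
    "T": "trusted CA for client certificates",
    "u": "user certificate (private key present)",
}


def parse_trust(trust):
    """Split 'ssl,email,objsign' and report what each column grants."""
    cols = trust.split(",")
    if len(cols) != 3:
        raise ValueError("trust string needs three comma-separated columns")
    result = {}
    for name, col in zip(("ssl", "email", "objsign"), cols):
        result[name] = {
            "meaning": [TRUST_LETTERS.get(ch, "unknown letter %r" % ch) for ch in col],
            # C or T makes the cert a trust anchor that may issue other certs
            "grants_ca_trust": any(ch in "CT" for ch in col),
            "grants_peer_trust": "P" in col,
        }
    return result


def check_usage(usage, key_usage, eku, key_type="rsa"):
    """Mirror the leaf checks behind certutil -V -u V (server) / -u C (client).
    key_usage and eku are sets of extension values; an empty key_usage means the
    extension is absent (NSS then allows all usages). None means the leaf passes."""
    if usage == "server":
        # NSS wants "key agreement or encipherment": keyEncipherment for RSA,
        # digitalSignature or keyAgreement for an EC key (assumed mapping).
        needed_ku = {"keyEncipherment"} if key_type == "rsa" else {"digitalSignature", "keyAgreement"}
        needed_eku = "serverAuth"
    elif usage == "client":
        needed_ku, needed_eku = {"digitalSignature"}, "clientAuth"
    else:
        raise ValueError("usage must be 'server' or 'client'")
    if key_usage and not key_usage & needed_ku:
        return "certificate is invalid: Certificate key usage inadequate for attempted operation."
    if eku and needed_eku not in eku:
        return "certificate is invalid: Certificate type not approved for application."
    return None
```

Feeding it the extensions listed above (digitalSignature only, serverAuth plus clientAuth) gives the same split result the post reports: the server check fails on key usage while the client check passes, independently of whether "P,," or "PCu,," was used; the trust parser shows only the latter grants CA trust in the SSL column.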
