Requirement : The local certificate being generated should be added as a Peer certificate in Firefox
Current Approach : 1. Fetched nss-3.75 and built the binaries for both MAC and Windows.
2. Used the generated certutil.exe application to add the local certificate to firefox db.
3. The command used was:
certutil -A -d sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release" -i <Local Certificate Path/Name> -n 127.0.0.1 -t "P,,"
Expectation: The certificate should have been added as a peer certificate in Firefox.
Current Behavior: The command is not returning any errors, but certificate is not reflected as a peer.
When we run command to List the added certificate, the attributes returned are:
Signed Extensions:
Name: Certificate Authority Key Identifier
Issuer:
Directory Name: "CN=127.0.0.1,O=A2ML41623"
Serial Number:
16:d2:0e:c8:3e:c1:d9:c7:1c:ae:a5:c7:b6:b8:85:5c:
4d:56:ba:db
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Key Usage
Usages: Digital Signature
Name: Extended Key Usage
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Alt Name
IP Address: 127.0.0.1
Name: Certificate Comment
Comment: "OpenSSL Generated Certificate"
However, the certificate does not seem to be added in firefox, as the web socket connection does not happen.
On running the Validate command for the certificate added and adding the usage as V(As an SSL Server), we get the output:
certutil: certificate is invalid: Certificate key usage inadequate for attempted operation.
On running the Validate command for the certificate added and adding the usage as C(As an SSL Client), we get the output:
certutil: certificate is valid
Note: When we run the command:
certutil -A -d sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release" -i <Local Certificate Path/Name> -n 127.0.0.1 -t "PCu,,"
The certificate gets added to the firefox db as a Certificate Authority and the WebSocket connection is established as expected.
Adding the certificate as a CA raises security concerns, hence we need to add it as a Peer certificate. Request you to kindly help us with how we can add the certificate as Peer in the firefox DB.