I'm looking for a way to pre-import our private CA certificate into cert8.db. But this file doesn't exist before TB creates the profile, and it seems TB fills it from some hardcoded information.
There is a command-line way to add a certificate to the store, but it works only once the cert8.db file has already been created.
Searching through omni.jar, I found calls to "certdb.importCertsFromFile" (in "omni.jar\chrome\pippki\content\pippki\certManager.js").
That looked promising, so I tried it in my thunderbird.cfg autoconf script, but I get
"Netscape.cfg/AutoConfig failed. [...] ReferenceError: certdb is not defined"
This is what I tried so far:
// Native path of the CA certificate (UNC share); importCertsFromFile takes an
// nsIFile, not a file:// URL string.
var certpath = "\\\\server\\share\\...\\my-cacert.cer"; //using a correct path of course
try {
const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
const nsIX509Cert = Components.interfaces.nsIX509Cert;
// The certificate database service, obtained the same way certManager.js does;
// without this line "certdb" is undefined, which is the ReferenceError above.
var certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
var certfile = Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
certfile.initWithPath(certpath);
certdb.importCertsFromFile(null, certfile, nsIX509Cert.CA_CERT);
} catch(e) {
displayError("Add certificate", e);
}
Would someone know if something like that is at all possible?
PS: In case anyone is interested, this is a command-line way of doing it in Bash. In Debian, certutil was available in "libnss3-tools" (sudo apt-get install libnss3-tools). For Windows users, it seems much harder to find a binary.
name="Name of your CA"
certfile=/path/to/your-cacert.cer   # DER file; add -a below for a PEM (Base64) file
dir=/path/to/tb-profile-dir
# -t "C,C,C": trusted CA for SSL, S/MIME and object signing, in that order
certutil -A -n "$name" -t "C,C,C" -d "$dir" -i "$certfile"
# or to first check, and only do it if needed:
certutil -L -d "$dir" | grep -q "$name" || certutil -A -n "$name" -t "C,C,C" -d "$dir" -i "$certfile"
However, running this at night on the user's profile directories after searching for cert8.db files seems like a really clumsy way of doing it. And anyway, it doesn't work for fresh profiles.
_______________________________________________
tb-enterprise mailing list
tb-ent...@mozilla.org
https://mail.mozilla.org/listinfo/tb-enterprise
I have done this by importing our certs into cert8.db,
then copying it into the distribution package in the /defaults/profile directory.
hth,
--
Infineon Technologies IT-Services GmbH Martin.S...@infineon.com
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
> "Netscape.cfg/AutoConfig failed. [...] ReferenceError: certdb is not
> defined"
>
> This is what I tried so far:
[snip]
> Would someone know if something like that is at all possible?
This would be much better, if it is possible. I'm very interested in
this as well (the lack of a way to import certs into existing profiles is
one of my pet peeves with Mozilla products).
Timo Pietilä
I haven't been able to compile NSS on Windows with MinGW, but did it for
OS X and used nss-tools for Linux.
I have noticed that "sometimes" (still trying to figure out when/why) the
certificate database becomes corrupt (complaining about a bad database). Maybe
the corrupt file is key9.db/key3.db.
Some people suggested this could happen if Firefox and certutil are
using cert8 at the same time, because it doesn't support concurrency.
(cert db version 9 should.)
If any of you succeed in building NSS/JSS on Windows using MinGW, let me
know. For now, I'm still using an old version I have.
Also, I'm interested in importing into non-existing profiles. Keep us updated!
I read this article, in French:
http://www.cnrs.fr/aquitaine-limousin/spip.php?article1687
I adapted this article to my situation: make a custom installation of
Firefox 5.0.1 and Thunderbird 5.0 on Windows for my company, with a custom
prefs.js and the company's certificate.
For this example of adding a certificate, I work with Firefox.
- I download Firefox.
- I download the certutil program from Mozilla. I rename Mozilla's
certutil to moz_certutil to avoid confusion with the Windows certutil.
- I install Firefox.
- I open Firefox, so that there is a folder for Firefox data (Documents and
Settings\xxxx\Application Data\Firefox).
- I close Firefox.
- Unpack the downloaded Firefox Setup program with 7-Zip into the folder
"Firefox Setup 5.0.1".
- List the certificates in Firefox. In DOS, type:
moz_certutil -L -d "C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\jlljldjk.default"
- Add the company SI certificate. In DOS, type:
moz_certutil -A -n "SSI - Service de l informatique" -i "c:\cert\casit.crt" -t "C,c,c" -d "C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\jlljldjk.default"
- List the certificates again to check the new certificate. In DOS, type:
moz_certutil -L -d "C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\jlljldjk.default"
- In the Firefox personal folder (Documents and Settings\xxxx\Application
Data\Firefox), copy the file cert8.db.
- Paste cert8.db into the folder Firefox Setup 5.0.1\core\defaults\profile\.
- With 7-Zip, 7zSD.sfx and app.tag, patch the new installer; look for
a tutorial on the internet.
Bye.
Christin
After manually importing the certificate(s), save a copy of the "cert8.db" file from your profile directory.
Copy that cert8.db file to the program directory ("C:\Program Files (x86)\Mozilla Thunderbird") into a "\defaults\profile" subdirectory.
That works well, for both Firefox and Thunderbird, for new profiles. For existing profiles, you need to overwrite their cert8.db in the user profile.
An alternative to creating the master cert8.db by manually importing certificates through the Mozilla GUI is to use the libnss certutil command, as described in my first message in this thread.
Thanks to all,
MI
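Putting the two procedures from this thread into one script, as an added example that is not code from any of the posters: the certutil import into every existing profile from the first message, and the master cert8.db for <install>/defaults/profile from Christin's steps and the summary above. It assumes certutil from libnss3-tools is on PATH and is given the certificate file (DER .cer/.crt or PEM), the CA nickname, the defaults/profile directory and one or more directories to search for existing profiles; those arguments and the lock-file names it checks (lock and .parentlock on Unix, parent.lock on Windows) are the assumptions. It adds three checks the thread's one-liners do not have: an exact nickname match against the certutil -L output instead of a substring grep, a refusal to touch a profile that Thunderbird has open (the concurrency corruption mentioned earlier in the thread), and a verification that the trust flags actually took.

```shell
#!/bin/sh
# Added example (not from the thread). Deploy a private CA certificate into
# NSS cert8.db databases with certutil (Debian: libnss3-tools).
#   sh ca-deploy.sh CERTFILE "CA nickname" /path/to/thunderbird/defaults/profile /home
# Assumed (hypothetical) layout: CERTFILE is DER (.cer) or PEM; every directory
# under the given roots that holds a cert8.db is treated as a profile.
set -eu

# ca_trust_flags NICKNAME   (reads "certutil -L" output on stdin)
# Prints the trust column (e.g. "C,C,C") for an exact nickname match, nothing
# otherwise. "certutil -L | grep -q NAME" also matches "NAME 2"; this does not.
ca_trust_flags() {
    awk -v want="$1" '
        NF < 2 { next }                                   # blank lines
        $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next } # header lines
        { flags = $NF; nick = $0
          sub(/[ \t]+[^ \t]+$/, "", nick)                 # drop the trust column
          if (nick == want) { print flags; exit } }'
}

# trust_ok FLAGS -> true when the SSL and S/MIME slots both carry C (trusted CA).
# A lowercase "c" alone (valid but untrusted CA) still leaves mail servers unverified.
trust_ok() {
    ssl=${1%%,*}
    rest=${1#*,}
    smime=${rest%%,*}
    case "$ssl"   in *C*) ;; *) return 1 ;; esac
    case "$smime" in *C*) ;; *) return 1 ;; esac
    return 0
}

# profile_locked DIR -> true while Thunderbird/Firefox has the profile open.
# cert8.db has no concurrency support: certutil writing it while the
# application runs is the "bad database" corruption reported in the thread.
profile_locked() {
    for f in lock .parentlock parent.lock; do
        if [ -e "$1/$f" ] || [ -L "$1/$f" ]; then return 0; fi
    done
    return 1
}

# ensure_ca DIR NICK CERTFILE: create the database if it does not exist,
# import the CA if the nickname is absent, then verify the trust flags.
ensure_ca() {
    dir=$1 nick=$2 cert=$3
    ascii=""
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then ascii="-a"; fi
    if [ ! -f "$dir/cert8.db" ]; then
        # -N with an empty password file gives the empty master password a fresh profile has
        : > "$dir/.empty-pw"
        certutil -N -d "$dir" -f "$dir/.empty-pw"
        rm -f "$dir/.empty-pw"
    fi
    flags=$(certutil -L -d "$dir" | ca_trust_flags "$nick")
    if [ -z "$flags" ]; then
        certutil -A -n "$nick" -t "C,C,C" -d "$dir" $ascii -i "$cert"
        flags=$(certutil -L -d "$dir" | ca_trust_flags "$nick")
    fi
    if ! trust_ok "$flags"; then
        echo "$dir: '$nick' present but trust is '${flags:-missing}'" >&2
        return 1
    fi
}

# main CERTFILE NICK DEFAULTS_PROFILE_DIR PROFILE_ROOT...
main() {
    cert=$1 nick=$2 defaults=$3; shift 3
    # 1. master database for new profiles: built in a scratch directory, and only
    #    cert8.db is shipped (key3.db/secmod.db are created per profile anyway)
    scratch=$(mktemp -d)
    ensure_ca "$scratch" "$nick" "$cert"
    mkdir -p "$defaults"
    cp "$scratch/cert8.db" "$defaults/cert8.db"
    rm -rf "$scratch"
    # 2. existing profiles: import into each one that is not currently in use
    for root in "$@"; do
        find "$root" -name cert8.db -print | while read -r db; do
            p=$(dirname "$db")
            if profile_locked "$p"; then
                echo "skip, profile in use: $p" >&2
                continue
            fi
            ensure_ca "$p" "$nick" "$cert" || echo "FAILED: $p" >&2
        done
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron with Thunderbird closed, or accept that in-use profiles are skipped until the next run. Profiles with a master password set need -f pwfile added to the certutil -A call; the script does not handle that. It imports into existing databases rather than overwriting them with the master copy, so users keep the certificates and trust decisions already stored in their own cert8.db.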
AFAIK Mozilla doesn't accept wildcard certificates anymore.
Just use a new Certificate Authority.
Import that into your cert8.db as trusted.
Then sign all your email server certificates with this CA
Now you can use them all without getting messages from Thunderbird.
Kind regards,
Christian Mack
--
Christian Mack
Gruppe Informationsdienste
Rechenzentrum Universität Konstanz
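Christian Mack's suggestion as a runnable procedure, added here as an example that is not code from the thread or from Mozilla: a private CA built with openssl, a mail server certificate signed by it, and the verification a client performs on the result. The organisation name and the hostnames (Example Corp, mail.example.com, imap.example.com) are placeholders. It writes the CA certificate as ca.cer in DER form, which is what the certutil -A commands earlier in the thread take, and checks the server certificate the way Thunderbird will: chain to the CA, and the hostname present in subjectAltName.

```shell
#!/bin/sh
# Added example (not from the thread). Private CA plus CA-signed mail server
# certificates. Example Corp and *.example.com are placeholders.
set -eu

# make_ca DIR CN: CA private key and self-signed CA certificate (PEM and DER).
# The config file pins the CA extensions so the same command behaves the same
# on OpenSSL 1.1.x and 3.x, whose defaults for -x509 differ.
make_ca() {
    dir=$1 cn=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = $cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem"
    chmod 600 "$dir/ca.key"
    # DER copy: the form certutil -A reads without -a (the thread's .cer/.crt files)
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.cer"
}

# sign_server CADIR OUTDIR HOST [ALT_HOST...]: server key and CSR, signed by the
# CA with every name in subjectAltName, which is what clients match against.
sign_server() {
    cadir=$1 out=$2 host=$3; shift 3
    mkdir -p "$out"
    san="DNS:$host"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=$host" \
        -keyout "$out/$host.key" -out "$out/$host.csr"
    cat > "$out/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl x509 -req -in "$out/$host.csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$out/$host.ext" -out "$out/$host.pem"
    chmod 600 "$out/$host.key"
}

# verify_chain CADIR CERT HOST -> true when CERT chains to the CA and HOST is in
# its subjectAltName: the two checks the mail client performs on the server.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then   # sh ca-sign.sh OUTROOT HOST ALT_HOST
    make_ca "$1/ca" "Example Corp Root CA"
    sign_server "$1/ca" "$1/srv" "$2" "$3"
    if verify_chain "$1/ca" "$1/srv/$2.pem" "$2"; then
        echo "OK: $1/srv/$2.pem chains to $1/ca/ca.cer; import ca.cer into cert8.db"
    fi
fi
```

Only ca.cer (the public certificate) goes into cert8.db on the clients; ca.key stays on the signing machine, since anyone holding it can issue a certificate Thunderbird will accept for any of your servers.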