autoconfig to pre-import CA certificates?

1,679 views
Skip to first unread message

Mi

unread,
Sep 11, 2011, 8:31:49 AM9/11/11
to tb-ent...@mozilla.org
Hello,

I'm looking for a way to pre-import our private CA certificate into the cert8.db. But this file doesn't exist before TB creates the profile, and it seems it uses some hardcoded information to put in there.

There is a command-line way to add a certificate to the store, but it works only when the cert8.db file has already been created.

Searching through omni.jar, I found calls to "certdb.importCertsFromFile" (in "omni.jar\chrome\pippki\content\pippki\certManager.js").
That looked promising, so I tried it in my thunderbird.cfg autoconf script, but I get

"Netscape.cfg/AutoConfig failed. [...] ReferenceError: certdb is not defined"

This is what I tried so far:

var certfile = "file://///server/share/.../my-cacert.cer"; //using a correct path of course

try {
const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
const nsIX509Cert = Components.interfaces.nsIX509Cert;
const nsICertTree = Components.interfaces.nsICertTree;
const nsCertTree = "@mozilla.org/security/nsCertTree;1";
const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
const nsDialogParamBlock = "@mozilla.org/embedcomp/dialogparam;1";
const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
const nsPKIParamBlock = "@mozilla.org/security/pkiparamblock;1";
const nsINSSCertCache = Components.interfaces.nsINSSCertCache;
const nsNSSCertCache = "@mozilla.org/security/nsscertcache;1";

certdb.importCertsFromFile(null, certfile, nsIX509Cert.CA_CERT);
} catch(e) {
displayError("Add certificate", e);
}


Would someone know if something like that is at all possible?


PS: In case anyone is interested, this is a command-line way of doing it in Bash. In Debian, certutil was available in "libnss3-tools" (sudo apt-get install libnss3-tools). For Windows users, it seems much harder to find a binary.

name="Name of your CA";
certfile=/path/to/your-cacert.cer
dir=/path/to/tb-profile-dir

certutil -A -n "$name" -t "C,C,C" -d "$dir" -i "$certfile"

#or to first check, and only do it if needed:

certutil -L -d "$dir" | grep -q "$name" || certutil -A -n "$name" -t "C,C,C" -d "$dir" -i "$certfile"

However, running this at night on the user's profile directories after searching for cert8.db files seems like a really clumsy way of doing it. And anyway, it doesn't work for fresh profiles.

_______________________________________________
tb-enterprise mailing list
tb-ent...@mozilla.org
https://mail.mozilla.org/listinfo/tb-enterprise

Timo Pietilä

unread,
Sep 12, 2011, 1:06:02 AM9/12/11
to tb-ent...@mozilla.org
Mi wrote:
> Hello,
>
> I'm looking for a way to pre-import our private CA certificate into the
> cert8.db. But this file doesn't exist before TB creates the profile, and
> it seems it uses some hardcoded information to put in there.
>
> There is a command-line way to add a certificate to the store, but it
> works only when the cert8.db file has already been created.

I have done this in a way that I imported our certs in the cert8.db,
then copied it into distribution package in /defaults/profile directory.

> "Netscape.cfg/AutoConfig failed. [...] ReferenceError: certdb is not
> defined"
>
> This is what I tried so far:

[snip]

> Would someone know if something like that is at all possible?

This would be much better if it is possible. I'm very interested about
this as well (lacking capability to import certs in existing profiles is
one of my pet peeves in mozilla products).

Timo Pietilä

Martin Schuster (IFKL IT OS DS CD)

unread,
Sep 12, 2011, 1:55:30 AM9/12/11
to Mi, tb-ent...@mozilla.org
On 2011-09-11 14:31, Mi wrote:
> Hello,
>
> I'm looking for a way to pre-import our private CA certificate into the
> cert8.db.
>
Don't know if it's feasible for your setup, but you could also add
the CA cert directly into libnss, see
http://www.mail-archive.com/dev-tec...@lists.mozilla.org/msg00854.html
This requires you to compile libnss yourself, see
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
for instructions, and
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
for the nss-source.

hth,
--
Infineon Technologies IT-Services GmbH Martin.S...@infineon.com
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517

helpcrypto helpcrypto

unread,
Sep 14, 2011, 3:00:57 AM9/14/11
to tb-ent...@mozilla.org
Have used certutil for nss cert import after application first run.
Havent tried omni.jar.

I havent been able to compile nss on windows on mingw, but did it for
osx and used nss-tools for linux.

I have noticed "sometimes" (still trying to figure out when/why) the
certificate database becomes corrupt (complaining bad database). Maybe
the corrupt file is key9.db/key3.db.
Some people suggested this could happen if firefox and certutil are
using cert8 at the same time, cause it doenst support concurrency.
(cert db version 9 should)

If any of you succeed building nss/jss on windows using mingw, let me
know. by now, im still using an old version i have.
Also, im interested in importing to non-existing profiles. Keep us update!

helpcrypto helpcrypto

unread,
Sep 15, 2011, 5:55:36 AM9/15/11
to tb-ent...@mozilla.org
I have noticed modutil with -create option will create a secmod.db,
cert8.db and key3.db (9?) files, unless you specify -nocertdb option.
As stated in here:
http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html

LIVINE Christin

unread,
Sep 16, 2011, 8:37:54 PM9/16/11
to tb-ent...@mozilla.org
Hi,

In French, I read this article :
http://www.cnrs.fr/aquitaine-limousin/spip.php?article1687

I adapted this article for my situation. Make an custom installation for
firefox 5.0.1 and Thunderbird 5.0 on Windows for my company, with custom
prefs.js and certificate of company.

For this example of adding certificate, I work with Firefox.

- I download Firefox.

- I download the certificate program from Mozilla. I rename Mozilla
certutil to moz_cerutil to avoid confusion with Windows certutil.

- I Install Firefox.

- I open Firefox, so there is a folder for firefox data (Document and
settings\xxxx\Application Data\Firefox).

- I close Firefox.

- Unpack with 7-zip the downloaded firefox Setup program to folder
"Firefox Setup 5.0.1".

- List the certificates in Firefox. In DOS, type :
moz_certutil -L -d "C:\Documents and Settings\Administrateur\Application
Data\Mozilla\Firefox\Profiles\jlljldjk.default"

- Add certificate of the company SI. In DOS, type :
moz_certutil -A -n "SSI - Service de l informatique" -i
"c:\cert\casit.crt" -t "C,c,c" -d "C:\Documents and
Settings\Administrateur\Application
Data\Mozilla\Firefox\Profiles\jlljldjk.default"

-List again the cerficates for checking the new certificate. In DOS, type :
moz_certutil -L -d "C:\Documents and Settings\Administrateur\Application
Data\Mozilla\Firefox\Profiles\jlljldjk.default"

- In firefox personnal folder (Document and settings\xxxx\Application
Data\Firefox), copy file cert8.db.

- Paste cert8.db in folder Firefox Setup 5.0.1\core\defaults\profile\.

- With 7-zip, 7zSD.sfx and app.tag, pach the new installer, look for
tutorial in internet.


Bye.

Christin

Mi

unread,
Feb 9, 2012, 6:01:05 AM2/9/12
to tb-ent...@mozilla.org
A very late reply, but since it may be useful to others, here it is:

After manually importing the certificate(s), save a copy of the "cert8.db" file from your profile directory.
Copy that cert8.db file to the program directory ("C:\Program Files (x86)/Mozilla Thunderbird") into a "/defaults/profile" subdirectory.

That works well, for both Firefox and Thunderbird, for new profiles. For existing profiles, you need to overwrite their cert8.db in their user profile.

An alternative to creating the master cert8.db by manually importing certificates through the Mozilla GUI, is to use the libnss certutil command as described in my first message in this thread.


Thanks to all,

MI

Marc Patermann

unread,
Apr 26, 2012, 8:46:20 AM4/26/12
to tb-ent...@mozilla.org
Hi,

Mi schrieb (09.02.2012 12:01 Uhr):
> A very late reply, but since it may be useful to others, here it is:
>
> After manually importing the certificate(s), save a copy of the
> "cert8.db" file from your profile directory.
> Copy that cert8.db file to the program directory ("C:\Program Files
> (x86)/Mozilla Thunderbird") into a "/defaults/profile" subdirectory.
>
> That works well, for both Firefox and Thunderbird, for new profiles.
That's what I don't get to work. :(

I created the directory defaults/profile.
When I put a mimetypes.rdf in, this is copied over to a blank profile.
Fine.
When I put in a cert8.db, this does not work.

I use one self signed certificates for out internal mail servers -
*.example.com. So on first contact the user is asked if to trust the
certificate. I choose to trust the certificate permanently, which is
stored to certificate store (visible in the GUI). I copy this cert8.db
to defaults/profile, but it is not used as is on new profiles.

In TB 2.0 - which we still currently use - the asterisk certificate is
used just fine. Imported once, trusted for every server.
If I manually trust the cert now - TB 10 ESR - the exception is only
stored for this particular server. If I manually import the cert first,
the cert is marked two times in the cert manager, once generally, once
for the particular server.
The goal is to have it work like before: import the asterisk cert once
(automatically) and have it trusted for all the servers in the domain.

What to do now?


Marc

Christian Mack

unread,
Apr 26, 2012, 10:16:58 AM4/26/12
to Marc Patermann, tb-ent...@mozilla.org
Hello Marc Patermann

AFAIK Mozilla doesn't accept wildcard certificates anymore.
Just use a new Certificate Authority.
Import that into your cert8.db as trusted.
Then sign all your email server certificates with this CA

Now you can use them all without getting messages from Thunderbird.


Kind regards,
Christian Mack

--
Christian Mack
Gruppe Informationsdienste
Rechenzentrum Universität Konstanz

Marc Patermann

unread,
May 2, 2012, 8:39:47 AM5/2/12
to Christian Mack, tb-ent...@mozilla.org
Hi,

Christian Mack schrieb (26.04.2012 16:16 Uhr):

> On 2012-04-26 14:46, Marc Patermann wrote:
>> Mi schrieb (09.02.2012 12:01 Uhr):
>>> A very late reply, but since it may be useful to others, here it is:
>>>
>>> After manually importing the certificate(s), save a copy of the
>>> "cert8.db" file from your profile directory.
>>> Copy that cert8.db file to the program directory ("C:\Program Files
>>> (x86)/Mozilla Thunderbird") into a "/defaults/profile" subdirectory.
>>>
>>> That works well, for both Firefox and Thunderbird, for new profiles.
>> That's what I don't get to work. :(
>>
>> I created the directory defaults/profile.
>> When I put a mimetypes.rdf in, this is copied over to a blank profile.
>> Fine.
>> When I put in a cert8.db, this does not work.
>>
>> I use one self signed certificates for out internal mail servers -
>> *.example.com.
> AFAIK Mozilla doesn't accept wildcard certificates anymore.
> Just use a new Certificate Authority.
> Import that into your cert8.db as trusted.
> Then sign all your email server certificates with this CA
>
> Now you can use them all without getting messages from Thunderbird.
So I started testing with my own CA and a server cert.

- I import the CA file via GUI.
- I connect to the server.
- TLS is used without any pop-up or so.
-> Fine.

Now I moved the cert8.db file out of the profile directory to
defaults/profile.
But the CA is not there.
-> So the cert8.db file I just created is not used.


What to do now?


Marc
Reply all
Reply to author
Forward
0 new messages