Thanks for the reply.  The block page idea as a fallback was a good idea that support also offered.   Unfortunately, instructing most garden variety users to do anything with a crypto certificate seems to scare the daylights out of them, doesn't scale at all, and seems to make the phone ring a lot.  🙂

The target environment has IE/Chrome covered via Group Policy Objects and an internal certificate authority, but of course, Firefox in its delightful wisdom is ignorant of such and has to be treated as a special egg.    

If anyone has the command line equivalent of Tools>Options, Advanced (the gear icon), and select the rightmost tab for Encryption. From the Encryption tab of Advanced Options, click of “View Certificates.”> Authorities tab > Import  > Trust this CA to identify websites -- that'd be grail here! 

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html   looks promising but appears to have been written ... in the NT 4.0 days.

We are using MS Group Policy to automatically call script to import root certs (using certutil) and change Mozilla settings to use MWG.

grep -v "network.proxy" prefs.js  > prefs.bak

del prefs.js

copy prefs.bak prefs.js

@echo user_pref("network.proxy.type", 2); >> prefs.js

@echo user_pref("network.proxy.autoconfig_url", "http://<proxyhost:proxyport>/proxy.pac"); >> prefs.js

certutil.exe -A -n <CertName> -t "TCu,TCu,TCu" -d . -i <CertFile.cer>

ps. For use certutil in old OSes (like Windows 2000) you need add addititional MS runtime libraries (msvc*) to the certutil location.

Hello,

I created a Zip that contains all you need plus an "import.cmd" which tries to import the given root CA into all Firefox profiles found for the current user. I just did a quick test on Windows XP:

- Installed blank Firefox

- Downloaded Zip

- Extracted Zip

- Ran import.cmd

- Checked my certificate was present in Firefox (it is listed as McAfee - Securelabs VM Root CA or similar)

Maybe you can adjust this to your needs and put it on a shared directory or - even better - run it by a login script when a user logs in to his domain account.

You can grab the Zip file from ftp://ftp.webwasher.com/outgoing/andre/FF-CA.zip

Note: This is just a very quickly checked script - no warranties can be given!

best,

Andre

Thank you both for helpful answers.  

Asabban - can you shed some light on the origin of the certutil.exe included  in your zip file?   - or does it have to be compiled from source?    

http://support.mozilla.org/en-US/questions/687296    Seems to have more granular instructions on how to create from source  (as well as a megaupload link I certainly wouldn't trust). 

https://developer.mozilla.org/NSS_3.12.6_release_notes  appears to be the latest available Network Security Services  release that'd include certutil.exe   But...fascinatingly,  those 6 and 5 MB files download by way of my Mcafee web gateway as just 4.1kB files for reasons I suppose I'll have to chase down.  *sigh*

Hello,

I took all the libraries and the certutil.exe from these files:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_10_RTM/WINNT4.0_OPT.OBJ/nss-3.10.z...

and

https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.4.1/WINNT5.0_OPT.OBJ/nspr-4.4.1.zip

The source seemed acceptable to me. There is certainly room for improvement, some more information about possible switches for the certutil.exe is also available from its online help. As mentioned I just clicked it together in few minutes time and wanted to see a result - probably you have (or want to) tweak settings etc.

Best,

Andre