I've talked with support on this but they don't have a procedure handy for what I imagine has to be an extremely common use case for the web gateways -- for those of you who support Firefox in your corporate environment, how do you handle getting the CA cert that MWG is using to create SSL certs on the fly into Firefox's certificate database so users aren't deluged with cert warnings from their local Firefox install?
Googling for a solution to this has provided a remarkable dearth of useful information that seems current/relevant to modern Firefoxen.
If anyone has a procedure that works for them, ideally if it merges with existing deployed user profiles and doesn't stomp entirely on their cert db, and/or works with SCCM I'd be quite appreciative!
But any command line procedure for doing cert import into firefox would be superb!
common scenarios I have seen at customers so far:
- Sending an eMail to all users with instructions and the certificate attached
- Adding a link to the certificate and instructions to the end of block pages so that users can see and download from there
- Add link/instructions to a welcome page which shows the "use policy" once a day for each user
I personally would perfer a rollout via Active Directory which seems to be possible with a small script. You may want to add an internal resource with instructions/the certificate to download for non-windows or non-domain users anyway.
Thanks for the reply. The block page idea as a fallback was a good idea that support also offered. Unfortunately, instructing most garden variety users to do anything with a crypto certificate seems to scare the daylights out of them, doesn't scale at all, and seems to make the phone ring a lot. :-)
The target environment has IE/Chrome covered via Group Policy Objects and an internal certificate authority, but of course, Firefox in its delightful wisdom is ignorant of such and has to be treated as a special egg.
If anyone has the command line equivalent of Tools>Options, Advanced (the gear icon), and select the rightmost tab for Encryption. From the Encryption tab of Advanced Options, click of “View Certificates.”> Authorities tab > Import > Trust this CA to identify websites -- that'd be grail here!
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html looks promising but appears to have been written ... in the NT 4.0 days.Message was edited by: Regis added mention to Mozilla's certutil tool on 5/29/12 10:54:22 AM CDT
We are using MS Group Policy to automatically call script to import root certs (using certutil) and change Mozilla settings to use MWG.
grep -v "network.proxy" prefs.js > prefs.bak
copy prefs.bak prefs.js
@echo user_pref("network.proxy.type", 2); >> prefs.js
@echo user_pref("network.proxy.autoconfig_url", "http://<proxyhostroxyport>/proxy.pac"); >> prefs.js
certutil.exe -A -n <CertName> -t "TCu,TCu,TCu" -d . -i <CertFile.cer>
ps. For use certutil in old OSes (like Windows 2000) you need add addititional MS runtime libraries (msvc*) to the certutil location.
I created a Zip that contains all you need plus an "import.cmd" which tries to import the given root CA into all Firefox profiles found for the current user. I just did a quick test on Windows XP:
- Installed blank Firefox
- Downloaded Zip
- Extracted Zip
- Ran import.cmd
- Checked my certificate was present in Firefox (it is listed as McAfee - Securelabs VM Root CA or similar)
Maybe you can adjust this to your needs and put it on a shared directory or - even better - run it by a login script when a user logs in to his domain account.
You can grab the Zip file from ftp://ftp.webwasher.com/outgoing/andre/FF-CA.zip
Note: This is just a very quickly checked script - no warranties can be given!
Thank you both for helpful answers.
Asabban - can you shed some light on the origin of the certutil.exe included in your zip file? - or does it have to be compiled from source?
http://support.mozilla.org/en-US/questions/687296 Seems to have more granular instructions on how to create from source (as well as a megaupload link I certainly wouldn't trust).
https://developer.mozilla.org/NSS_3.12.6_release_notes appears to be the latest available Network Security Services release that'd include certutil.exe But...fascinatingly, those 6 and 5 MB files download by way of my Mcafee web gateway as just 4.1kB files for reasons I suppose I'll have to chase down. *sigh*
I took all the libraries and the certutil.exe from these files:
The source seemed acceptable to me. There is certainly room for improvement, some more information about possible switches for the certutil.exe is also available from its online help. As mentioned I just clicked it together in few minutes time and wanted to see a result - probably you have (or want to) tweak settings etc.