Regis
Level 12

SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Greetings all,

I've talked with support on this but they don't have a procedure handy for what I imagine has to be an extremely common use case for the web gateways -- for those of you who support Firefox in your corporate environment, how do you handle getting the CA cert that MWG is using to create SSL certs on the fly into Firefox's certificate database so users aren't deluged with cert warnings from their local Firefox install?

Googling for a solution to this has provided a remarkable dearth of useful information that seems current/relevant to modern Firefoxen.

If anyone has a procedure that works for them, ideally if it merges with existing deployed user profiles and doesn't stomp entirely on their cert db, and/or works with SCCM I'd be quite appreciative!

But any command line procedure for doing cert import into Firefox would be superb!

6 Replies
asabban
Level 17

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Hello,

common scenarios I have seen at customers so far:

- Sending an email to all users with instructions and the certificate attached

- Adding a link to the certificate and instructions to the end of block pages so that users can see and download from there

- Add link/instructions to a welcome page which shows the "use policy" once a day for each user

I personally would prefer a rollout via Active Directory, which seems to be possible with a small script. You may want to add an internal resource with instructions/the certificate to download for non-Windows or non-domain users anyway.

Best,

Andre

Regis
Level 12

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Thanks for the reply. The block page idea as a fallback was a good idea that support also offered. Unfortunately, instructing most garden-variety users to do anything with a crypto certificate seems to scare the daylights out of them, doesn't scale at all, and seems to make the phone ring a lot. :-)

The target environment has IE/Chrome covered via Group Policy Objects and an internal certificate authority, but of course, Firefox in its delightful wisdom is ignorant of such and has to be treated as a special egg.

If anyone has the command line equivalent of Tools > Options > Advanced (the gear icon) > the rightmost tab, Encryption. From the Encryption tab of Advanced Options, click on "View Certificates" > Authorities tab > Import > Trust this CA to identify websites -- that'd be grail here!

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html looks promising but appears to have been written ... in the NT 4.0 days.

Message was edited by: Regis -- added mention of Mozilla's certutil tool on 5/29/12 10:54:22 AM CDT
apellepa
Level 8

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

We are using MS Group Policy to automatically call a script that imports root certs (using certutil) and changes Mozilla settings to use MWG.

REM Script as posted; the comments are added. Run from inside the Firefox profile directory while Firefox is closed,
REM otherwise Firefox rewrites prefs.js on exit and discards the changes.
REM grep is not a Windows built-in: a Windows port of grep must be on PATH.
REM 1. Drop any existing network.proxy.* preferences from prefs.js
grep -v "network.proxy" prefs.js > prefs.bak
del prefs.js
copy prefs.bak prefs.js
REM 2. Point Firefox at the MWG PAC file (type 2 = automatic proxy configuration URL; replace proxyhost and proxyport)
@echo user_pref("network.proxy.type", 2); >> prefs.js
@echo user_pref("network.proxy.autoconfig_url", "http://<proxyhost:proxyport>/proxy.pac"); >> prefs.js
REM 3. Import the MWG root CA into this profile's NSS certificate database (-d . = current directory)
REM    -t sets the trust flags per category: SSL, email, object signing
certutil.exe -A -n <CertName> -t "TCu,TCu,TCu" -d . -i <CertFile.cer>

P.S. To use certutil on old OSes (like Windows 2000) you need to add the additional MS runtime libraries (msvc*) to the certutil location.
asabban
Level 17

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Hello,

I created a Zip that contains all you need plus an "import.cmd" which tries to import the given root CA into all Firefox profiles found for the current user. I just did a quick test on Windows XP:

- Installed blank Firefox

- Downloaded Zip

- Extracted Zip

- Ran import.cmd

- Checked my certificate was present in Firefox (it is listed as McAfee - Securelabs VM Root CA or similar)

Maybe you can adjust this to your needs and put it on a shared directory or - even better - run it from a login script when a user logs in to his domain account.

You can grab the Zip file from ftp://ftp.webwasher.com/outgoing/andre/FF-CA.zip

Note: This is just a very quickly checked script - no warranties can be given!

best,

Andre

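The two procedures above (apellepa's per-profile certutil import and Andre's import.cmd that walks every Firefox profile of the current user) combined into one script, as an added example that is not part of the thread and not the code from either zip. It reads Firefox's profiles.ini to locate each profile, then runs NSS certutil against that profile's certificate database. Assumptions: the NSS certutil (not the Microsoft certutil.exe that Windows ships in System32, which takes different switches) is passed in via the certutil parameter or is first on PATH; the Firefox directory locations are the usual defaults; the certificate nickname and file are supplied by the caller. The trust flag defaults to "C,," (trusted CA for SSL server certificates only), which is the command-line equivalent of the "Trust this CA to identify websites" checkbox Regis asked about and grants less than the "TCu,TCu,TCu" used in the batch script.

```python
"""Import a CA certificate into every Firefox profile of the current user via NSS certutil."""
import configparser
import os
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed sample profiles.ini (not from a real machine) for the usage example and tests.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=shared
IsRelative=0
Path=/srv/ff-profiles/shared
"""


def firefox_app_dir():
    """Per-user directory that holds profiles.ini (assumed default locations per platform)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Firefox"
    return Path.home() / ".mozilla" / "firefox"


def parse_profiles_ini(text, base_dir):
    """Return the profile directories listed in profiles.ini.

    Each [ProfileN] section carries Path= and IsRelative=; a relative Path is
    resolved against the directory that contains profiles.ini.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        path = cp.get(section, "Path", fallback=None)
        if not path:
            continue
        is_relative = cp.get(section, "IsRelative", fallback="1") == "1"
        profiles.append(Path(base_dir) / path if is_relative else Path(path))
    return profiles


def db_spec(profile_dir):
    """certutil -d argument: legacy dbm: when only cert8.db exists, sql: (cert9.db) otherwise."""
    profile_dir = Path(profile_dir)
    if (profile_dir / "cert8.db").exists() and not (profile_dir / "cert9.db").exists():
        return f"dbm:{profile_dir}"
    return f"sql:{profile_dir}"


def build_certutil_cmd(profile_dir, nickname, cert_file, trust="C,,", certutil="certutil"):
    """argv that adds cert_file to the profile's db as a trusted CA for SSL server certs.

    Trust flags are three comma-separated categories (SSL, email, object signing);
    "C,," trusts the CA to issue server certificates and nothing else.
    """
    return [certutil, "-A", "-n", nickname, "-t", trust, "-d", db_spec(profile_dir), "-i", str(cert_file)]


def already_present(profile_dir, nickname, certutil="certutil"):
    """True if a certificate with this nickname is already in the db, so re-runs are idempotent."""
    res = subprocess.run([certutil, "-L", "-n", nickname, "-d", db_spec(profile_dir)],
                         capture_output=True, text=True)
    return res.returncode == 0


def import_into_all_profiles(nickname, cert_file, app_dir=None, certutil="certutil", dry_run=False):
    """Import the CA into every profile; returns {profile: outcome}. Run with Firefox closed."""
    app_dir = Path(app_dir) if app_dir else firefox_app_dir()
    ini = app_dir / "profiles.ini"
    if not ini.exists():
        raise FileNotFoundError(f"no profiles.ini under {app_dir}")
    if not dry_run and shutil.which(certutil) is None:
        raise RuntimeError(f"NSS certutil not found: {certutil}")
    results = {}
    for prof in parse_profiles_ini(ini.read_text(encoding="utf-8"), app_dir):
        cmd = build_certutil_cmd(prof, nickname, cert_file, certutil=certutil)
        if dry_run:
            results[str(prof)] = " ".join(cmd)
        elif already_present(prof, nickname, certutil):
            results[str(prof)] = "already present"
        else:
            res = subprocess.run(cmd, capture_output=True, text=True)
            results[str(prof)] = "imported" if res.returncode == 0 else "failed: " + res.stderr.strip()
    return results


if __name__ == "__main__":
    # Usage: python import_ca.py "MWG Root CA" mwg-root.cer [--dry-run]
    nick, cert = sys.argv[1], sys.argv[2]
    for prof, outcome in import_into_all_profiles(nick, cert, dry_run="--dry-run" in sys.argv).items():
        print(f"{prof}: {outcome}")
```

Run it from a logon script with --dry-run first to see the exact certutil commands it would issue per profile. On Windows pass the full path of the NSS certutil.exe in certutil so the Microsoft tool of the same name is never picked up by accident, and schedule it while Firefox is not running, since NSS's legacy cert8.db can be left inconsistent if two processes write it at once.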
Regis
Level 12

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Thank you both for helpful answers.

Asabban - can you shed some light on the origin of the certutil.exe included in your zip file? Or does it have to be compiled from source?

http://support.mozilla.org/en-US/questions/687296 seems to have more granular instructions on how to create it from source (as well as a megaupload link I certainly wouldn't trust).

https://developer.mozilla.org/NSS_3.12.6_release_notes appears to be the latest available Network Security Services release that'd include certutil.exe. But... fascinatingly, those 6 and 5 MB files download by way of my McAfee web gateway as just 4.1 kB files, for reasons I suppose I'll have to chase down. *sigh*
asabban
Level 17

Re: SSL middling - mass import of MWG's CA certificate into users' Firefox trust db?

Hello,

I took all the libraries and the certutil.exe from these files:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_10_RTM/WINNT4.0_OPT.OBJ/nss-3.10.z...

and

https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.4.1/WINNT5.0_OPT.OBJ/nspr-4.4.1.zip

The source seemed acceptable to me. There is certainly room for improvement; some more information about possible switches for certutil.exe is also available from its online help. As mentioned, I just clicked it together in a few minutes' time and wanted to see a result - probably you have to (or want to) tweak settings etc.

Best,

Andre
