Tuesday, December 11, 2012

Adding an internal root/CA Cert to Firefox

I swear I added a CA cert to Firefox 1.5 via Netware back in the day, but the more I think about it, the more I recall Netware's application deployment was far better than Microsoft's.  In any case I've found a lot of info and some bad scripts, which I'm compiling and fixing for your benefit.

I have to add that batch file writing skills are sorely lacking these days.  Wow.  A lot of copy/pasting without really understanding what basic variables are.

If you're starting from scratch, you'll probably just want the ESR release of Firefox, then the CCK Wizard to add your cert and any other changes and create an XPI Extension.  Then go to FrontMotion and throw it all together in an MSI.

Firefox uses its own certificate store.  The reason is that Mozilla has stricter requirements than Microsoft does when it comes to allowing Root certificates to be deployed.  Ok.  I'll buy that. Mozilla also argues that Windows Update can deploy certificates without warning the user.  Hrm... I don't really buy that outside of home use (where a user would have no clue ANYWAYS).
Typically in a Corporate environment updates are controlled and pushed to the end user.  We're already running Microsoft software, I don't quite see any additional harm in allowing Microsoft to push new certs as well.  In fact, I've been on a Security Team that was blamed for certificate issues in a large company when the Windows team held back a certificate update, and everyone's root expired :/

In any case, in Firefox we're stuck with manually updating the certificate store on every instance. At least you can use FrontMotion to install and update Firefox (and the latest Flash).  Supposedly FrontMotion will install a Base64 cert if you create your own package, but that only worked once for me and while the cert was imported it wasn't trusted for anything :/

In order to distribute new/internal root certs to your users, you need to gather some tools and write a batch file.
First - certutil.zip.  This contains the EXEs and DLLs needed to modify the Mozilla certificate store.
Second - create your batch file:

if not exist k:\ exit
Set CERTDIR=k:\gpinstall\certutil
REM Set CERTDIR=c:\Temp\CertImport
Set FFProfdir=%Appdata%\mozilla\firefox\profiles
REM Quote the path: %Appdata% can contain spaces (e.g. "Documents and Settings")
DIR /A:D /B "%FFProfdir%" > "%Temp%\FFProfile.txt"

REM usebackq lets the file name be quoted; tokens=* keeps profile names with spaces whole
FOR /F "usebackq tokens=*" %%i in ("%Temp%\FFProfile.txt") do (
    REM Work inside each profile folder and keep a backup of the original store
    CD /d "%FFProfdir%\%%i"
    COPY cert8.db cert8.db.orig /y

    REM -A adds a cert, -n is the nickname Firefox shows, -i the cert file,
    REM -t the trust flags (SSL,S/MIME,code signing), -d the store directory
    "%CERTDIR%\certutil.exe" -A -n "Cert1Name" -i "%CERTDIR%\Cert1.crt" -t "TCu,TCu,TCu" -d .
    "%CERTDIR%\certutil.exe" -A -n "Cert2Name" -i "%CERTDIR%\Cert2.crt" -t "TCu,TCu,TCu" -d .
)
REM Only remove the profile list after the loop has finished with it
DEL /f /q "%Temp%\FFProfile.txt"

Make sure CERTDIR is set to a mapped share location.  It should contain the contents of certutil.zip, your certificate(s) and your batch file. Temporarily map that share if you need to, or get more creative and copy all the files from a share location to a local temp folder.  I leave that exercise to the reader.

Make sure "Cert1.crt" refers to your actual certificate's file name, and "Cert1Name" is the nickname you want the certificate to have in Firefox.  If you are unsure of the certificate name, manually import the certificate into Firefox and find it under Tools, Options, Encryption.

That's it.  Run your batch file, and it should import.  Add it to your login script to import your root cert for everyone.
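The batch file above imports the cert but never checks the result, which is exactly the failure described earlier (imported, yet not trusted for anything). The following is an added example, not the post's script and not part of certutil or Firefox: a Python equivalent that walks every profile, backs up the store, runs the same certutil -A import, and then parses the output of certutil -L to confirm the nickname is present with a trusted-CA flag in the SSL column. It assumes you pass the path to an NSS certutil binary and the profiles folder on the command line, and it uses the "CT,C,C" trust string from the NSS certutil documentation rather than the post's "TCu,TCu,TCu". It also handles the newer cert9.db store (Firefox 58 and later, addressed with the sql: prefix) alongside the cert8.db store the post targets. The sample certutil -L listing embedded below is constructed for illustration.

```python
"""Import an internal root CA into every Firefox profile with NSS certutil and
verify that the imported certificate is actually trusted.

Added example (not the blog post's batch file). Assumes an NSS certutil binary at
a path you supply and the default Firefox profiles directory layout."""
import os
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Trust flags the NSS certutil documentation uses for a CA: SSL column "CT"
# (trusted to issue server and client certs), S/MIME "C", code signing "C".
ROOT_CA_TRUST = "CT,C,C"

# One "nickname   flags" row of `certutil -L`: nickname, 2+ spaces, three
# comma-separated groups drawn from the NSS trust letters. Header rows never match.
_ROW = re.compile(r"^(.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

# Constructed sample of `certutil -L` output (not captured from a real store).
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Cert1Name                                                    CT,C,C
Imported But Untrusted                                       ,,
"""


def classify_db(names):
    """certutil -d prefix for a profile from its file names:
    cert9.db -> "sql:" (Firefox 58+), cert8.db -> "dbm:" (older), else None."""
    names = set(names)
    if "cert9.db" in names:
        return "sql:"
    if "cert8.db" in names:
        return "dbm:"
    return None


def db_directive(profile):
    """Full -d argument for a profile directory, or None if it has no NSS store."""
    prefix = classify_db(os.listdir(profile))
    return None if prefix is None else prefix + str(profile)


def find_profiles(profiles_root):
    """Profile directories under profiles_root that contain an NSS cert store."""
    root = Path(profiles_root)
    return sorted(p for p in root.iterdir() if p.is_dir() and db_directive(p))


def import_command(certutil, db, nickname, cert_file, trust=ROOT_CA_TRUST):
    """argv for `certutil -A`, mirroring the post's batch line."""
    return [str(certutil), "-A", "-n", nickname, "-i", str(cert_file), "-t", trust, "-d", db]


def parse_cert_list(text):
    """Map nickname -> trust string from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs


def is_trusted_ca(trust):
    """True if the SSL column marks a trusted CA ('C') and is not prohibited ('p')."""
    ssl = trust.split(",")[0]
    return "C" in ssl and "p" not in ssl


def verify_import(listing, nickname):
    """The check the batch file lacks: the cert is present AND trusted for SSL."""
    trust = parse_cert_list(listing).get(nickname)
    return trust is not None and is_trusted_ca(trust)


def import_into_profiles(certutil, profiles_root, nickname, cert_file):
    """Back up, import and verify in every profile; returns {profile: verified?}."""
    outcome = {}
    for profile in find_profiles(profiles_root):
        for db_file in ("cert8.db", "cert9.db"):   # keep an untouched copy, like cert8.db.orig
            src = profile / db_file
            if src.exists():
                shutil.copy2(src, profile / (db_file + ".orig"))
        db = db_directive(profile)
        subprocess.run(import_command(certutil, db, nickname, cert_file), check=True)
        listing = subprocess.run([str(certutil), "-L", "-d", db],
                                 capture_output=True, text=True, check=True).stdout
        outcome[str(profile)] = verify_import(listing, nickname)
    return outcome


if __name__ == "__main__":
    # usage: python ff_import_ca.py <certutil> <profiles_root> <nickname> <cert.crt>
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    for profile, ok in import_into_profiles(*sys.argv[1:]).items():
        print(("trusted " if ok else "NOT trusted ") + profile)
```

Pass the full path to the NSS certutil.exe from certutil.zip, as the batch file does: Windows ships its own, unrelated certutil.exe in System32, so a bare "certutil" on the PATH would run the wrong tool. A profile whose verification comes back false is one where the import silently produced an untrusted entry, which is the case worth catching before the login script rolls out to everyone.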