有没有办法以编程方式将证书安装到mozilla中?我们正在尝试编写所有脚本以消除环境中的偏差,因此通过mozilla首选项手动安装它并不适合我们的需求。 我认为这是使用certutil的方法,但我不确定Mozilla的内部等。
答案 0 :(得分:30)
这是一种不会覆盖现有证书的替代方法: [Linux系统的bash片段]
certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert8.db")
do
certDir=$(dirname ${certDB});
#log "mozilla certificate" "install '${certificateName}' in ${certDir}"
certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i ${certificateFile} -d ${certDir}
done
您可以在libnss3-tools包(debian / ubuntu)中找到certutil。
另见:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
答案 1 :(得分:23)
最简单的方法是将证书导入示例firefox-profile,然后将cert8.db复制到您希望配备证书的用户。
首先手动将证书导入sample-user的firefox配置文件中。然后复制
/home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db(Linux / Unix)
%userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db(Windows)
进入用户firefox-profiles。而已。如果您想确保新用户自动获得证书,请将cert8.db复制到:
/etc/firefox-3.0/profile(Linux / Unix)
%programfiles%\firefox-installation-folder\defaults\profile(Windows)
答案 2 :(得分:12)
只是想添加一个老线程,希望能帮助其他人。我需要以编程方式使用GPO将证书添加到firefox数据库,这就是我为Windows做的方法
1,首先下载并解压缩预编译的firefox NSS nss-3.13.5-nspr-4.9.1-compiled-x86.zip
2,手动将证书添加到firefox选项 - >高级 - 证书 - >权限 - >导入
3,从下载的NSS包中运行
certutil -L -d c:\users\[username]\appdata\roaming\mozilla\firefox\[profile].default
4,上面的查询将显示证书名称和信任属性,例如
my company Ltd CT,C,C
5,删除步骤2中的证书。选项 - >高级 - 证书 - >权限 - >删除
6,使用步骤4中的信息创建一个powershell脚本,如下所示。此脚本将获取用户配置文件路径并添加证书。这只适用于用户有一个firefox配置文件(需要以某种方式检索用户firefox文件夹配置文件名称)
#Script adds Radius Certificate to independent Firefox certificate store since the browser does not use the Windows built in certificate store
#Get Firefox profile cert8.db file from users windows profile path
$ProfilePath = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\"
$ProfilePath = $ProfilePath + (Get-ChildItem $ProfilePath | ForEach-Object { $_.Name }).ToString()
#Update firefox cert8.db file with Radius Certificate
certutil -A -n "UK my company" -t "CT,C,C" -i CertNameToAdd.crt -d $ProfilePath
7,将GPO创建为用户配置以运行PowerShell脚本
希望有助于节省时间
答案 3 :(得分:6)
在带有Firefox 10的Windows 7上,cert8.db文件存储在%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\cert8.db。如果您是管理员,您可以编写一个简单的WMI应用程序将文件复制到用户的相应文件夹。
此外,这个解决方案适用于http://www.appdeploy.com/messageboards/tm.asp?m=52532&mpage=1&key=촴
从NSS zip文件(http://www.mozilla.org/projects/security/pki/nss/tools/)复制CERTUTIL.EXE到C:\Temp\CertImport(我还放置了我要导入的证书)
将NSS zip文件中的所有dll复制到C\:Windows\System32
使用此脚本在%Appdata%\mozilla\firefox\profiles中创建了一个BAT文件...
Set FFProfdir=%Appdata%\mozilla\firefox\profiles
Set CERTDIR=C:\Temp\CertImport
DIR /A:D /B > "%Temp%\FFProfile.txt"
FOR /F "tokens=*" %%i in (%Temp%\FFProfile.txt) do (
CD /d "%FFProfDir%\%%i"
COPY cert8.db cert8.db.orig /y
For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
)
DEL /f /q "%Temp%\FFProfile.txt"
执行了BAT文件并取得了良好的效果。
答案 4 :(得分:4)
Firefox现在(自58年起)使用SQLite数据库cert9.db而不是旧版cert8.db。 我已经修复了这里提出的解决方案,以使其适用于新版本的Firefox:
certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert9.db")
do
certDir=$(dirname ${certDB});
#log "mozilla certificate" "install '${certificateName}' in ${certDir}"
certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i ${certificateFile} -d sql:${certDir}
done
答案 5 :(得分:1)
我在客户端网站上遇到类似的问题,客户端需要为2000多名Windows用户自动安装授权证书。
我创建了以下.vbs脚本,以将证书导入当前登录的用户firefox证书库。
脚本需要放在包含certutil.exe(nss版本)工作副本的目录中,但是以编程方式确定firefox配置文件的位置。
Option Explicit
On error resume next
Const DEBUGGING = true
const SCRIPT_VERSION = 0.1
Const EVENTLOG_WARNING = 2
Const CERTUTIL_EXCUTABLE = "certutil.exe"
Const ForReading = 1
Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
Dim file, filename, filePath, fileExtension
Dim WshShell : Set WshShell = WScript.CreateObject("WScript.Shell")
Dim objFilesystem : Set objFilesystem = CreateObject("Scripting.FileSystemObject")
Dim certificates : Set certificates = CreateObject("Scripting.Dictionary")
Dim objCertDir
Dim UserFirefoxDBDir
Dim UserFirefoxDir
Dim vAPPDATA
Dim objINIFile
Dim strNextLine,Tmppath,intLineFinder, NickName
vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%")
strCertDirPath = WshShell.CurrentDirectory
strCertutil = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox"
NickName = "Websense Proxy Cert"
Set objINIFile = objFilesystem.OpenTextFile( UserFireFoxDir & "\profiles.ini", ForReading)
Do Until objINIFile.AtEndOfStream
strNextLine = objINIFile.Readline
intLineFinder = InStr(strNextLine, "Path=")
If intLineFinder <> 0 Then
Tmppath = Split(strNextLine,"=")
UserFirefoxDBDir = UserFirefoxDir & "\" & replace(Tmppath(1),"/","\")
End If
Loop
objINIFile.Close
'output UserFirefoxDBDir
If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
Set files = objCertDir.Files
For each file in files
slashPosition = InStrRev(file, "\")
dotPosition = InStrRev(file, ".")
fileExtension = Mid(file, dotPosition + 1)
filename = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)
If LCase(fileExtension) = "cer" Then
strCmd = chr(34) & strCertutil & chr(34) &" -A -a -n " & chr(34) & NickName & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d " & chr(34) & UserFirefoxDBDir & chr(34)
'output(strCmd)
WshShell.Exec(strCmd)
End If
Next
WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
End If
function output(message)
If DEBUGGING Then
Wscript.echo message
End if
End function
Set WshShell = Nothing
Set objFilesystem = Nothing
答案 6 :(得分:1)
我试图在Powershell中实现同样的功能,并编写了一个脚本来执行可以交互选择的各种功能。当然,修改脚本以自动化某些事情而不是提供选项是相当容易的。
我是一名基础设施人员,而不是编码员/程序员,所以如果它有点麻烦(但确实有效),请道歉。
将以下内容另存为PS1:
##################################################################################################
#
# NAME: RegisterFireFoxCertificates.ps1
#
# AUTHOR: Andy Pyne
#
# DATE : 22.07.2015
#
# COMMENT: To provide options for listing, adding, deleting and purging
# FireFox Certificates using Mozilla's NSS Util CertUtil
# Source: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
#
# NOTE: You need a copy of the NSS Util CertUtil and it's associated dll's
# The specific files I used were:
#
# certutil.exe, fort32.dll, freebl3.dll, libnspr4.dll, libplc4.dll, libplds4.dll, nspr4.dll,
# nss3.dll, nssckbi.dll, nssdbm3.dll, nssutil3.dll, plc4.dll, plds4.dll, smime3.dll,
# softokn3.dll, sqlite3.dll, ssl3.dll, swft32.dll
#
##################################################################################################
##################################################################################################
# Setup a few parameters
$ErrorActionPreference = "Silentlycontinue"
$ExecutionPolicyOriginal = Get-ExecutionPolicy
$FireFoxExecutable = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
# This is the Firefox certificate database
$CertDB = "Cert8.db"
# The Certificate Nickname is a name you want to see on the certificates that you've imported in - so you know they were imported by this process
# However, when you look at the certificates in Firefox, they will be listed under whatever the certificate name was when it was generated
# So if your certificate is listed as 'Company123' when imported, it will still be called that as the Common Name, but when you click to view
# it, you will see that the first item in the Certificate Fields is what you 'nicknamed' it.
$CertificateNickname = "MyCompanyName FF AutoImport Cert"
# The Legacy Certificates are specific/explicit certificates which you wish to delete (The 'purge' option later in the script references these items)
$LegacyCertificates = @("OldCertificate1", "Company Cert XYZ", "Previous Company name", "Unwanted Certificate - 7", "123APTEST123")
# This is the list of databases / Firefox profiles on the machine
$FFDBList = @()
# Making sure our temporary directory is empty
$FFCertLocationLocal = "C:\FFCertTemp"
# The remote location of the certificates and
$FFCertLocationRemote = "\\myUNC\NETLOGON\FireFoxCert\"
# The local CertUtil executable (this is copied from the remote location above)
$FFCertTool = "$FFCertLocationLocal\CertUtil.exe"
# Making sure our temporary directory is empty
Remove-Item $FFCertLocationLocal -Recurse
New-Item -ItemType Directory -Path $FFCertLocationLocal
##################################################################################################
##################################################################################################
Clear
# We're going to get a list of the Firefox processes on the machine that are open and close them
# Otherwise the add/delete parts might not be successful with Firefox still running
$FireFoxRunningProcessesList = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object ProcessName,Id | Format-Table -AutoSize
$FireFoxRunningProcesses = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object -ExpandProperty Id
If (!$FireFoxRunningProcesses) {}
Else {
Write-Host "The following processes will be stopped to perform certificate manipulation:"
$FireFoxRunningProcessesList
$TerminateProcessQuestion = Read-Host "To auto-terminate (ungracefully!) processes, press 'Y', otherwise, press any other key"
If ($TerminateProcessQuestion -ne 'y') {
Clear
Write-Host "Cannot continue as Firefox process is still running, ending script ..."
Exit}
Else {ForEach ($FireFoxRunningProcess in $FireFoxRunningProcesses) {
[Int]$FireFoxRunningProcess = [Convert]::ToInt32($FireFoxRunningProcess, 10)
Stop-Process -Id $FireFoxRunningProcess -Force}}
}
##################################################################################################
##################################################################################################
# The remote files (certificates and the NSS Tools CertUtil files are copied locally)
$FFCertificateListItemRemote = Get-ChildItem $FFCertLocationRemote -Recurse -Include *.cer,*.dll,certutil.exe
ForEach ($FFCertificateItemRemote in $FFCertificateListItemRemote) {
Copy-Item $FFCertificateItemRemote.FullName -Destination $FFCertLocationLocal}
# Get a list of the local certificates
$FFCertificateListLocal = Get-ChildItem $FFCertLocationLocal -Recurse -filter *.cer
Clear
Set-ExecutionPolicy "Unrestricted"
# Find all Firefox profiles and create an array called FFDBList
# Of course, you'll only be able to get to the ones your permissions allow
$LocalProfiles = Get-ChildItem "C:\Users" | Select-Object -ExpandProperty FullName
ForEach ($LocalProfile in $LocalProfiles) {
$FFProfile = Get-ChildItem "$LocalProfile\AppData\Roaming\Mozilla\Firefox\Profiles" | Select-Object -ExpandProperty FullName
If (!$FFProfile) {Write-Host "There is no Firefox Profile for $LocalProfile"}
ELSE {$FFDBList += $FFProfile}
}
Clear
Write-Host "#################################"
Write-Host "The List of FireFox Profiles is:"
Write-Host "#################################"
$FFDBList
PAUSE
##################################################################################################
##################################################################################################
# Setup 4x functions (List, Delete, Add and Purge)
#
# - List will simply list certificates from the Firefox profiles
#
# - Delete will delete the certificates the same as the certificates you're going to add back in
# So for example, if you have 2x certificates copied earlier for import, 'CompanyA' and 'CompanyZ'
# then you can delete certificates with these names beforehand. This will prevent the
# certificates you want to import being skipped/duplicated because they already exist
#
# - Add will simply add the list of certificates you've copied locally
#
# - Purge will allow you to delete 'other' certificates that you've manually listed in the
# variable '$LegacyCertificates' at the top of the script
# Each of the functions perform the same 4x basic steps
#
# 1) Do the following 3x things for each of the Firefox profiles
# 2) Do the 2x following things for each of the certificates
# 3) Generate an expression using parameters based on the certificate nickname specified
# earlier, and the profile and certificate informaiton
# 4) Invoke the expression
Function ListCertificates {
Write-Host "#############################"
ForEach ($FFDBItem in $FFDBList) {
$FFCertificateListItemFull = $FFCertificateListItem.FullName
Write-Host "Listing Certificates for $FFDBitem"
$ExpressionToListCerts = "$FFCertTool -L -d `"$FFDBItem`""
Invoke-Expression $ExpressionToListCerts
}
PAUSE}
Function DeleteOldCertificates {
Write-Host "#############################"
ForEach ($FFDBItem in $FFDBList) {
ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
$FFCertificateListItemFull = $FFCertificateListItem.FullName
Write-Host "Deleting Cert $FFCertificateListItem for $FFDBitem"
$ExpressionToDeleteCerts = "$FFCertTool -D -n `"$CertificateNickname`" -d `"$FFDBItem`""
Invoke-Expression $ExpressionToDeleteCerts
}}
PAUSE}
Function AddCertificates {
Write-Host "#############################"
ForEach ($FFDBItem in $FFDBList) {
ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
$FFCertificateListItemFull = $FFCertificateListItem.FullName
Write-Host "Adding $FFCertificateListItem Cert for $FFDBitem"
$ExpressionToAddCerts = "$FFCertTool -A -n `"$CertificateNickname`" -t `"CT,C,C`" -d `"$FFDBItem`" -i `"$FFCertificateListItemFull`""
Write-Host $ExpressionToAddCerts
Invoke-Expression $ExpressionToAddCerts
#PAUSE
}}
PAUSE}
Function PurgeLegacyCertificates {
Write-Host "#############################"
ForEach ($FFDBItem in $FFDBList) {
ForEach ($LegacyCertificateItem in $LegacyCertificates) {
$LegacyCertificateItemFull = $LegacyCertificateItem.FullName
Write-Host "Purging Old Certs ($LegacyCertificateItem) for $FFDBitem"
#$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$OldCertificate`" -d `"$FFDBItem`""
$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$LegacyCertificateItem`" -d `"$FFDBItem`""
ForEach ($LegacyCertificate in $LegacyCertificates) {
Invoke-Expression $ExpressionToDeleteLegacyCerts}
}}
PAUSE}
##################################################################################################
##################################################################################################
# Creating a few options to invoke the various functions created above
$CertificateAction = ""
Function CertificateActionSelection {
Do {
Clear
$CertificateAction = Read-Host "Would you like to [L]ist all certificates [D]elete all old certificates, [A]dd new certificates, or [P]urge legacy certificates?"
} Until ($CertificateAction -eq "L" -or $CertificateAction -eq "D" -or $CertificateAction -eq "A" -or $CertificateAction -eq "P" )
If ($CertificateAction -eq "L") {ListCertificates}
If ($CertificateAction -eq "D") {DeleteOldCertificates}
If ($CertificateAction -eq "A") {AddCertificates}
If ($CertificateAction -eq "P") {PurgeLegacyCertificates}
}
Do {
Clear
$MoreCertificateActions = Read-Host "Would you like to [L]aunch Firefox (as $env:USERNAME), take a [C]ertificate action, or [Q]uit?"
If ($MoreCertificateActions -eq "L") {
Invoke-Item $FireFoxExecutable
Exit}
If ($MoreCertificateActions -eq "C") {CertificateActionSelection}
} Until ($MoreCertificateActions -eq "Q")
Remove-Item $FFCertLocationLocal -Recurse
Set-ExecutionPolicy $ExecutionPolicyOriginal
Exit
答案 7 :(得分:0)
Firefox的最新版本支持policies.json文件,该文件将应用于所有Firefox配置文件。
对于CA证书,您有some options,这是一个示例,已在Linux / Ubuntu上进行了测试,其中我已经在/usr/local/share/ca-certificates中拥有系统范围的CA证书:
在/usr/lib/firefox/distribution/policies.json
{
"policies": {
"Certificates": {
"Install": [
"/usr/local/share/ca-certificates/my-custom-root-ca.crt"
]
}
}
对Thunderbird的支持为on its way。
答案 8 :(得分:0)
我有 this awesome answer 的更新(只是不再使用上次的 Firefox 更新),在同一线程中,由 H.-Dirk Schmitt 制作,也感谢 this other thread 中的回答来自BecarioEstrella。
我只是根据最近的变化调整了脚本。
2021 年仅在 Firefox 85.0.1(64 位)和 Ubuntu 20.04 和 18.04 中进行测试。
#!/usr/bin/env bash
function usage {
echo "Error: no certificate filename or name supplied."
echo "Usage: $ ./installcerts.sh <certname>.pem <Cert-DB-Name>"
exit 1
}
if [ -z "$1" ] || [ -z "$2" ]
then
usage
fi
certificate_file="$1"
certificate_name="$2"
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert9.db")
do
cert_dir=$(dirname ${certDB});
echo "Mozilla Firefox certificate" "install '${certificate_name}' in ${cert_dir}"
certutil -A -n "${certificate_name}" -t "TCu,Cuw,Tuw" -i ${certificate_file} -d sql:"${cert_dir}"
done
如果您只想要 Firefox,请替换该行:
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert9.db")
通过
for certDB in $(find ~/.mozilla* -name "cert9.db")
进一步阅读: