I want to add a certificate to the CAs that Firefox trusts, before any user profile exists, on RHEL 6 (or CentOS, or Scientific Linux... would expect it to be the same).

I know how to add a certificate to an existing user profile. I don't need to do that at all. I want to do this during a kickstart (unattended, don't want to start X), so I can't really start up Firefox for the user, create a profile, and add it the normal way. I need the certificate to be there the first time a user on the system opens Firefox.

I know that there is no system store of CAs that Firefox reads in addition to the user profile (though it evidently has an internal store somewhere as it trusts way more than what's in the user profile). That's OK, I just want the user profile to be created with the certificate already added.

I have seen some indication that this is possible, or was possible. E.g. https://support.mozilla.org/en-US/questions/967376 indicates where to put the cert8.db under Windows; https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/369858#369858 indicates that /etc/firefox-3.0/profile worked on Ubuntu (there is no such location under RHEL).

I can't determine where to do this under RHEL 6. I've tried adding a certificate database using certutil under the following directories, which were owned by the firefox RPM and seemed promising:

```
/usr/lib64/firefox/browser
/usr/lib64/firefox/browser/defaults
/usr/lib64/firefox/defaults
```

... but still, when a user profile is created, certutil indicates the same contents:

```
certutil -L -d .mozilla/firefox/*.default/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
VeriSign Class 3 Secure Server CA - G3                       ,,
DigiCert High Assurance EV CA-1                              ,,
Google Internet Authority G2                                 ,,
```

I can't even tell where those certificates are coming from; it might be helpful to do even that much.

sosiouxme
  • Does adding the cert to `/etc/pki/nssdb/cert8.db` do anything useful here? The NSS default certificates (I don't know about those specifically) are in the `/usr/lib64/libnssckbi.so` library by the way. – Etan Reisner May 07 '14 at 15:42
  • I did actually try that; unfortunately it does not seem to affect Firefox. Good thought though... – sosiouxme May 07 '14 at 18:33

1 Answer

I do not think that you can do what you are trying to do without altering a user's defaults. The reason why I say this is because of how Mozilla bundles their default set of Root CAs. See How Mozilla Products Respond to User Changes of Root Certificates:

the Mozilla Foundation and its wholly-owned subsidiary the Mozilla Corporation include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs).

However, with that said, you could use Skeleton Files to define a set of defaults for all of your users, and follow the same process that Mozilla outlines, by simply providing your defaults as a thing each user already has when their profile is created.

Eric Rich
  • This would work, but I would need to create a Firefox profile beforehand and download it during the kickstart, since you can't create with Firefox without X. It would be less ugly if there were a way to do that, or have Firefox use defaults I specify when creating a profile. – sosiouxme May 07 '14 at 14:41
  • Actually, Firefox will create the rest of the profile if I just create .mozilla/firefox/default.profile/cert8.db and profiles.ini to point to it. Then the only issue is that I have a known profile location, which is perhaps a minor security concern. – sosiouxme May 07 '14 at 15:23
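
The approach the thread arrives at (a skeleton directory holding `profiles.ini` plus a pre-built certificate database) can be scripted for a kickstart `%post` section; this is an added example, not code from any poster above. It assumes `certutil` from nss-tools supports `--empty-password`, and the CA file path and nickname in the usage comment are placeholders.

```shell
#!/bin/sh
# Seed a skeleton directory so each new account starts with a Firefox
# profile whose NSS database already trusts one internal CA.
# PROFILE_DIR is the directory name used in the comment above.
PROFILE_DIR="default.profile"

# Write profiles.ini so Firefox adopts PROFILE_DIR instead of generating
# a random "*.default" directory on first start.
write_profiles_ini() {
    ff_root="$1/.mozilla/firefox"
    mkdir -p "$ff_root/$PROFILE_DIR" || return 1
    chmod 700 "$ff_root/$PROFILE_DIR" || return 1   # profile holds key material
    cat > "$ff_root/profiles.ini" <<EOF
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=$PROFILE_DIR
Default=1
EOF
}

# Create the certificate database (cert8.db on RHEL 6's NSS) and import
# the CA. Trust string "C,," trusts it for SSL/TLS servers only, not for
# S/MIME or code signing.
import_ca() {
    db="$1/.mozilla/firefox/$PROFILE_DIR"
    ca_pem="$2"
    nick="$3"
    [ -r "$ca_pem" ] || { echo "cannot read $ca_pem" >&2; return 1; }
    if [ ! -f "$db/cert8.db" ] && [ ! -f "$db/cert9.db" ]; then
        certutil -N -d "$db" --empty-password || return 1
    fi
    certutil -A -d "$db" -n "$nick" -t "C,," -a -i "$ca_pem" || return 1
    # List the database so the kickstart log records what was trusted.
    certutil -L -d "$db"
}

seed_skel() {
    write_profiles_ini "$1" && import_ca "$1" "$2" "$3"
}

# In kickstart %post (file path and nickname are placeholders):
#   seed_skel /etc/skel /root/internal-ca.pem "Example Internal CA"
```

Accounts created afterwards with `useradd -m` receive a copy of the skeleton; existing home directories are not changed.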