0

With the latest upgrade of Firefox (version 58), our product install has begun "failing" on Firefox. Basically, our installer code will query Firefox to see if our cert is already installed with nss-certutil -L -n name and if it is not found we then install the cert with nss-certutil -A ....

This is a "root" cert that we have self signed, and is only used for communication with a local node server. This has worked fine up until now (I can duplicate in version 58 .. maybe 57 as well going by some customer reports). The install script runs without error but Firefox can not connect using the secure connection to the node server.

Looking at the list of installed certs from options/security/certificates it's not there, but if I run the nss-certutil -L -n name it is listed.

Evidently the profiles have changed in version 58 but I can not find anything that would relate to this.

Another piece of info is I can manually import the cert, and that works, so the cert itself seems to be fine.

Puzzled and out of ideas. Any thoughts?

Jason Aller
  • 3,541
  • 28
  • 38
  • 38
Bill
  • 1
  • 2

1 Answers1

0

It looks like latest FF uses SQL Lite database for certificate trust, but nss-certutil by default uses legacy format.

You need to specify explicit 'sql:' prefix before FF profile path. Example:

-A -n "Test CA" -i "C:\test\ca1.cer" -t "CT,," -d sql:"C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\mgr140m4.default"

Please refer
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil and -d option description

ElasticCode
  • 7,311
  • 2
  • 34
  • 45
LAT
  • 11
  • 3