[Mozilla Enterprise] Adding certificates to FF for Mac
Ben Bass
ben at benbass.com
Wed May 23 22:05:50 UTC 2018
Hi Mike.
Thank you for pointing me to certutil. Do you know of any easy way to
build the binary on a Mac so it can be run on multiple machines without
installing Homebrew? I haven't ever used Mercurial and am just trying to
have this run once on each of the machines we manage.
Or if there is an easier method, I am all ears.
At the end of the day I just want to add certificates to the Macs so they
don't get untrusted cert errors.
Thank you!
On Wed, May 23, 2018 at 3:16 PM, Mike Kaply <mkaply at mozilla.com> wrote:
> You can use certutil to just add the cert to the Firefox DB.
>
> I'm also working on adding cert import support to our policy engine.
>
> Mike
>
> On Wed, May 23, 2018 at 2:13 PM, Ben Bass <ben at benbass.com> wrote:
>
>> Hi Todd.
>>
>> It seems that this tool is only for PFX/P12 exports of the cert. My web
>> team is not going to give me the private keys to the cert. Do you know of
>> any other way of getting the web browser to trust a cert with just having
>> access to a cer file?
>>
>> Thank you!
>>
>> -----------------------------------------------------------
>>
>> Ben Bass,
>> Jamf; CCT, CCA, CJA, CCE
>> SANS; GSEC
>> <https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba>
>> Macintosh Client Security Systems Engineer
>> (917) 536-0998
>> ben at benbass.com
>>
>>
>>
>> On Wed, May 23, 2018 at 12:36 PM, Houle, Todd - 1120 - MITLL <
>> Todd.Houle at ll.mit.edu> wrote:
>>
>>> I use pk12util to add certs to the Firefox cert database. pk12util is part
>>> of Mozilla’s NSS tools
>>> (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools).
>>> You could use Homebrew to get them, but I prefer to compile myself.
>>>
>>>
>>>
>>> SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
>>>
>>> # Relative path of the first profile listed in profiles.ini
>>> ffProfileShortPath=$(cat "$HOME/Library/Application Support/Firefox/profiles.ini" | grep Path | awk -F= '{print $2}' | head -1)
>>>
>>> ffProfileFullPath="$HOME/Library/Application Support/Firefox/$ffProfileShortPath/"
>>>
>>> # Import the PFX/P12 bundle into that profile's certificate database
>>> "$SCRIPTPATH/pkutil/pk12util" -i newcert.pfx -W "${cert_password}" -d "$ffProfileFullPath"
>>>
>>>
>>>
>>> Todd
>>>
>>>
>>>
>>> *From: *Enterprise <enterprise-bounces at mozilla.org> on behalf of Ben
>>> Bass <ben at benbass.com>
>>> *Date: *Wednesday, May 23, 2018 at 12:30 PM
>>> *To: *enterprise <enterprise at mozilla.org>
>>> *Subject: *[Mozilla Enterprise] Adding certificates to FF for Mac
>>>
>>>
>>>
>>> Hi everyone.
>>>
>>>
>>>
>>> We have been tasked with adding some of our internal Root CAs to allow
>>> Firefox to use these certificates.
>>>
>>>
>>>
>>> We are still adding the certificates to the keychain, but cannot find a
>>> way to get FF for Mac to use the keychain. I started down the autoconfig
>>> path but see that that method will run into issues in FF 62, and we don't
>>> want to develop a short-term solution unless absolutely necessary.
>>>
>>>
>>>
>>> So my question is, what is the best way to get Firefox for Mac (ESR or
>>> regular release) to either use the system keychain, or a way to
>>> install/configure the certificates via another method?
>>>
>>>
>>>
>>> Thank you!
>>>
>>>
>>>
>>> _______________________________________________
>>> Enterprise mailing list
>>> Enterprise at mozilla.org
>>> https://mail.mozilla.org/listinfo/enterprise
>>>
>>> To unsubscribe from this list, please visit
>>> https://mail.mozilla.org/listinfo/enterprise or send an email to
>>> enterprise-request at mozilla.org with a subject of "unsubscribe"
>>>
--
-----------------------------------------------------------
Ben Bass,
Jamf; CCT, CCA, CJA, CCE
SANS; GSEC
<https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba>
Macintosh Client Security Systems Engineer
(917) 536-0998
ben at benbass.com
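
The certutil route suggested in the thread for a .cer file with no private key, as an added example that is not part of the original messages or of Mozilla's tooling. It goes beyond the quoted script by walking every profile in profiles.ini rather than only the first. The CERTUTIL and FF_DIR variables, the function names, the file name and the nickname are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: import a CA certificate (.cer, no private key) into every
# Firefox profile's NSS database. CERTUTIL and FF_DIR are assumptions.
CERTUTIL="${CERTUTIL:-certutil}"     # path to an NSS certutil binary
FF_DIR="${FF_DIR:-$HOME/Library/Application Support/Firefox}"

# Print one absolute profile directory per line, honouring IsRelative.
list_profiles() {   # list_profiles <firefox_dir>
    [ -f "$1/profiles.ini" ] || return 1
    # Strip CRs; emit each section's Path once the section has ended.
    tr -d '\r' < "$1/profiles.ini" | awk -F= -v base="$1" '
        function emit() {
            if (path != "") print (rel == "0" ? path : base "/" path)
            path = ""; rel = "1"
        }
        /^\[/              { emit() }
        $1 == "Path"       { path = substr($0, 6) }
        $1 == "IsRelative" { rel = $2 }
        END                { emit() }'
}

# Add the CA to one profile unless that nickname is already in its database.
import_ca() {   # import_ca <profile_dir> <cert_file> <nickname>
    if "$CERTUTIL" -L -d "sql:$1" -n "$3" >/dev/null 2>&1; then
        echo "present $1"
        return 0
    fi
    # "C,," trusts the CA for TLS server certificates only.
    "$CERTUTIL" -A -d "sql:$1" -n "$3" -t "C,," -i "$2" && echo "added   $1"
}

# Run the import over every profile directory that exists on disk.
import_ca_all() {   # import_ca_all <cert_file> <nickname>
    list_profiles "$FF_DIR" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            import_ca "$dir" "$1" "$2" </dev/null
        fi
    done
}

# Usage: sh import-ca.sh internal-root.cer "Example Internal Root CA"
if [ "$#" -eq 2 ]; then
    import_ca_all "$1" "$2"
fi
```

Afterwards, certutil -L -d "sql:<profile directory>" lists the nickname with its trust flags, which confirms the import for that profile.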