<div dir="ltr">Hi Todd.<div><br></div><div>It seems that this tool is only for PFX/P12 exports of the cert - my web team is not going to give me the private keys to the cert, do you know of any other way of getting the web browser to trust a cert with just having access to a cer file?</div><div><br></div><div>Thank you!</div><div><div style="font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);word-wrap:break-word"><br></div><div style="font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);word-wrap:break-word">------------------------------<wbr>-----------------------------<br style="font-family:Helvetica;font-size:14px"><span style="font-family:Helvetica;font-size:14px"><br></span></div><div style="font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);word-wrap:break-word"><span style="font-family:Helvetica;font-size:14px">Ben Bass, </span></div><div 
style="font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);word-wrap:break-word"><span style="font-family:Helvetica;font-size:14px">Jamf; CCT, CCA, CJA, CCE</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;word-wrap:break-word"><span style="color:rgb(0,0,0);font-family:Helvetica;font-size:14px">SANS;</span><font color="#000000" face="Helvetica"><span style="font-size:14px"> <a href="https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba" target="_blank" style="color:rgb(17,85,204)">GSEC</a></span></font></div><div style="font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);word-wrap:break-word"><span style="font-family:Helvetica;font-size:14px">Macintosh Client Security Systems Engineer</span><br style="font-family:Helvetica;font-size:14px"><span style="font-family:Helvetica;font-size:14px"><a value="+19175360998" style="color:rgb(17,85,204)">(917) 536-0998</a></span><br style="font-family:Helvetica;font-size:14px"><span style="font-family:Helvetica;font-size:14px"><a href="mailto:ben@benbass.com" target="_blank" 
style="color:rgb(17,85,204)">ben@benbass.com</a></span></div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 23, 2018 at 12:36 PM, Houle, Todd - 1120 - MITLL <span dir="ltr">&lt;<a href="mailto:Todd.Houle@ll.mit.edu" target="_blank">Todd.Houle@ll.mit.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_1206269761409916848m_-9149642888344253475WordSection1"><p class="m_1206269761409916848m_-9149642888344253475p1">I use pk12util to add certs to Firefox cert database. pk12util is part of Mozilla’s NSS tools (<a href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools" target="_blank">https://developer.mozilla.org<wbr>/en-US/docs/Mozilla/Projects/<wbr>NSS/tools</a>). You could use Homebrew to get them, but I prefer to compile myself.<u></u><u></u></p><p class="m_1206269761409916848m_-9149642888344253475p1"><u></u> <u></u></p><p class="m_1206269761409916848m_-9149642888344253475p2"><span class="m_1206269761409916848m_-9149642888344253475s1">SCRIPTPATH=</span>"$( cd "<span class="m_1206269761409916848m_-9149642888344253475s1">$(dirname </span>"$0"<span class="m_1206269761409916848m_-9149642888344253475s1">)</span>" ; pwd -P )"<u></u><u></u></p><p class="m_1206269761409916848m_-9149642888344253475p3">ffProfileShortPath=$(cat $HOME/Library/Application\ Support/Firefox/profiles.ini |grep Path |awk -F= <span class="m_1206269761409916848m_-9149642888344253475s2">'{print $2}'</span>|head <span class="m_1206269761409916848m_-9149642888344253475s3">-1</span>)<u></u><u></u></p><p class="m_1206269761409916848m_-9149642888344253475p4"><u></u> <u></u></p><p class="m_1206269761409916848m_-9149642888344253475p2"><span class="m_1206269761409916848m_-9149642888344253475s1">ffProfileFullPath=</span>"$HOME/Librar<wbr>y/Application Support/Firefox/$ffProfileShor<wbr>tPath/"<u></u><u></u></p><p 
class="m_1206269761409916848m_-9149642888344253475p2">"$SCRIPTPATH/pkutil/pk12util"<span class="m_1206269761409916848m_-9149642888344253475s1"> -i newcert.pfx -W </span>"${cert_password}"<span class="m_1206269761409916848m_-9149642888344253475s1"> -d </span>"$ffProfileFullPath"<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Todd<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Enterprise &lt;<a href="mailto:enterprise-bounces@mozilla.org" target="_blank">enterprise-bounces@mozilla.or<wbr>g</a>&gt; on behalf of Ben Bass &lt;<a href="mailto:ben@benbass.com" target="_blank">ben@benbass.com</a>&gt;<br><b>Date: </b>Wednesday, May 23, 2018 at 12:30 PM<br><b>To: </b>enterprise &lt;<a href="mailto:enterprise@mozilla.org" target="_blank">enterprise@mozilla.org</a>&gt;<br><b>Subject: </b>[Mozilla Enterprise] Adding certificates to FF for Mac<u></u><u></u></span></p></div><span><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><a name="m_1206269761409916848_m_-9149642888344253475__MailOriginalBody">Hi everyone. <u></u><u></u></a></p><div><p class="MsoNormal"><span><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span>We have been tasked with adding some of our internal Root CAs to allow Firefox to use these certificates. <u></u><u></u></span></p></div><div><p class="MsoNormal"><span><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span>We are still adding the certificates to the keychain, but cannot find a way to get FF for Mac to use the keychain. 
I started down the autoconfig path but see that that method will run into issues in FF 62, and we don't want to develop a short-term solution unless absolutely necessary.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span>So my question is, what is the best way to get Firefox for Mac (ESR or regular release) to either use the system keychain, or a way to install/configure the certificates via another method?<u></u><u></u></span></p></div><div><p class="MsoNormal"><span><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span>Thank you!<br clear="all"><u></u><u></u></span></p><div><div><div><div><div><div><div><div><div><div><div><p class="MsoNormal"><span><span style="color:black"><u></u> <u></u></span></span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></span></div></div>
</blockquote></div>
</div></div>
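For the follow-up question about trusting a certificate from a .cer file alone: certutil, from the same NSS tools as pk12util, can add a CA certificate to a profile's database without its private key. The script below is an added example, not code from the thread; the function names, the FF_DIR and CERTUTIL variables and the nickname are assumptions, and unlike the quoted script it imports into every profile listed in profiles.ini rather than only the first Path line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes NSS certutil is installed;
# FF_DIR, CERTUTIL and the function names are illustrative.
FF_DIR="${FF_DIR:-$HOME/Library/Application Support/Firefox}"
CERTUTIL="${CERTUTIL:-certutil}"

# Print the absolute directory of every profile listed in a profiles.ini.
# Path= is relative to the Firefox directory unless IsRelative=0.
ff_profile_dirs() {
    ini="$1"; base="$2"
    tr -d '\r' < "$ini" | awk -F= -v base="$base" '
        function emit() {
            if (path != "") print (rel == "0" ? path : base "/" path)
            path = ""; rel = "1"
        }
        /^\[/              { emit() }
        $1 == "Path"       { path = substr($0, 6) }
        $1 == "IsRelative" { rel = $2 }
        END                { emit() }'
}

# Add a CA certificate (.cer in PEM or DER form, no private key needed)
# as a trusted TLS root in each profile's NSS database.
ff_trust_ca() {
    cer="$1"; nick="$2"; ini="${3:-$FF_DIR/profiles.ini}"
    [ -r "$cer" ] || { echo "cannot read $cer" >&2; return 1; }
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 1; }
    # certutil expects DER unless -a (ASCII/PEM input) is given.
    ascii=""
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$cer"; then ascii="-a"; fi
    ff_profile_dirs "$ini" "$(dirname "$ini")" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        # Trust flags "C,,": trusted CA for TLS server certificates only,
        # not for e-mail or code signing.
        "$CERTUTIL" -A -n "$nick" -t "C,," $ascii -i "$cer" -d "sql:$dir" \
            || echo "import failed for $dir" >&2
    done
}

# Usage: sh ff_trust_ca.sh internal-root.cer "Internal Root CA"
if [ "$#" -ge 2 ]; then ff_trust_ca "$@"; fi
```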