8

I have a large number of workstations that run RedHat Enterprise Linux 5 and 6. I'd like to deploy our new internal CA (Active Directory) to these machines. I can manually import the certificate into Firefox 10 without any issues, but I can't seem to find where to store the .cer file on the filesystem so that it will be used by Firefox and Google Chrome. Is there a central location for trusted CAs that is used by both of these browsers?

If not, I'd settle for a more-automated way to have Firefox accept my CA.

Stuff I've Tried

  • Using the Mozilla-provided certutil - but this seems to only deal with client-side certificates, unless I am mistaken.
  • Modifying /etc/pki/tls/ca-bundle.crt included in the ca-certificates package. Firefox does not appear to honor this file.
Kyle Smith
  • Never used it myself, but Firefox comes with a tool called `certutil` (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html). I think that can do what you need, for Firefox at least. – Kenny Rasschaert May 07 '12 at 17:22
  • From some initial poking it looks like the NSS DB does not contain CAs, but rather client-side certificates. – Kyle Smith May 07 '12 at 17:26

1 Answer

3

For Firefox: FF stores the certificate in the user profile; you have to import the certificate for each profile on each box. For trusted CAs, the certificate should be in PEM format and imported using the certutil command (available in the nss-tools package on RedHat).

You can use this command to list the certificates:

```shell
certutil -L -d ~/.mozilla/firefox/[profile]
```

Then, the certificate can be imported using:

```shell
certutil -A -n 'Certificate Name' -t CT,, -d ~/.mozilla/firefox/[profile] < /path/to/certificate.pem
```

See http://www.dzhang.com/blog/2011/01/29/importing-exporting-firefox-certificates-from-command-line for details.

According to the Chromium wiki, you can use certutil for Chromium. I don't know if this will work for the stock Chrome too.

With a little bit of scripting it should be possible to automatically deploy your AD certificate authority in this environment.

Kyle Smith
ercpe
  • Thanks for this answer, it looks very promising. As soon as I have some spare moments I'll be happy to test and give you a bright green checkmark! – Kyle Smith May 09 '12 at 18:06
  • Thanks for pointing me in the right direction. Seems like `pk12util` and pkcs12 format certificates are for client-side authentication, but this did get me started looking at `certutil` which can modify the CA trust. I'll edit the answer with some more information, if you're curious. – Kyle Smith May 11 '12 at 14:24
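
The "little bit of scripting" the answer mentions could look like the sketch below, which is an added example and not code from the answer or its author. It repeats the answer's `certutil -A ... -t CT,,` call for every existing NSS database under a home root. It goes beyond the answer in three assumed respects: it also covers the shared `~/.pki/nssdb` database that Chromium uses on Linux, it passes explicit `dbm:`/`sql:` prefixes for `cert8.db`/`cert9.db`, and the function names and the `CERTUTIL` override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): import one CA certificate
# into every existing NSS certificate database below a home-directory root.
# CERTUTIL is an assumed override hook; it defaults to certutil from nss-tools.
CERTUTIL="${CERTUTIL:-certutil}"

# Print one "prefix:directory" line per NSS database found under $1.
# cert8.db is the legacy dbm format, cert9.db the newer sql format;
# ~/.pki/nssdb is the shared database Chromium uses on Linux.
find_nss_dbs() {
    for db in "$1"/*/.mozilla/firefox/*/cert8.db \
              "$1"/*/.mozilla/firefox/*/cert9.db \
              "$1"/*/.pki/nssdb/cert9.db; do
        [ -f "$db" ] || continue    # an unmatched glob stays literal: skip it
        case "$db" in
            */cert8.db) echo "dbm:${db%/*}" ;;
            *)          echo "sql:${db%/*}" ;;
        esac
    done
}

# Import certificate file $1 under nickname $2 into every database below $3.
# Prints "added", "present" or "FAILED" per database; returns 1 if any
# import failed and 2 if the certificate file is unreadable.
deploy_ca() {
    cert=$1; nick=$2; root=$3
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    find_nss_dbs "$root" | (
        rc=0
        while IFS= read -r db; do
            # -L -n exits non-zero when the nickname is absent, so reruns are no-ops.
            if "$CERTUTIL" -L -n "$nick" -d "$db" </dev/null >/dev/null 2>&1; then
                echo "present $db"
            # Same call as in the answer: C = trusted CA for server certs, T = for client certs.
            elif "$CERTUTIL" -A -n "$nick" -t 'CT,,' -d "$db" < "$cert"; then
                echo "added $db"
            else
                echo "FAILED $db"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Usage: sh deploy-ca.sh /path/to/certificate.pem 'Certificate Name' /home
if [ "$#" -eq 3 ]; then deploy_ca "$@"; fi
```

Only databases that already exist are touched, so profiles created later need another run.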