Because Thunderbird is based on the same platform as Firefox, you should be able to use the same tools as Firefox would use.
There are several options you can use, listed from simplest to most complex:
1. It may be built-in!
Thunderbird has experimental support for auto-importing certificates from the OS Certificate store.
Here's how to enable it manually:
- Open the menu and click 'Options'
- Go to the 'Advanced' tab
- Click 'Config Editor'
- Click 'I accept the risk!' if prompted to do so.
- Search for `security.enterprise_roots.enabled`
- Double-click `security.enterprise_roots.enabled` to set it to true.
You can automate this by deploying a config file to the computers.
2. Deploy a default profile
You can add the certificate to your own profile, then copy your profile's `cert8.db` file to the main program folder. Any new profile that is created on the computer will then use that version of `cert8.db`.
Unfortunately, this will not help for any user who has already opened Thunderbird because their profiles have already been created.
See https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Thunderbird_Enterprise_Tips#Using_a_private_CA_certificate for more info.
3. Deploy a config file
As mentioned and linked above in option #1, Mozilla products support deploying a configuration file in `C:\Program Files (possibly x86)\Mozilla Thunderbird\defaults\pref\autoconfig.js`.
You can put a script in that file which adds your certificate to the certificate store. Here's an example:
```js
var cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
var observer = {
  observe: function observe(aSubject, aTopic, aData) {
    var certdb = Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB);
    var certdb2 = certdb;
    // Use nsIX509CertDB2 where it exists; otherwise keep nsIX509CertDB.
    try {
      certdb2 = Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB2);
    } catch (e) {}
    // "C,C,C" trusts the certificate as a CA for SSL, e-mail and object signing.
    certdb2.addCertFromBase64(cert, "C,C,C", "");
  }
};
Components.utils.import("resource://gre/modules/Services.jsm");
// Run the import once the user's profile has been loaded.
Services.obs.addObserver(observer, "profile-after-change", false);
```
4. Mozilla's `certutil` executable
You can create a login script that runs `certutil` to add the certificate to the user's profile. This forum post has an example script (for Firefox), of which the important part is copied below (with modifications for Thunderbird):
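```vbs
Set WshShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const OverWriteFiles = True
'Placeholder values: replace these with the paths and name for your environment.
strCertutilPath = "<path to Mozilla certutil.exe>"
strCertificateFilePath = "<path to CA certificate file>"
strLocalCertificateAuthorityName = "<CA nickname>"
strTrustAttributes = "C,C,C"
strAppDataDir = WshShell.ExpandEnvironmentStrings("%APPDATA%")
strThunderbirdProfilesDir = strAppDataDir & "\Thunderbird\Profiles\"
Set arrThunderbirdProfileList = objFSO.GetFolder(strThunderbirdProfilesDir).SubFolders
For Each ThunderbirdProfile In arrThunderbirdProfileList
    'Create a backup of the old cert8.db file. This line is optional.
    objFSO.CopyFile ThunderbirdProfile & "\cert8.db" , ThunderbirdProfile & "\cert8.db.old", OverWriteFiles
    'Add the local CA certificate to cert8.db and assign appropriate trust levels.
    Call WshShell.Run(Chr(34) & strCertutilPath & Chr(34) & " -A -n " & Chr(34) & strLocalCertificateAuthorityName & Chr(34) & " -i " & Chr(34) & strCertificateFilePath & Chr(34) & " -t " & Chr(34) & strTrustAttributes & Chr(34) & " -d " & Chr(34) & ThunderbirdProfile & Chr(34), 0, true)
Next
```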
(Note: Do not confuse this with Microsoft's program of the same name)
5. You can use a management tool
CCK2 is a third-party management tool for Mozilla products. See its documentation for more details.