Deploy root certificate to Firefox on Mac OS X

8

3

I want to know how to deploy a root certificate for Firefox on Mac OS X. I've found some solutions to do it on Windows and they work like a charm. Now I want to do the same on Mac OS X. We have many clients with this OS and it would be very wasteful if we had to do it manually on the clients. I'm looking for a solution where I don't have to make any user input on the machine.

I've found the OS X alternative to certutil -> security, but with security I can only add the certificate to the keychain. It seems that Firefox doesn't use the keychain to check the certificates.

How can I add the certificate to the user specific cert-store?

Michael Walter

Posted 2013-07-19T09:13:25.143

Reputation: 221

Just for those stumbling here via a search and trying to add a root CA to the system store on macOS: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ca.crt will do the trick from the command line – None – 2018-11-12T02:56:51.323

Answers

5

Firefox uses its own certificate storage. So if you add a certificate to one Firefox, you should be able to determine the changed file(s) inside the user's Firefox profile and deploy them to every other user. Alternatively, find the main certificate store inside the Firefox.app and replace that with a certificate store containing your root cert.

UPDATE

The file you are interested in is ~/Library/Application Support/Firefox/Profiles/[profile-id]/cert8.db. Have a look at https://sadique.io/blog/2012/06/05/managing-security-certificates-from-the-console-on-windows-mac-os-x-and-linux/ for more information. Scroll down to the Firefox section.

The downside of that approach is that the user might lose already added root certificates.

heiglandreas

Posted 2013-07-19T09:13:25.143

Reputation: 1 153

That link is now dead. – Jouni K. Seppänen – 2015-06-22T11:48:35.660

@JouniK.Seppänen - Thanks for informing: I've updated the link ;) – heiglandreas – 2015-06-22T12:03:28.030

Hello @JouniK.Seppänen, I am the author of the blog post. I moved my blog's address and the article is currently at http://sdqali.in/blog/2012/06/05/managing-security-certificates-from-the-console---on-windows-mac-os-x-and-linux/ – sdqali – 2016-07-03T18:51:33.560

Easier is the answer from @cantonese, super easy, clean and makes Firefox use the system certificates. – None – 2018-11-12T02:50:37.817

4

Starting with Firefox 63, you can set security.enterprise_roots.enabled to true (via about:config) to configure Firefox to use the OS Keychain as its trusted root certificate store.

This will not be back-ported to Firefox 60 ESR.

For additional information, see this bug report 1300420

cantonese

Posted 2013-07-19T09:13:25.143

Reputation: 41

This works, is easy and above all CLEAN – None – 2018-11-12T02:47:34.117

0

Spent half a day, but solved the problem!

The link in the previous answer to the deleted blog record suggests replacing cert8.db with a premade one - it is a very bad idea, as the user will lose all already accepted certificates.

Certificates have to be added to the cert8.db using the NSS tool certutil.

And I successfully managed to build the latest version of NSS Tool 3.23 on Mac OS - El Capitan. You can download the archive from my DropBox.

Hope it helps others.

Briksins

Posted 2013-07-19T09:13:25.143

Reputation: 101

FYI: brew now has it – A T – 2017-10-05T10:49:10.857

brew has certutil under the nss package – Just Jake – 2017-10-05T23:56:22.033
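
One way to script what the last answer describes, adding the root CA to each profile's existing database with NSS certutil instead of replacing cert8.db; this is an added example, not code from any poster in this thread. The function names, the CERTUTIL override and the script name are hypothetical, and the cert9.db branch (the SQLite-format store of newer Firefox releases) goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example (not from the thread): import a root CA into every Firefox
# profile of one user with NSS certutil, leaving existing entries in place.
# Assumption: certutil is on PATH; override with the CERTUTIL variable.
CERTUTIL="${CERTUTIL:-certutil}"

# Print the NSS database spec for a profile directory, or nothing when the
# directory holds no certificate database.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"   # SQLite store (cert9.db) of newer Firefox
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"   # legacy store (cert8.db) named in the thread
    fi
}

# import_root_ca PROFILES_DIR NICKNAME CERT_FILE
# Adds CERT_FILE as a CA trusted for TLS ("C,,") to each profile, skipping
# profiles that already hold NICKNAME. Prints the number of imports.
import_root_ca() {
    profiles_dir=$1 nickname=$2 cert=$3 imported=0
    for profile in "$profiles_dir"/*/; do
        profile=${profile%/}
        db=$(nss_db_spec "$profile")
        [ -n "$db" ] || continue
        if "$CERTUTIL" -L -d "$db" -n "$nickname" >/dev/null 2>&1; then
            continue                      # already present, nothing to do
        fi
        "$CERTUTIL" -A -d "$db" -n "$nickname" -t "C,," -i "$cert" >&2 || return 1
        imported=$((imported + 1))
    done
    echo "$imported"
}

# Usage: sh add-firefox-ca.sh NICKNAME CERT_FILE   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    import_root_ca "$HOME/Library/Application Support/Firefox/Profiles" "$1" "$2"
fi
```

Run it in each user's context while Firefox is closed, since certutil writes to the profile's certificate database directly.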