Ubuntu – Add certificate authorities system-wide on Firefox

certificates firefox

I want to add some root CAs that don't come with the default Firefox on Ubuntu, but I don't know how.

I tried adding them to the local certificates with certutil, but it didn't work. It messed up my certificates database.

$ certutil -A -d .mozilla/firefox/kek3dogy.default/ -i /usr/local/share/ca-certificates/FNMT_ACRAIZ.crt -n "Certificado Raiz FNMT" -t "TCu,Cuw,Tuw"

and then

$ certutil -L -d .mozilla/firefox/kek3dogy.default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority                      ,,   
VeriSign Class 3 Secure Server CA - G3                       ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
DigiCert High Assurance CA-3                                 ,,   
GlobalSign Domain Validation CA - G2                         ,,   
GeoTrust SSL CA                                              ,,   
StartCom Class 2 Primary Intermediate Server CA              ,,   
Google Internet Authority                                    ,,   
Certificado Raiz FNMT                                        CT,C,c
USERTrust Legacy Secure Server CA                            ,,   
HP Jetdirect 2B0EAD20                                        ,,   
Akamai Subordinate CA 3                                      ,,   
VeriSign, Inc.                                               ,,   
Thawte SGC CA                                                ,,   
VeriSign Class 3 Secure Server CA - G2                       ,,

The certificate won't show up on Firefox. I tried this several times, even deleting the profile, and it showed up once on the Firefox interface, but completely empty.

Anyways, that's only for a user, and I want to add them system-wide. Is there a system-wide database I can modify? How?

If there is no system-wide database I can modify, I can rely on an X start script (such as the ones in /etc/X11/Xsession.d/, or a script called by the xdg autostart system in /etc/xdg/autostart/) to modify the user profile at session start, but I need a solution that works. I can't even load certificates on the user profiles from the command line now!

Best Answer

The problem here is that Firefox does not have a 'central' location where it looks for certificates. It just looks into the current profile. That's why modifying /usr/share/ca-certificates or other similar directories won't work with Firefox. This is something that has been requested for years; see issues 620373, 449498 and 454036 (and probably there are many others).

So you are left with just two kinds of solutions: either modify each profile, or modify the behaviour of Firefox. I know this is not what you are looking for, but there are no ways because Firefox only looks at users' profiles.

Having said that, the solution I would choose is using hard or symbolic links; specifically, I'd go with hard links. This solution is surely the easiest and probably the best, though I don't have enough information to judge.

What you have to do is basically remove the cert8.db and key3.db files for each profile and replace them with links to the "most complete" cert8.db and key3.db. If you go with hard links, the original cert8.db and key3.db will be indistinguishable from the new ones.

Remember to adjust permissions to fit your needs. Most likely, you will need to chmod a+rw so that everybody will be able to add/remove a certificate. If you want only certain users to be able to add/remove certificates, you can create a group, assign the two databases to that group and give +w permission just to the group.
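
The hard-link approach from the answer above, as an added example that is not part of the original answer. The function names and the master directory argument are hypothetical; only the cert8.db and key3.db file names come from the page. Hard links only work when the master directory and the profiles are on the same filesystem, so the script restores the profile's own database if linking fails.

```shell
#!/bin/sh
# Added sketch: share one cert8.db/key3.db pair across Firefox profiles via hard links.
# link_profile_dbs / link_all_profiles are hypothetical names, not Firefox or NSS tools.

# link_profile_dbs MASTER_DIR PROFILE_DIR [GROUP]
link_profile_dbs() {
    master=$1 profile=$2 group=${3:-}
    # Refuse to touch the profile unless both master databases exist.
    for db in cert8.db key3.db; do
        [ -f "$master/$db" ] || { echo "missing $master/$db" >&2; return 1; }
    done
    for db in cert8.db key3.db; do
        src=$master/$db dst=$profile/$db
        # Already the same file: skip, so the function is safe to re-run at login.
        if [ -e "$dst" ] && [ "$src" -ef "$dst" ]; then
            continue
        fi
        # Keep the profile's own database so the change can be undone.
        [ -e "$dst" ] && mv -f "$dst" "$dst.orig"
        # ln fails across filesystems; put the backup back in that case.
        if ! ln "$src" "$dst"; then
            [ -e "$dst.orig" ] && mv -f "$dst.orig" "$dst"
            echo "cannot hard-link $src into $profile" >&2
            return 1
        fi
    done
    # Tighter alternative to chmod a+rw: only members of GROUP may modify the store.
    if [ -n "$group" ]; then
        chgrp "$group" "$master/cert8.db" "$master/key3.db" || return 1
        chmod 664 "$master/cert8.db" "$master/key3.db"
    fi
}

# link_all_profiles MASTER_DIR FIREFOX_ROOT [GROUP]
# FIREFOX_ROOT is one user's profile root, e.g. ~/.mozilla/firefox.
link_all_profiles() {
    master=$1 ff_root=$2 group=${3:-}
    for p in "$ff_root"/*/; do
        # Only directories that already hold a certificate database are profiles.
        [ -f "${p}cert8.db" ] || continue
        link_profile_dbs "$master" "${p%/}" "$group" || return 1
    done
}
```

Every profile linked this way trusts whatever is in the master store, so write access to that one file pair decides who can add a root CA for all users.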