Ubuntu – Importing PKCS#12 (.p12) files into Firefox From the Command Line

command linefirefoxSecurity

I've posted this question up on #Ubuntu and #Firefox Forums, and really could do with some help.. Anyone know where i could look or help with the answer. I'm hoping the power of social media will come through…
I have a need to perform the following action:

Firefox 3.6.x:


open Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates -> Import
However i need the same functionality from the bash command line.

So far I've established that the following command is supposed to be used:

certutil -A -t “u,u,u” -d /home/df001/.mozilla/firefox/qe5y5lht.tc.default/ -n “mycert” -i client.p12

This executes with no isses, however, doesn't show up in any Firefox Certificate store.

However, I have noted that prior to running this command, i have a cert8.db key3.db and secmod.db file in the above folder. After running the command the certutil seems to have created a cert9.db, key4.db and pkcs12.txt file

Listing the contents using the command:

certutil -L -d sql:/home/df001/.mozilla/firefox/qe5y5lht.tc.default/

does seem to confirm my attempts of importing files into a certificate folder of some kind have worked. because i get

Certificate Nickname Trust Attributes

Thawte SSL CA „ Go Daddy Secure
Certification Authority „ Thawte SGC
CA „ Entrust Certification Authority
– L1C „ My Nero CT,C,c mynero P„ davidfield – Internet Widgits Pty Ltd

So, having tried this, and heading back over to the internet, I came across this command:

pk12util -d /home/df001/.mozilla/firefox/qe5y5lht.tc.default/ -i client.p12 -n “David Field” -P “cert8.db”

this again, appears to be importing something somewhere, however, again, Viewing certs from the Firefox interface doesn't show the imported Cert.

I'm surmising here on reading that the certutil and pk12util are creating a new NSS database, which Firefox isn't reading.

So my question is, how can i get the p12 cert from the command line so it displays in the Firefox Certificate manager interface?

Why have i posted this here? Why not post on the Firefox forum? Well i will copy and post the same question there as well, however the ability to use the command line to do this is important, as I have potentially 2000 machines which will need a user cert imported into Firefox via a p12 file. I need to do this in the form of a script, i thought the hard part was going to be making the p12 file from the Microsoft 2003 CA, turns out thats easy.

I can't just import via the GUI and copy over cert8.db x 2000, i can't ask users to use the CA web interface as its for VPN access, the users are off site, and they need the VPN to get to the cert server..

Is there any person out there who can help?

By the way, i don't have the tor button installed.

Best Answer

Thanks for the reply, As it happens over the last 24hr i have tracked down why this was not working.

I tested the same c ommand on Suse, Debian 6 and fedora, and it worked fine on all of them which i found a bit strange, however once i updated Ubuntu 10.04 it worked. so i checked what the last updated had supplied, and it seems the recent OpenSSL update has resolved this issue.

To confirm this, once back in the office i installed the same open SSL update, and it all worked fine.

As a final check i tried this on a fresh Ubuntu 10.04.1 install, it failes, run updates it works..

to be very specific. the pk12 command

pk12util -d /home/df001/.mozilla/firefox/qe5y5lht.tc.default/ -i client.p12