Importing .cer certificates into Firefox?

mhaegele
Posts: 293
Joined: 18 Aug 2010, 13:55

Importing .cer certificates into Firefox?

Post by mhaegele »

Hello,
does anyone have a script that manages to import .cer certificates (e.g. root CA: root-01.cer and intermediate CA: proc-07.cer)
into Firefox?
With certutil, as for IE, that unfortunately doesn't work so easily ...
Does it work at all with .cer certificates?

(I have been experimenting with mozilla-nss:)

Code snippet:

Code:

[DosInAnIcon_certutil]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "ca-root-05" -t "TC,TC,TC" -i %SCRIPTPATH%\CA-ROOT-05.cer -d "$akt_prefs_path$"

Thanks in advance

MH
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Importing .cer certificates into Firefox?

Post by SisterOfMercy »

You indeed need the certutil from Mozilla NSS. Compiling it yourself isn't too hard, but I have to compile 3.18 myself, and then I can share it here, if anybody wants to.

This is part of my firefox setup script, which implements various things from this package: wiki/doku.php?id=userspace:mozilla_nss

Code:

[Actions]
requiredWinstVersion >= "4.10.8.6"

DefVar $UninstallProgram32$
DefVar $LogDir$
DefVar $ProductId$  
DefVar $MinimumSpace$
DefVar $InstallDir32$
DefVar $InstallDirNSS32$
DefVar $ExitCode$
DefVar $INST_SystemType$
DefVar $INST_MsVersion$
DefVar $gce_installation$
DefStringList $profileslist$

DefVar $profiles_ini$
DefVar $prefs_path$
DefVar $prefs_IsRelative$

set $INST_MsVersion$ = GetMsVersionInfo
Set $INST_SystemType$ = GetSystemType
Set $LogDir$ = "%SystemDrive%\tmp"
Set $ProductId$       = "mozilla-firefox"
Set $MinimumSpace$    = "500 MB"
Set $InstallDir32$      = "%ProgramFiles32Dir%\Mozilla Firefox"
Set $InstallDirNSS32$    = "%ProgramFiles32Dir%\Mozilla NSS"
set $profileslist$ = getProfilesDirList

comment "Generate local opsi-client certificate"
Patches_opsiclientd_cert $LogDir$ + "\" + $ProductId$ + "\opsiclientd.conf"
DosInAnIcon_generateCert

comment "import certificates in mozilla certificatestore"	
DosInAnIcon_certutil
for $value$ in $profileslist$ do sub_install_cert_existing_profiles

Files_install_32
comment "Patch Registry"
Registry_install /32Bit
Registry_install_AllProfiles /AllNTUserDats
comment "Create shortcuts"
LinkFolder_install
Files_install_AllProfiles /AllNtUserProfiles
	
[Patches_opsiclientd_cert]
Add [req] default_bits = 1024
Add [req] encrypt_key = yes
Add [req] distinguished_name = req_dn
Add [req] x509_extensions = v3_req
Add [req] prompt = no
 
Add [req_dn] C=NL
Add [req_dn] ST=Somewhere
Add [req_dn] L=Nowhere
Add [req_dn] O=Anarchy
Add [req_dn] OU=OPSI-Client
Add [req_dn] CN=%IPName%
Add [req_dn] emailAddress=ict@domain.com
 
Add [v3_req] nsCertType = server
Add [v3_req] basicConstraints = CA:FALSE
Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Add [v3_req] subjectAltName = @alt_names
 
Add [alt_names] DNS.1 = %IPName%
Add [alt_names] DNS.2 = localhost	
	
[DosInAnIcon_generateCert]
"%ProgramFiles32Dir%\openssl\bin\openssl.exe" req -new -x509 -days 6666 -nodes -config "$LogDir$\$ProductId$\opsiclientd.conf" -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem"

[DosInAnIcon_certutil]
; We use the empty bookmarks.html as password file. Any other 0-byte file works too.
"$InstallDirNSS32$\certutil.exe" -N -f "%ScriptPath%\files\bookmarks.html" -d "$InstallDir32$\browser\defaults\profile"
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$InstallDir32$\browser\defaults\profile"
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$InstallDir32$\browser\defaults\profile"
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Client certificate" -t "PTC,PTC,PTC" -i "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -d "$InstallDir32$\browser\defaults\profile"

;"$InstallDirNSS32$\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Server certificate" -t "PTC,PTC,PTC" -i "%ScriptPath%\files\opsiconfd.pem" -d "$InstallDir32$\browser\defaults\profile"

[DosInAnIcon_createdb_existing_profiles]
"$InstallDirNSS32$\certutil.exe" -N -f "%ScriptPath%\files\bookmarks.html" -d "$prefs_path$"

[DosInAnIcon_certutil_existing_profiles]
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$prefs_path$"
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$prefs_path$"

[Files_install_32]
; Make sure directory exists, so certutil will run correctly.
CheckTargetPath = "$InstallDir32$\browser\defaults\profile"

[Registry_install_AllProfiles]
; Remove stored start menu order
deletekey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu]

[sub_install_cert_existing_profiles]
Set $profiles_ini$ = "$value$" + "\Application Data\Mozilla\Firefox\profiles.ini"
if FileExists($profiles_ini$)
	Set $prefs_path$ = GetValueFromInifile($profiles_ini$,"Profile0","Path","")
	Set $prefs_IsRelative$ = GetValueFromInifile($profiles_ini$,"Profile0","IsRelative","")
	if ($prefs_IsRelative$ = "1")
		comment "Path to profile is relative"
		Set $prefs_path$ = "$value$" + "\Application Data\Mozilla\Firefox\" + $prefs_path$
	else
		comment "Path to profile is absolute"
	endif
	
	if ((NOT (FileExists($prefs_path$+"\key3.db"))) OR (NOT (FileExists($prefs_path$+"\cert8.db")))) OR (NOT (FileExists($prefs_path$+"\secmod.db")))
		DosInAnIcon_createdb_existing_profiles
	endif
	DosInAnIcon_certutil_existing_profiles
endif

Please write in German, when I'm responding in the German-speaking part of the forum!
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Importing .cer certificates into Firefox?

Post by SisterOfMercy »

Please write in German, when I'm responding in the German-speaking part of the forum!
mhaegele
Posts: 293
Joined: 18 Aug 2010, 13:55

Re: Importing .cer certificates into Firefox?

Post by mhaegele »

SisterOfMercy wrote: You indeed need the certutil from Mozilla NSS. Compiling it yourself isn't too hard, but I have to compile 3.18 myself, and then I can share it here, if anybody wants to.

This is part of my firefox setup script, which implements various things from this package: wiki/doku.php?id=userspace:mozilla_nss

Hello,
unfortunately I only partly understand the script and the mechanisms of certificate import in Firefox;
to me it looks as if the script above partly creates a new certificate, or rather adapts the certificate for opsi, none of which I would need?!

Can someone explain it to me (or perhaps point to the code that does it)?
How can I push the .cer certificates I received from a software vendor into Mozilla's certificate store
with certutil etc.?
It would be nice if the certificates already present were kept.

I have 2 downloaded certificates:
  • ca-root-05.cer (root certificate)
  • ca-proc-07.cer (intermediate certificate)
These are to go into the Firefox certificate store ...

Thanks for any tips

MH
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Importing .cer certificates into Firefox?

Post by SisterOfMercy »

You would use these parts, to import your own:

Code:

"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$InstallDir32$\browser\defaults\profile"
"$InstallDirNSS32$\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$InstallDir32$\browser\defaults\profile"

Maybe tomorrow I can clean the script to only use your own ready-made certificates.
Please write in German, when I'm responding in the German-speaking part of the forum!
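
An added example (not from the thread or from any poster's script) that generalizes the import step above: it reads every profile from profiles.ini rather than only Profile0, creates a database only where the store files are missing, and builds the `certutil -A` calls for the two certificates named in the question. The certutil install path, the nicknames, the sample profiles.ini and the narrower trust strings (`C,,` for the root, `,,` for the intermediate) are assumptions.

```python
import configparser
import ntpath

# Assumptions for this example (not from the thread's script): install path,
# nicknames and the trust strings chosen below.
CERTUTIL = r"C:\Program Files\Mozilla NSS\certutil.exe"
# Trust is "SSL,email,object signing". The root is a trusted CA for TLS server
# certificates only; the intermediate gets no trust of its own and is accepted
# because it chains to the root.
CERTS = [
    ("ca-root-05", r"files\ca-root-05.cer", "C,,"),
    ("ca-proc-07", r"files\ca-proc-07.cer", ",,"),
]
STORE_FILES = ("key3.db", "cert8.db", "secmod.db")  # same files the thread's script checks

# Constructed sample profiles.ini with one relative and one absolute profile.
SAMPLE_INI = r"""
[General]
StartWithLastProfile=1
[Profile0]
IsRelative=1
Path=Profiles/a1b2c3d4.default
[Profile1]
IsRelative=0
Path=D:\ffprofiles\work
"""

def profile_dirs(ini_text, firefox_dir):
    """Return the directory of every [ProfileN] section, not only Profile0."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(ini_text)
    dirs = []
    for section in ini.sections():
        if section.lower().startswith("profile") and ini.has_option(section, "Path"):
            path = ini.get(section, "Path").replace("/", "\\")
            if ini.get(section, "IsRelative", fallback="1") == "1":
                path = ntpath.join(firefox_dir, path)
            dirs.append(ntpath.normpath(path))
    return dirs

def import_commands(profile_dir, existing_files, pwfile):
    """Build certutil argument lists; -N (new database) only if the store is incomplete."""
    cmds = []
    if not all(name in existing_files for name in STORE_FILES):
        cmds.append([CERTUTIL, "-N", "-f", pwfile, "-d", profile_dir])
    for nick, cert, trust in CERTS:
        cmds.append([CERTUTIL, "-A", "-f", pwfile, "-n", nick,
                     "-t", trust, "-i", cert, "-d", profile_dir])
    return cmds
```

Each returned list can be passed to `subprocess.run` on the client; `-A` adds to the existing database, so certificates already in a profile stay in place.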
holgerv
Posts: 288
Joined: 20 Aug 2012, 09:35

Re: Importing .cer certificates into Firefox?

Post by holgerv »

SisterOfMercy wrote: You indeed need the certutil from Mozilla NSS. Compiling it yourself isn't too hard, but I have to compile 3.18 myself, and then I can share it here, if anybody wants to.

Importing certificates also works with older NSS versions, and those are also available precompiled from Mozilla:
ftp://ftp.mozilla.org/pub/mozilla.org/s ... 3.12.4.zip
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Importing .cer certificates into Firefox?

Post by SisterOfMercy »

holgerv wrote: Importing certificates also works with older NSS versions, and those are also available precompiled from Mozilla:

But as I said on the wiki you can also get the newer compiled version here: http://www.gcecad-service.nl/downloads/mozilla-nss.zip
No worries, choose whatever you like :)
Please write in German, when I'm responding in the German-speaking part of the forum!
ewr
Posts: 1
Joined: 14 Sep 2015, 10:12

Re: Importing .cer certificates into Firefox?

Post by ewr »

Here is a newer build (NSS 2.20) of certutil.exe, together with a script to make your own CA certificates trusted in Firefox for all users of a machine: https://github.com/christian-korneck/fi ... /releases/
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Importing .cer certificates into Firefox?

Post by SisterOfMercy »

I hope you mean NSS 3.20 :D

I haven't gotten around to updating my link from 3.19.3 to 3.20 yet.
Please write in German, when I'm responding in the German-speaking part of the forum!