Template for importing CA cert in Mozilla Firefox / Thunderbird
Script by uib Gmbh
Comments and improvements welcome
Tested with opsi 4.0.3
Full-Package at http://download.uib.de/opsi4.0/products/contribute/full-package/
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
; Copyright © uib gmbh (www.uib.de)

[Actions]
DefVar $dummy$
DefVar $PREF_FILE$
DefVar $preftype$
DefStringList $profiles$
DefVar $akt_profile_ini$
DefVar $akt_prefs_path$
DefVar $AppData$
DefVar $rel_prefs_path$
DefVar $mozilla_userpath$
DefVar $INST_OpsiclientdCertificateFile$
DefVar $INST_OpsiclientdDir$

if getMsVersionInfo >= "6"
set $AppData$ = "\AppData\Roaming"
else
comment "not supported OS"
endif

Set $preftype$ = "user_pref"
Set $PREF_FILE$ = "prefs.js"
Set $INST_OpsiclientdDir$ = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"

comment " Example for Mozilla Firefox"
; populate default db see section CertifikatMozillalösung
set $akt_prefs_path$ ="%ProgramFiles32Dir%\Mozilla Firefox\defaults\profile"
; create a new NSS database if any of the three database files is missing
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
; Creating New Security Databases
DosInAnIcon_createNewSecurityDatabase
endif
DosInAnIcon_certutil
Set $mozilla_userpath$ = "\Mozilla\Firefox"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file

comment " Example for Mozilla thunderbird"
; populate default db see section CertifikatMozillalösung
set $akt_prefs_path$ ="%ProgramFiles32Dir%\Mozilla Thunderbird\defaults\profile"
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
; Creating New Security Databases
endif
DosInAnIcon_certutil
Set $mozilla_userpath$ = "\Thunderbird"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file

[comment " simple template for using mozilla nss tools "]
;http://www.mozilla.org/projects/security/pki/nss/tools/
;http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

[dosbatch_profiledir]
@echo off
dir "%ProfileDir%" /b

[sub_patch_prefs_file]
;Set $akt_profile_ini$ = "%ProfileDir%\"+"$x$"+$AppData$+"\Mozilla\Firefox\profiles.ini"
Set $akt_profile_ini$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\profiles.ini"
if FileExists($akt_profile_ini$)
Set $rel_prefs_path$ = GetValueFromInifile($akt_profile_ini$,"Profile0","Path","")
; try to handle a profiles.ini whose Path is absolute, not relative
; http://kb.mozillazine.org/Profiles.ini_file
; profiles.ini IsRelative=1 (true) IsRelative=0 (false)
; for example Path=D:\Mozilla\Firefox\Profiles\sheldon
Set $dummy$ = GetValueFromInifile($akt_profile_ini$,"Profile0","IsRelative","")
if ( $dummy$ = "1" )
comment "relative path"
; build the path from $mozilla_userpath$ (not a fixed "\Mozilla\Firefox")
; so that the Thunderbird loop resolves the Thunderbird profile directory
Set $akt_prefs_path$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\"+$rel_prefs_path$
else
comment "absolute path"
Set $akt_prefs_path$ = $rel_prefs_path$
endif
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
DosInAnIcon_createNewSecurityDatabase
endif
DosInAnIcon_certutil
endif

[DosInAnIcon_createNewSecurityDatabase]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -N -d "$akt_prefs_path$"

[DosInAnIcon_certutil]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSISERVER" -t "TC,TC,TC" -i %SCRIPTPATH%\opsiconfd.pem -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSISERVER" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"

[Files_copy_default_db]
copy %SCRIPTPATH%\nss-3.12.4\db\*db "$akt_prefs_path$\"

[CertifikatMozillalösung]
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000135.html
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000139.html
I have noticed modutil with -create option will create a secmod.db, cert8.db and key3.db (9?) files, unless you specify -nocertdb option. As stated in here:
http://bahut.alma.ch/2011/07/importing-root-certificates-into.html
A very late reply, but since it may be useful to others, here it is:
After manually importing the certificate(s), save a copy of the “cert8.db” file from your profile directory. Copy that cert8.db file to the program directory (“C:\Program Files (x86)/Mozilla Thunderbird”) into a “/defaults/profile” subdirectory.
That works well, for both Firefox and Thunderbird, for new profiles. For existing profiles, you need to overwrite their cert8.db in their user profile.
An alternative to creating the master cert8.db by manually importing certificates through the Mozilla GUI, is to use the libnss certutil command as described in my first message in this thread.
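
The script above finishes each import with `certutil -L`, and `-t "TC,TC,TC"` marks both certificates as a trusted CA for server certificates (C) and for client certificates (T) in all three columns: SSL, S/MIME and code signing. The following Python audit of that listing is an added example, not part of the uib script; the sample listing is constructed, and the policy that only the SSL column needs `C` is an assumption of this example.

```python
import re

# Constructed sample of `certutil -L -d <profile>` output after the import.
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

certifikatOPSISERVER                                         CT,CT,CT
certifikatOPSIclientd                                        CT,CT,CT
Example Internal Root CA                                     C,,
"""

EXPECTED = ("certifikatOPSISERVER", "certifikatOPSIclientd")  # nicknames from the script
COLUMNS = ("ssl", "smime", "codesign")
# A row is: nickname, two or more spaces, three comma-separated flag fields.
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return {nickname: {"ssl": set, "smime": set, "codesign": set}}."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or unrelated output
        fields = m.group("trust").split(",")
        # Flags are compared as sets, so "TC" and "CT" are equivalent.
        certs[m.group("nick")] = dict(zip(COLUMNS, (set(f) for f in fields)))
    return certs


def audit(text, expected=EXPECTED, allowed=None):
    """List (nickname, column, extra_flags) for missing or over-trusted entries."""
    # Assumed policy: CA trust for server certificates in the SSL column only.
    allowed = allowed or {"ssl": {"C"}, "smime": set(), "codesign": set()}
    certs = parse_listing(text)
    findings = []
    for nick in expected:
        if nick not in certs:
            findings.append((nick, "missing", ""))
            continue
        for col in COLUMNS:
            extra = certs[nick][col] - allowed[col] - {"u"}  # "u" = user cert marker
            if extra:
                findings.append((nick, col, "".join(sorted(extra))))
    return findings
```

Feed `audit()` the captured output of the final `certutil -L -d` call for each profile; an empty list means both nicknames are present and carry no trust beyond the allowed set.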