2009-09-16 106 views
36

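Programmatically install certificate into Mozilla

Is there a way to programmatically install a certificate into Mozilla? We are trying to script everything to eliminate deviations between environments, so installing it by hand through the Mozilla preferences does not work for our needs. I assume there is a way to do it with certutil, but I am not sure of Mozilla's internals, etc.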

+0

See also the near-duplicate http://askubuntu.com/questions/244582/add-certificate-authorities- but it does not currently offer a lot of added value. – tripleee

+0

A better approach might be to use the Selenium driver to accept the certificate. http://stackoverflow.com/questions/24507078/how-to-deal-with-certificates-using-selenium – tavak

Answers

20

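The easiest way is to import the certificate into a sample Firefox profile and then copy the cert8.db to the users you want to equip with the certificate.

First import the certificate by hand into the Firefox profile of the sample user. Then copy

  • /home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db (Linux/Unix)

  • %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db (Windows)

into the users' Firefox profiles. That's it. If you want to make sure that new users get the certificate automatically, copy cert8.db to:

  • /etc/firefox-3.0/profile (Linux/Unix)

  • %programfiles%\firefox-installation-folder\defaults\profile (Windows)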

+2

Bingo. Now that I know where the certificate database is located, I can use certutil from there. Thanks. – PHeath

+4

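It's not that simple. Firefox works after a clean installation. If the certificate database in cert8.db is deleted, it is regenerated the next time Firefox starts. This strongly suggests that there is a system-wide default store of CA certificates. Firefox's source code [shows](https://github.com/mozilla/gecko-dev/blob/master/security/nss/lib/ckfw/builtins/Makefile#L52) that the built-in CA certificates are in fact hard-coded into the `firefox` executable. They reside in [security/nss/lib/ckfw/builtins/certdata.txt](https://github.com/mozilla/gecko-dev/blob/master/security/nss/lib/ckfw/builtins/certdata.txt) – yanychar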

+2

On a Mac, it is located at: /Users/${USER}/Library/Application Support/Firefox/Profiles/hpc6g9rx.default/cert8.db –

26

Here is an alternative way that does not overwrite the existing certificates: [bash fragment for Linux systems]

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
# Add the CA to every cert8.db found in the user's profiles (paths may contain spaces)
find ~/.mozilla* ~/.thunderbird -name "cert8.db" -print0 |
while IFS= read -r -d '' certDB
do
    certDir=$(dirname "${certDB}")
    #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
    certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
done

You can find certutil in the libnss3-tools package (debian/ubuntu).

Source:
http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html

See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

+0

Wanted to thank you for this approach, fully automated, and it does not overwrite existing certificates. Should be the accepted answer – erjoalgo

4

On Windows 7 with Firefox 10, the cert8.db file is stored at %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\cert8.db. If you are an administrator, you can write a simple WMI application to copy the file to the user's respective folder.

Also, this worked for me, from http://www.appdeploy.com/messageboards/tm.asp?m=52532&mpage=1&key=&#52532

  1. Copy CERTUTIL.EXE from the NSS zip file (http://www.mozilla.org/projects/security/pki/nss/tools/) to C:\Temp\CertImport (I also placed the certificates I want to import there)

  2. Copy all the dlls from the NSS zip file to C:\Windows\System32

  3. Create a BAT file in %Appdata%\mozilla\firefox\profiles with this script...

    REM Run from %Appdata%\mozilla\firefox\profiles so that DIR lists the profile folders
    Set FFProfdir=%Appdata%\mozilla\firefox\profiles
    Set CERTDIR=C:\Temp\CertImport
    DIR /A:D /B > "%Temp%\FFProfile.txt"
    FOR /F "tokens=*" %%i in (%Temp%\FFProfile.txt) do (
    CD /d "%FFProfDir%\%%i"
    REM Keep a backup of the certificate database before changing it
    COPY cert8.db cert8.db.orig /y
    For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
    For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
    )
    DEL /f /q "%Temp%\FFProfile.txt"
    
  4. Execute the BAT file, with good results.

+0

Thanks, big man, thanks – Lanaru

1

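I had a similar issue where a client needed an authority certificate installed automatically for Windows 2000 users.

I created the following .vbs script to import the certificate into the currently logged-on user's Firefox certificate store.

The script needs to be placed in the directory containing a working copy of certutil.exe (the nss version), but it determines the location of the Firefox profile programmatically.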

Option Explicit 

On error resume next 

Const DEBUGGING    = true 
const SCRIPT_VERSION  = 0.1 
Const EVENTLOG_WARNING  = 2 
Const CERTUTIL_EXCUTABLE = "certutil.exe" 
Const ForReading = 1 


Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message 
Dim file, filename, filePath, fileExtension 

Dim WshShell   : Set WshShell   = WScript.CreateObject("WScript.Shell") 
Dim objFilesystem  : Set objFilesystem = CreateObject("Scripting.FileSystemObject") 
Dim certificates  : Set certificates  = CreateObject("Scripting.Dictionary") 
Dim objCertDir 
Dim UserFirefoxDBDir 
Dim UserFirefoxDir 
Dim vAPPDATA 
Dim objINIFile 
Dim strNextLine,Tmppath,intLineFinder, NickName 

vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%") 
strCertDirPath = WshShell.CurrentDirectory 
strCertutil  = strCertDirPath & "\" & CERTUTIL_EXCUTABLE 
UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox" 
NickName = "Websense Proxy Cert" 


Set objINIFile = objFilesystem.OpenTextFile(UserFireFoxDir & "\profiles.ini", ForReading) 

Do Until objINIFile.AtEndOfStream 
    strNextLine = objINIFile.Readline 

    intLineFinder = InStr(strNextLine, "Path=") 
    If intLineFinder <> 0 Then 
     Tmppath = Split(strNextLine,"=") 
     UserFirefoxDBDir = UserFirefoxDir & "\" & replace(Tmppath(1),"/","\") 

    End If 
Loop 
objINIFile.Close 

'output UserFirefoxDBDir 

If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then 
    Set objCertDir = objFilesystem.GetFolder(strCertDirPath) 
    Set files = objCertDir.Files 

    For each file in files 
     slashPosition = InStrRev(file, "\") 
     dotPosition = InStrRev(file, ".") 
     fileExtension = Mid(file, dotPosition + 1) 
     filename  = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1) 

     If LCase(fileExtension) = "cer" Then   
      strCmd = chr(34) & strCertutil & chr(34) &" -A -a -n " & chr(34) & NickName & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d " & chr(34) & UserFirefoxDBDir & chr(34) 
      'output(strCmd) 
      WshShell.Exec(strCmd) 
     End If   
    Next   
    WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message 
End If 

function output(message) 
    If DEBUGGING Then 
     Wscript.echo message 
    End if 
End function 

Set WshShell = Nothing 
Set objFilesystem = Nothing

11

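Just wanted to add to an old thread in the hope of helping other people. I needed to programmatically add a certificate to the Firefox database using GPO; this is how I did it for Windows

1, First download and unzip the precompiled Firefox NSS nss-3.13.5-nspr-4.9.1-compiled-x86.zip

2, Add the certificate manually to Firefox: Options --> Advanced --> Certificates --> Authorities --> Import

3, From the downloaded NSS package, run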

certutil -L -d c:\users\[username]\appdata\roaming\mozilla\firefox\[profile].default  

4, The above query will show you the certificate name and trust attributes, e.g.

my company Ltd        CT,C,C  

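5, Delete the certificate from step 2: Options --> Advanced --> Certificates --> Authorities --> Delete

6, Create a PowerShell script using the information from step 4 as follows. The script will get the user's profile path and add the certificate. This only works if the user has one Firefox profile (it needs some way to get the user's Firefox profile folder name)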

#Script adds Radius Certificate to independent Firefox certificate store since the browser does not use the Windows built in certificate store  


#Get Firefox profile cert8.db file from users windows profile path 
$ProfilePath = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\" 
$ProfilePath = $ProfilePath + (Get-ChildItem $ProfilePath | ForEach-Object { $_.Name }).ToString() 

#Update firefox cert8.db file with Radius Certificate 
certutil -A -n "UK my company" -t "CT,C,C" -i CertNameToAdd.crt -d $ProfilePath  

7, Create a GPO with a User Configuration to run the PowerShell script

Hope that helps save someone time

+0

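Thanks. Your solution works correctly for our Windows machines. In addition to your answer, certutil can also use network paths for the certificate file and the profile. – ozy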

1

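I was trying to achieve the same thing in PowerShell and wrote a script to perform various functions that can be selected interactively. Of course, it is fairly easy to modify the script to automate certain things rather than provide options.

I'm an infrastructure guy rather than a coder/programmer, so apologies if it's a bit cumbersome (but it does work!!).

Save the following as a PS1: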

################################################################################################## 
# 
# NAME: RegisterFireFoxCertificates.ps1 
# 
# AUTHOR: Andy Pyne 
# 
# DATE : 22.07.2015 
# 
# COMMENT: To provide options for listing, adding, deleting and purging 
# FireFox Certificates using Mozilla's NSS Util CertUtil 
# Source: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil 
# 
# NOTE: You need a copy of the NSS Util CertUtil and its associated DLLs
# The specific files I used were: 
# 
# certutil.exe, fort32.dll, freebl3.dll, libnspr4.dll, libplc4.dll, libplds4.dll, nspr4.dll, 
# nss3.dll, nssckbi.dll, nssdbm3.dll, nssutil3.dll, plc4.dll, plds4.dll, smime3.dll, 
# softokn3.dll, sqlite3.dll, ssl3.dll, swft32.dll 
# 
################################################################################################## 

################################################################################################## 

# Setup a few parameters 
$ErrorActionPreference = "Silentlycontinue" 
$ExecutionPolicyOriginal = Get-ExecutionPolicy 
$FireFoxExecutable = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" 

# This is the Firefox certificate database 
$CertDB = "Cert8.db" 

# The Certificate Nickname is a name you want to see on the certificates that you've imported in - so you know they were imported by this process 
# However, when you look at the certificates in Firefox, they will be listed under whatever the certificate name was when it was generated 
# So if your certificate is listed as 'Company123' when imported, it will still be called that as the Common Name, but when you click to view 
# it, you will see that the first item in the Certificate Fields is what you 'nicknamed' it. 
$CertificateNickname = "MyCompanyName FF AutoImport Cert" 

# The Legacy Certificates are specific/explicit certificates which you wish to delete (The 'purge' option later in the script references these items) 
$LegacyCertificates = @("OldCertificate1", "Company Cert XYZ", "Previous Company name", "Unwanted Certificate - 7", "123APTEST123") 

# This is the list of databases/Firefox profiles on the machine 
$FFDBList = @() 

# The local temporary directory that the certificates and CertUtil are copied to
$FFCertLocationLocal = "C:\FFCertTemp" 

# The remote location of the certificates and 
$FFCertLocationRemote = "\\myUNC\NETLOGON\FireFoxCert\" 

# The local CertUtil executable (this is copied from the remote location above) 
$FFCertTool = "$FFCertLocationLocal\CertUtil.exe" 

# Making sure our temporary directory is empty 
Remove-Item $FFCertLocationLocal -Recurse 
New-Item -ItemType Directory -Path $FFCertLocationLocal 

################################################################################################## 

################################################################################################## 


Clear 

# We're going to get a list of the Firefox processes on the machine that are open and close them 
# Otherwise the add/delete parts might not be successful with Firefox still running 
$FireFoxRunningProcessesList = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object ProcessName,Id | Format-Table -AutoSize 
$FireFoxRunningProcesses = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object -ExpandProperty Id 
If (!$FireFoxRunningProcesses) {} 
Else { 
Write-Host "The following processes will be stopped to perform certificate manipulation:" 
$FireFoxRunningProcessesList 
$TerminateProcessQuestion = Read-Host "To auto-terminate (ungracefully!) processes, press 'Y', otherwise, press any other key" 
If ($TerminateProcessQuestion -ne 'y') { 
Clear 
Write-Host "Cannot continue as Firefox process is still running, ending script ..." 
Exit} 
Else {ForEach ($FireFoxRunningProcess in $FireFoxRunningProcesses) { 
[Int]$FireFoxRunningProcess = [Convert]::ToInt32($FireFoxRunningProcess, 10) 
Stop-Process -Id $FireFoxRunningProcess -Force}} 
} 

################################################################################################## 

################################################################################################## 

# The remote files (certificates and the NSS Tools CertUtil files are copied locally) 
$FFCertificateListItemRemote = Get-ChildItem $FFCertLocationRemote -Recurse -Include *.cer,*.dll,certutil.exe 
ForEach ($FFCertificateItemRemote in $FFCertificateListItemRemote) { 
Copy-Item $FFCertificateItemRemote.FullName -Destination $FFCertLocationLocal} 

# Get a list of the local certificates 
$FFCertificateListLocal = Get-ChildItem $FFCertLocationLocal -Recurse -filter *.cer 

Clear 
Set-ExecutionPolicy "Unrestricted" 

# Find all Firefox profiles and create an array called FFDBList 
# Of course, you'll only be able to get to the ones your permissions allow 
$LocalProfiles = Get-ChildItem "C:\Users" | Select-Object -ExpandProperty FullName 
ForEach ($LocalProfile in $LocalProfiles) { 
$FFProfile = Get-ChildItem "$LocalProfile\AppData\Roaming\Mozilla\Firefox\Profiles" | Select-Object -ExpandProperty FullName 
If (!$FFProfile) {Write-Host "There is no Firefox Profile for $LocalProfile"} 
ELSE {$FFDBList += $FFProfile} 
} 

Clear 
Write-Host "#################################" 
Write-Host "The List of FireFox Profiles is:" 
Write-Host "#################################" 
$FFDBList 
PAUSE 

################################################################################################## 

################################################################################################## 

# Setup 4x functions (List, Delete, Add and Purge) 
# 
# - List will simply list certificates from the Firefox profiles 
# 
# - Delete will delete the certificates the same as the certificates you're going to add back in 
# So for example, if you have 2x certificates copied earlier for import, 'CompanyA' and 'CompanyZ' 
# then you can delete certificates with these names beforehand. This will prevent the 
# certificates you want to import being skipped/duplicated because they already exist 
# 
# - Add will simply add the list of certificates you've copied locally 
# 
# - Purge will allow you to delete 'other' certificates that you've manually listed in the 
# variable '$LegacyCertificates' at the top of the script 

# Each of the functions perform the same 4x basic steps 
# 
# 1) Do the following 3x things for each of the Firefox profiles 
# 2) Do the 2x following things for each of the certificates 
# 3) Generate an expression using parameters based on the certificate nickname specified 
# earlier, and the profile and certificate information
# 4) Invoke the expression 

Function ListCertificates { 
Write-Host "#############################" 
ForEach ($FFDBItem in $FFDBList) { 
$FFCertificateListItemFull = $FFCertificateListItem.FullName 
Write-Host "Listing Certificates for $FFDBitem" 
$ExpressionToListCerts = "$FFCertTool -L -d `"$FFDBItem`"" 
Invoke-Expression $ExpressionToListCerts 
} 
PAUSE} 

Function DeleteOldCertificates { 
Write-Host "#############################" 
ForEach ($FFDBItem in $FFDBList) { 
ForEach ($FFCertificateListItem in $FFCertificateListLocal) { 
$FFCertificateListItemFull = $FFCertificateListItem.FullName 
Write-Host "Deleting Cert $FFCertificateListItem for $FFDBitem" 
$ExpressionToDeleteCerts = "$FFCertTool -D -n `"$CertificateNickname`" -d `"$FFDBItem`"" 
Invoke-Expression $ExpressionToDeleteCerts 
}} 
PAUSE} 

Function AddCertificates { 
Write-Host "#############################" 
ForEach ($FFDBItem in $FFDBList) { 
ForEach ($FFCertificateListItem in $FFCertificateListLocal) { 
$FFCertificateListItemFull = $FFCertificateListItem.FullName 
Write-Host "Adding $FFCertificateListItem Cert for $FFDBitem" 
$ExpressionToAddCerts = "$FFCertTool -A -n `"$CertificateNickname`" -t `"CT,C,C`" -d `"$FFDBItem`" -i `"$FFCertificateListItemFull`"" 
Write-Host $ExpressionToAddCerts 
Invoke-Expression $ExpressionToAddCerts 
#PAUSE 
}} 
PAUSE} 

Function PurgeLegacyCertificates { 
Write-Host "#############################" 
ForEach ($FFDBItem in $FFDBList) { 
ForEach ($LegacyCertificateItem in $LegacyCertificates) { 
$LegacyCertificateItemFull = $LegacyCertificateItem.FullName 
Write-Host "Purging Old Certs ($LegacyCertificateItem) for $FFDBitem" 
#$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$OldCertificate`" -d `"$FFDBItem`"" 
$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$LegacyCertificateItem`" -d `"$FFDBItem`"" 
ForEach ($LegacyCertificate in $LegacyCertificates) { 
Invoke-Expression $ExpressionToDeleteLegacyCerts} 
}} 
PAUSE} 

################################################################################################## 

################################################################################################## 

# Creating a few options to invoke the various functions created above

$CertificateAction = "" 

Function CertificateActionSelection { 
Do { 
Clear 
$CertificateAction = Read-Host "Would you like to [L]ist all certificates [D]elete all old certificates, [A]dd new certificates, or [P]urge legacy certificates?" 
} Until ($CertificateAction -eq "L" -or $CertificateAction -eq "D" -or $CertificateAction -eq "A" -or $CertificateAction -eq "P") 

If ($CertificateAction -eq "L") {ListCertificates} 
If ($CertificateAction -eq "D") {DeleteOldCertificates} 
If ($CertificateAction -eq "A") {AddCertificates} 
If ($CertificateAction -eq "P") {PurgeLegacyCertificates} 
} 

Do { 
Clear 
$MoreCertificateActions = Read-Host "Would you like to [L]aunch Firefox (as $env:USERNAME), take a [C]ertificate action, or [Q]uit?" 
If ($MoreCertificateActions -eq "L") { 
Invoke-Item $FireFoxExecutable 
Exit} 
If ($MoreCertificateActions -eq "C") {CertificateActionSelection} 

} Until ($MoreCertificateActions -eq "Q") 

Remove-Item $FFCertLocationLocal -Recurse 
Set-ExecutionPolicy $ExecutionPolicyOriginal 

Exit

0

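Firefox now (since version 58) uses the SQLite database cert9.db instead of the legacy cert8.db. I have made a fix to a solution presented here to make it work with new versions of Firefox: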

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
# Add the CA to every cert9.db found in the user's profiles (paths may contain spaces)
find ~/.mozilla* ~/.thunderbird -name "cert9.db" -print0 |
while IFS= read -r -d '' certDB
do
    certDir=$(dirname "${certDB}")
    #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
    certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "sql:${certDir}"
done
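
An added example (not part of any answer above) that merges the cert8.db and cert9.db loops: it picks the `dbm:` or `sql:` prefix per profile and skips a profile where the nickname is already listed, so a repeated run neither fails nor adds a second entry. The function names and the sample listing are constructed for illustration; only `certutil -L` and `certutil -A` from the answers are used.

```shell
# Added example, not from the original answers; function names are hypothetical.

# Print the -d argument for one profile directory: "sql:DIR" when cert9.db
# exists (Firefox 58+), "dbm:DIR" for a legacy cert8.db, status 1 otherwise.
nss_db_arg() {
    if [ -f "$1/cert9.db" ]; then printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then printf 'dbm:%s\n' "$1"
    else return 1
    fi
}

# Read `certutil -L` output on stdin; print the trust attributes of the entry
# whose nickname is exactly $1, or return 1 when there is no such entry.
trust_of() {
    awk -v want="$1" '
        NF >= 2 {
            trust = $NF; nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick); sub(/^[ \t]+/, "", nick)
            if (nick == want) { print trust; found = 1; exit }
        }
        END { exit !found }'
}

# Add CA file $2 as nickname $3 with trust $4 to profile $1, unless an entry
# with that nickname already exists. The listing is re-read to confirm the add.
install_ca() {
    local db current
    db=$(nss_db_arg "$1") || { echo "no NSS database in $1" >&2; return 2; }
    if current=$(certutil -L -d "$db" | trust_of "$3"); then
        echo "'$3' already in $db (trust $current), skipped" >&2; return 0
    fi
    certutil -A -n "$3" -t "$4" -i "$2" -d "$db" &&
        certutil -L -d "$db" | trust_of "$3" >/dev/null
}

# Constructed sample of `certutil -L` output (entry taken from the page).
SAMPLE_LISTING='
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
my company Ltd                               CT,C,C'

# Driver: runs only when a CA file is given as the first argument.
if [ -n "${1:-}" ]; then
    find ~/.mozilla ~/.thunderbird \( -name cert8.db -o -name cert9.db \) \
        -exec dirname {} \; 2>/dev/null | sort -u |
    while IFS= read -r dir; do
        install_ca "$dir" "$1" "${2:-MyCA Name}" "${3:-CT,C,C}"
    done
fi
```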