5

I am trying to use certutil to add a client certificate to the Firefox DB. The purpose of this certificate is to authenticate with a server: the server asks for credentials, and this certificate contains the credentials.

certutil -A -n "My Certificate" -d /myfirefoxprofile/ -t "CT,," -a -i /mycertificate.pfx 

However, this gives me the error:

certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.

Am I doing something obviously wrong?

This is on Ubuntu 10.10.

Derek Ekins
  • Why not import the certificate using the Firefox GUI? – harrymc Nov 12 '10 at 17:33
  • I have had to tackle this before... it's way easier to require a user to run a certificate generation and import script (click here, or bundle it in an installer) to identify themselves to a web-app than it is to have a 10+ click, 2 page installation document with screenshots – RobotHumans Nov 12 '10 at 17:51

2 Answers

4

It looks like you need to convert PFX to PEM... directions with openssl switches are here: http://support.citrix.com/article/CTX106028

To be clear, as evidently somehow I was confusing:

Convert from PFX to PEM, then rerun your import command with the new file (edit: and the modified options below). It looks to me like the Firefox cert import is choking on the PFX file type (edit: and the appropriate import options were not specified). The directions linked to are not for Firefox import, but for certificate conversion.

Additional edit after question edit:

The -t needs the u option to be used as a client certificate. The -u flag needs the C option... certutil flags are documented here: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

You may also want to look here: http://www.phocean.net/2008/11/16/how-to-stop-firefox-from-prompting-for-the-client-certificate.html as the browser may prompt on using the certificate.

certutil -A -n "My Certificate" -d /myfirefoxprofile/ -t "CTu,," -u "c" -a -i /mycertificate.pem

should do it.

RobotHumans
1

Here's how I imported a client certificate into an empty Firefox profile:

# convert pem and key file into a pkcs12
openssl pkcs12 -export -in /path/my-cert.pem -inkey /path/my-cert.key -out /tmp/my-cert.p12

# create empty directory
mkdir /tmp/empty_profile

# populate dir with certificate databases
certutil -N -d sql:/tmp/empty_profile

# import p12 file into database (same file the export step wrote above)
pk12util -d sql:/tmp/empty_profile -i /tmp/my-cert.p12 -n my-cert-nickname
schmudu
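The following script is an added example; it is not code from the question or from either answer. It strings together what the two answers describe (RobotHumans's PFX/PEM conversion step and schmudu's openssl -> certutil -N -> pk12util sequence) and goes a little further: it checks the input file's format before choosing an importer, so a .pfx is never handed to certutil -A (a .pfx/.p12 is a PKCS#12 container rather than a bare certificate, which is why certutil -A reports "improperly formatted DER-encoded message" on it), and after the import it confirms that the private key is actually in the database, because a client certificate without its key cannot answer the server's authentication challenge. It assumes openssl, certutil and pk12util (Debian/Ubuntu package libnss3-tools) are installed and that the profile's database has an empty password, as a fresh Firefox profile does. The function names, the nickname client-cert and every path are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Imports a client
# certificate together with its private key into an NSS database such as a
# Firefox profile directory, then checks that both landed. Assumes openssl,
# certutil and pk12util (libnss3-tools) are installed. All paths and the
# nickname "client-cert" are placeholders.
#
# certutil -A stores a certificate only; the key has to come in via pk12util,
# which reads a PKCS#12 (.p12/.pfx) bundle holding both.

# "sql:" selects the cert9.db format used by current Firefox; set
# NSS_DB_PREFIX= (empty) for a legacy cert8.db profile.
NSS_DB_PREFIX=${NSS_DB_PREFIX:-sql:}

# Classify an input file so the right importer is chosen.
# Prints one of: pem, pkcs12, der, unknown (and returns 1 for unknown).
detect_cert_format() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    if grep -q -e '-----BEGIN' "$f" 2>/dev/null; then
        echo pem                      # base64 PEM: what "certutil -A -a" expects
        return 0
    fi
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then      # 0x30 = ASN.1 SEQUENCE, i.e. binary DER
        case "$f" in                  # PKCS#12 is DER too; tell it apart by suffix
            *.pfx|*.p12|*.PFX|*.P12) echo pkcs12 ;;
            *) echo der ;;
        esac
        return 0
    fi
    echo unknown
    return 1
}

# Build a PKCS#12 bundle from a PEM certificate and key (schmudu's first step).
# -name sets the friendlyName, which NSS uses as the nickname on import.
build_p12() {
    cert=$1; key=$2; out=$3; nick=$4; pass=${5:-}
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -out "$out" -passout "pass:$pass"
}

# Import $2 (PKCS#12) into the NSS database directory $1, creating it if it
# does not exist, and verify that the certificate and its key are present.
# P12_PASSWORD holds the bundle password (empty if it has none).
import_client_cert() {
    db=$1; p12=$2; nick=$3
    for tool in certutil pk12util; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    [ "$(detect_cert_format "$p12" || true)" = pkcs12 ] \
        || { echo "$p12: not a PKCS#12 file; convert it first" >&2; return 3; }
    mkdir -p "$db"
    if [ ! -e "$db/cert9.db" ] && [ ! -e "$db/cert8.db" ]; then
        # empty database password, like a fresh Firefox profile
        certutil -N -d "$NSS_DB_PREFIX$db" --empty-password
    fi
    pk12util -d "$NSS_DB_PREFIX$db" -i "$p12" -W "${P12_PASSWORD:-}" || return 4
    # Verification: the certificate exists under its nickname, and certutil -K
    # shows a private key for the same nickname.
    certutil -L -d "$NSS_DB_PREFIX$db" -n "$nick" >/dev/null 2>&1 \
        || { echo "certificate $nick not found" >&2; return 5; }
    certutil -K -d "$NSS_DB_PREFIX$db" 2>/dev/null | grep -q -e "$nick" \
        || { echo "no private key for $nick" >&2; return 6; }
    echo "imported $nick into $db"
}

# Runs only when called with arguments, so the file can also be sourced:
#   sh import_client_cert.sh /path/to/firefox/profile /path/my-cert.p12 client-cert
if [ $# -ge 2 ]; then
    import_client_cert "$1" "$2" "${3:-client-cert}"
fi
```

If the certificate and key are still separate PEM files, call build_p12 first (it sets the PKCS#12 friendlyName, which is what NSS shows as the nickname), then import_client_cert on the result; point it at a copy of the profile while Firefox is closed, since the browser holds the database open.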