Deploy root certificate to Firefox on Mac OS X

Question

I want to know how to deploy a root certificates for the Firefox on Mac OS X. I've found some solutions to do it on Windows and it works like a charm. Now I want to do the same on Mac OS X. we have many clients with this OS and it would be very wasteful if we have to do it manually on the clients. I'm looking for a solution where I don't have to make any user inputs an the machine.

I've found the OS X alternative to certutil -> security but with security I can only add the certificate to the keychain. It seems like that Firefox don't use the keyhain to check the certificates.

How can I add the certificate to the user specific cert-store?

Just for those stumbling here via a search and trying to add a root CA to the system store on macOS: ````sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ca.crt```` will do the trick from the command line — , Nov 12 '18 at 02:56

score 6 · Answer 1 · answered Oct 22 '18 at 20:34

6

Starting Firefox 63, you can set security.enterprise_roots.enabled to true (via about:config) to configure Firefox to use OS Keychain for trusted root certificates store.

This will not be back-ported to Firefox 60 ESR.

For additional information, see this bug report 1300420

answered Oct 22 '18 at 20:34

cantonese

61
1
1

This works, is easy and above all CLEAN – Nov 12 '18 at 02:47

score 5 · Answer 2 · edited Oct 02 '19 at 13:16

5

Firefox uses its own certificate-storage. So if you add a certificate to one firefox you should be able to determine the changed file(s) inside the users firefox-profile and deploy them to every other user. Alternatively find the main certificate store inside the Firefox.app and replace that with a certificate store containing your root cert.

UPDATE

The file you are interested in is ~/Library/Application Support/Firefox/Profiles/[profile-id]/cert8.db. Have a look at https://sadique.io/blog/2012/06/05/managing-security-certificates-from-the-console-on-windows-mac-os-x-and-linux/ for more informations. Scroll down to the Firefox-section.

The downside on that approach is that the user might loose already added root-certificates.

edited Oct 02 '19 at 13:16

Nicolas Martignoni

3
1
4

answered Jul 20 '13 at 11:18

heiglandreas

1,391
9
9

That link is now dead. – Jouni K. Seppänen Jun 22 '15 at 11:48
@JouniK.Seppänen - Thanks for informing: I've updated the link ;) – heiglandreas Jun 22 '15 at 12:03
Hello @JouniK.Seppänen, I am the author of the blog post. I moved my blog's address and the article is currently at http://sdqali.in/blog/2012/06/05/managing-security-certificates-from-the-console---on-windows-mac-os-x-and-linux/ – sdqali Jul 03 '16 at 18:51
1

Easier is the answer from @cantonese, super easy, clean and makes firefox use the system certificates. – Nov 12 '18 at 02:50

score 0 · Answer 3 · answered May 05 '16 at 18:48

0

Spend a half day, however, solve the problem!

The link in the previous answer to the deleted blog record suggests to replace cert8.db with premade one - it is very bad idea as user will lose all already accepted certificates.

Certificates have to be added to the cert8.db with use of NSS Tool - certutil.

And I successfully managed to build the latest version of NSS Tool 3.23 on Mac OS - El Capitan You can download archive from my DropBox

Hope it would help to others

answered May 05 '16 at 18:48

Bryksin

101
3

1

FYI: `brew` now has it – A T Oct 05 '17 at 10:49
6

`brew` has certutil under the `nss` package – Just Jake Oct 05 '17 at 23:56

Deploy root certificate to Firefox on Mac OS X

3 Answers3