Mozilla based stuff

Your certificate of authority

To let your users reach your “https” services without the big warning, you can install your CA certificate in Firefox and Thunderbird. This is done with certutil, from the libnss3-tools package. The basic commands you need are the following (note that the application must not be running):

To check whether a certificate is installed (our certificate is nicknamed “Tchetch CA”):

$ certutil -L -n "Tchetch CA" -d /home/tchetch/.mozilla/firefox/xxxxxxxx.default/

This command returns 0 if the certificate is installed and a non-zero value if it is not.

Now, to install your certificate (with these trust flags it can be used for everything; see the documentation: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html):

$ certutil -A -n "Tchetch CA" -d /home/tchetch/.mozilla/firefox/xxxxxxxx.default/ -i tchetchCA.crt -t "CT,C,C"

Again, it returns 0 on success and a non-zero value on failure.

So now we can build a script that does this for each user (note that this also works with Windows profiles, but the user must be logged off so that the profile has gone back to the server; otherwise it will be overwritten).

#!/bin/bash
# (c) Etienne Bagnoud <tchetch@i-james.com>, 2009 (Under GPL stuff)
# Add certificate if not present for a Mozilla directory
# $1 is the cert?.db file found by find; its directory is the NSS database.

DIR=$(dirname "$1")
echo "Database found in $(pwd)"
# certutil -L exits non-zero when the nickname is not in the database
if ! certutil -L -n "Tchetch CA" -d "$DIR/" > /dev/null 2>&1; then
        echo -n "Adding certificate to $DIR ..."
        # Same nickname as the check above, so later runs find it
        if certutil -A -n "Tchetch CA" -t "CT,C,C" -d "$DIR/" -i /usr/local/certs/IRO.crt > /dev/null 2>&1; then
                echo " OK"
        else
                echo " Failed"
        fi
fi
exit 0

By itself this script does nothing; you run it through find (findutils):

$  sudo find /home/ -name 'cert?.db' -execdir bash /usr/local/certs/bin/mozillaProfiles.sh {} +

So every directory that contains a manageable database will have your root certificate installed, whether you use Firefox, Thunderbird, Epiphany or Iceweasel… Every Mozilla NSS-based application will trust your root certificate… Nice!

Now you can run this on your Samba server where the Windows profiles are stored, and your certificate authority is deployed to all your users!
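Because the script discards certutil's output and always exits 0, an audit pass after deployment is useful. The following is an added example, not part of the original page: it parses a `certutil -L -d <dir>` listing to confirm the trust flags of “Tchetch CA” and to list any other certificate trusted as a CA for TLS servers. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit trust flags in a `certutil -L -d <profile>` listing.

# Constructed sample of the listing format (not real output from any profile).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Tchetch CA                                                   CT,C,C
Old Proxy CA                                                 C,,
mail.example.org                                             ,,
EOF
}

# Read a listing on stdin, print "flags<TAB>nickname" per certificate.
# The last column is the trust triple; the nickname may contain spaces.
list_trust() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # strip padding and flags column
        printf "%s\t%s\n", flags, $0
    }'
}

# Print the trust flags of nickname $1; exit status 1 if it is absent.
trust_of() {
    list_trust | awk -F'\t' -v n="$1" \
        '$2 == n { print $1; found = 1 } END { exit !found }'
}

# Print nicknames other than $1 that are trusted CAs for TLS servers
# (uppercase C in the SSL field).
unexpected_cas() {
    list_trust | awk -F'\t' -v n="$1" \
        '{ split($1, f, ",") } f[1] ~ /C/ && $2 != n { print $2 }'
}

# Usage: audit.sh <profile-dir>   (audits a real NSS database)
if [ -n "${1:-}" ]; then
    listing=$(certutil -L -d "$1") || exit 2
    flags=$(printf '%s\n' "$listing" | trust_of "Tchetch CA") \
        || { echo "$1: Tchetch CA missing"; exit 1; }
    [ "$flags" = "CT,C,C" ] || echo "$1: unexpected trust '$flags'"
    printf '%s\n' "$listing" | unexpected_cas "Tchetch CA" |
        while IFS= read -r n; do echo "$1: extra trusted CA: $n"; done
fi
```

It can be driven by the same find command as the deployment script, passing the directory of each database instead of installing anything.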

 
office/mozilla.txt · Last modified: 2009/05/05 15:55 by tchetch
 