10

I want to know how to deploy a root certificates for the Firefox on Mac OS X. I've found some solutions to do it on Windows and it works like a charm. Now I want to do the same on Mac OS X. we have many clients with this OS and it would be very wasteful if we have to do it manually on the clients. I'm looking for a solution where I don't have to make any user inputs an the machine.

I've found the OS X alternative to certutil -> security but with security I can only add the certificate to the keychain. It seems like that Firefox don't use the keyhain to check the certificates.

How can I add the certificate to the user specific cert-store?

Nalaka526
  • 1,624
Michael Walter
  • 271

3 Answers3

7

Starting Firefox 63, you can set security.enterprise_roots.enabled to true (via about:config) to configure Firefox to use OS Keychain for trusted root certificates store.

This will not be back-ported to Firefox 60 ESR.

For additional information, see this bug report 1300420

cantonese
  • 71
5

Firefox uses its own certificate-storage. So if you add a certificate to one firefox you should be able to determine the changed file(s) inside the users firefox-profile and deploy them to every other user. Alternatively find the main certificate store inside the Firefox.app and replace that with a certificate store containing your root cert.

UPDATE

The file you are interested in is ~/Library/Application Support/Firefox/Profiles/[profile-id]/cert8.db. Have a look at https://sadique.io/blog/2012/06/05/managing-security-certificates-from-the-console-on-windows-mac-os-x-and-linux/ for more informations. Scroll down to the Firefox-section.

The downside on that approach is that the user might loose already added root-certificates.

Nicolas Martignoni
  • 3
heiglandreas
  • 1,451
0

Spend a half day, however, solve the problem!

The link in the previous answer to the deleted blog record suggests to replace cert8.db with premade one - it is very bad idea as user will lose all already accepted certificates.

Certificates have to be added to the cert8.db with use of NSS Tool - certutil.

And I successfully managed to build the latest version of NSS Tool 3.23 on Mac OS - El Capitan You can download archive from my DropBox

Hope it would help to others

Bryksin
  • 101