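Programmatically install a certificate into Mozilla
Is there a way to programmatically install a certificate into Mozilla? We're trying to script everything to eliminate deviations between environments, so installing it by hand through the Mozilla preferences does not suit our needs. I assume there is a way to do it with certutil, but I am not sure of Mozilla's internals, etc.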
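The easiest way is to import the certificate into a sample Firefox profile and then copy the cert8.db to the users you want to equip with the certificate.
First import the certificate by hand into the Firefox profile of the sample user. Then copy
- /home/${USER}/.mozilla/firefox/${randomalphanum}.default/cert8.db (Linux/Unix)
- %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db (Windows)
into the users' Firefox profiles. That's it. If you want to make sure that new users get the certificate automatically, copy cert8.db to:
- /etc/firefox-3.0/profile (Linux/Unix)
- %programfiles%\firefox-installation-folder\defaults\profile (Windows)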
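Here is an alternative way that doesn't override the existing certificates: [bash fragment for linux systems]

    certificateFile="MyCa.cert.pem"
    certificateName="MyCA Name"
    # Visit every cert8.db under the Firefox and Thunderbird profile trees;
    # -print0 / read -d '' keeps paths that contain spaces intact
    find ~/.mozilla* ~/.thunderbird -name "cert8.db" -print0 2>/dev/null |
    while IFS= read -r -d '' certDB
    do
      certDir=$(dirname "${certDB}")
      #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
      # -A adds the certificate under the given nickname to the database in certDir
      certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
    done

You can find certutil in the libnss3-tools package (debian/ubuntu).
See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil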
Just wanted to add to an old thread in the hope of helping other people. I needed to programmatically add a certificate to the Firefox database using a GPO; this is how I did it for Windows.
1. First, download and unzip the precompiled Firefox NSS nss-3.13.5-nspr-4.9.1-compiled-x86.zip
2. Manually add the certificate in Firefox: Options -> Advanced -> Certificates -> Authorities -> Import
3. From the downloaded NSS package, run

    certutil -L -d c:\users\[username]\appdata\roaming\mozilla\firefox\[profile].default

4. The above query will show the certificate name and trust attributes, e.g.

    my company Ltd CT,C,C

5. Delete the certificate added in step 2: Options -> Advanced -> Certificates -> Authorities -> Delete
6. Create a PowerShell script using the information from step 4, as follows. The script gets the user's profile path and adds the certificate. This only works if the user has one Firefox profile (the name of the user's Firefox profile folder needs to be retrieved somehow).

    #Script adds Radius Certificate to independent Firefox certificate store since the browser does not use the Windows built in certificate store

    #Get Firefox profile cert8.db file from users windows profile path
    $ProfilePath = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\"
    $ProfilePath = $ProfilePath + (Get-ChildItem $ProfilePath | ForEach-Object { $_.Name }).ToString()

    #Update firefox cert8.db file with Radius Certificate
    certutil -A -n "UK my company" -t "CT,C,C" -i CertNameToAdd.crt -d $ProfilePath

7. Create a GPO as a User Configuration to run the PowerShell script.
Hope that helps save someone time.
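Added example, not part of the original answers: the `certutil -L` listing from step 4 can also be used to audit which nicknames a profile trusts to issue TLS server certificates (flag `C` in the first, SSL, field of the trust string). The sample listing is constructed, and the function names and the allowlist file are assumptions.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <profile>` output (not from a real profile).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my company Ltd                                               CT,C,C
Example Intermediate CA                                      ,,
Websense Proxy Cert                                          TCu,TCu,TCu
alice@example.test                                           u,u,u
EOF
}

# Read a certutil -L listing on stdin and print "nickname<TAB>ssl-flags" for
# every entry that is a trusted CA for TLS server certificates.
list_tls_trust_anchors() {
  awk '
    # Data rows end in three comma-separated NSS flag sets; header rows do not.
    $NF ~ /^[pPcCTuwg]*,[pPcCTuwg]*,[pPcCTuwg]*$/ {
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
      sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
      split($NF, f, ",")                      # f[1]=SSL, f[2]=S/MIME, f[3]=JAR/XPI
      if (index(f[1], "C")) printf "%s\t%s\n", nick, f[1]
    }'
}

# Print trust anchors whose nickname is not in the allowlist file $1
# (one exact nickname per line).
unexpected_anchors() {
  list_tls_trust_anchors | cut -f1 | grep -Fxv -f "$1" || true
}

# Demo on the constructed listing: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample_listing | list_tls_trust_anchors
fi
```

Against a real profile the input would come from `certutil -L -d <profile directory>` instead of `sample_listing`.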
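On Windows 7 with Firefox 10, the cert8.db file is stored at %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\cert8.db. If you are an administrator, you can write a simple WMI application to copy the file to the user's respective folder.
Also, a solution that worked for me, from http://www.appdeploy.com/messageboards/tm.asp?m=52532&mpage=1&key=&#52532
- Copy CERTUTIL.EXE from the NSS zip file ( http://www.mozilla.org/projects/security/pki/nss/tools/ ) to C:\Temp\CertImport (I also placed the certificates I want to import there)
- Copy all the DLLs from the NSS zip file to C:\Windows\System32
- Create a BAT file in %Appdata%\mozilla\firefox\profiles with this script…

    Set FFProfdir=%Appdata%\mozilla\firefox\profiles
    Set CERTDIR=C:\Temp\CertImport
    REM List the profile folders (the BAT file runs from the profiles directory)
    DIR /A:D /B > "%Temp%\FFProfile.txt"
    REM usebackq lets the list file path be quoted, so a %Temp% containing spaces works
    FOR /F "usebackq tokens=*" %%i in ("%Temp%\FFProfile.txt") do (
    CD /d "%FFProfDir%\%%i"
    REM Keep a backup of the certificate database before changing it
    COPY cert8.db cert8.db.orig /y
    For %%x in ("%CertDir%\Cert1.crt") do "%Certdir%\certutil.exe" -A -n "Cert1" -i "%%x" -t "TCu,TCu,TCu" -d .
    For %%x in ("%CertDir%\Cert2.crt") do "%Certdir%\certutil.exe" -A -n "Cert2" -i "%%x" -t "TCu,TCu,TCu" -d .
    )
    DEL /f /q "%Temp%\FFProfile.txt"

- Execute the BAT file, with good results.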
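I had a similar issue on a client site, where the client required an authority certificate to be installed automatically for 2000+ Windows users.
I created the following .vbs script to import the certificate into the currently logged-on user's Firefox certificate store.
The script needs to be placed in the directory containing a working copy of certutil.exe (the NSS version), but it determines the location of the Firefox profile programmatically.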

    Option Explicit

    On error resume next

    Const DEBUGGING = true
    const SCRIPT_VERSION = 0.1
    Const EVENTLOG_WARNING = 2
    Const CERTUTIL_EXCUTABLE = "certutil.exe"
    Const ForReading = 1

    Dim strCertDirPath, strCertutil, files, slashPosition, dotPosition, strCmd, message
    Dim file, filename, filePath, fileExtension

    Dim WshShell : Set WshShell = WScript.CreateObject("WScript.Shell")
    Dim objFilesystem : Set objFilesystem = CreateObject("Scripting.FileSystemObject")
    Dim certificates : Set certificates = CreateObject("Scripting.Dictionary")
    Dim objCertDir
    Dim UserFirefoxDBDir
    Dim UserFirefoxDir
    Dim vAPPDATA
    Dim objINIFile
    Dim strNextLine,Tmppath,intLineFinder, NickName

    vAPPDATA = WshShell.ExpandEnvironmentStrings("%APPDATA%")
    strCertDirPath = WshShell.CurrentDirectory
    strCertutil = strCertDirPath & "\" & CERTUTIL_EXCUTABLE
    UserFirefoxDir = vAPPDATA & "\Mozilla\Firefox"
    NickName = "Websense Proxy Cert"

    Set objINIFile = objFilesystem.OpenTextFile( UserFireFoxDir & "\profiles.ini", ForReading)

    Do Until objINIFile.AtEndOfStream
        strNextLine = objINIFile.Readline

        intLineFinder = InStr(strNextLine, "Path=")
        If intLineFinder <> 0 Then
            Tmppath = Split(strNextLine,"=")
            UserFirefoxDBDir = UserFirefoxDir & "\" & replace(Tmppath(1),"/","\")
        End If
    Loop
    objINIFile.Close

    'output UserFirefoxDBDir

    If objFilesystem.FolderExists(strCertDirPath) And objFilesystem.FileExists(strCertutil) Then
        Set objCertDir = objFilesystem.GetFolder(strCertDirPath)
        Set files = objCertDir.Files

        For each file in files
            slashPosition = InStrRev(file, "\")
            dotPosition = InStrRev(file, ".")
            fileExtension = Mid(file, dotPosition + 1)
            filename = Mid(file, slashPosition + 1, dotPosition - slashPosition - 1)

            If LCase(fileExtension) = "cer" Then
                strCmd = chr(34) & strCertutil & chr(34) &" -A -a -n " & chr(34) & NickName & chr(34) & " -i " & chr(34) & file & chr(34) & " -t " & chr(34) & "TCu,TCu,TCu" & chr(34) & " -d " & chr(34) & UserFirefoxDBDir & chr(34)
                'output(strCmd)
                WshShell.Exec(strCmd)
            End If
        Next
        WshShell.LogEvent EVENTLOG_WARNING, "Script: " & WScript.ScriptFullName & " - version:" & SCRIPT_VERSION & vbCrLf & vbCrLf & message
    End If

    function output(message)
        If DEBUGGING Then
            Wscript.echo message
        End if
    End function

    Set WshShell = Nothing
    Set objFilesystem = Nothing

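Added example, not part of the original answers: the profiles.ini lookup from the VBS script above, written for the shell and generalised to return every profile listed in the file, followed by an import that skips profiles already holding the nickname. The function names are assumptions, and the trust string `C,,` (trusted to issue TLS server certificates only) is chosen here as a narrower alternative to the strings used in the answers.

```shell
#!/bin/sh
# Print the absolute directory of every [ProfileN] entry in <firefox_dir>/profiles.ini.
firefox_profile_dirs() {
  awk -v base="$1" '
    function emit() {
      # IsRelative=0 means Path is already absolute; otherwise it is relative to base
      if (path != "") print (rel == "0" ? path : base "/" path)
      path = ""; rel = "1"
    }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^\[/ { emit(); in_profile = ($0 ~ /^\[Profile[0-9]+\]$/); next }
    in_profile && /^Path=/       { path = substr($0, 6) }
    in_profile && /^IsRelative=/ { rel = substr($0, 12) }
    END { emit() }
  ' "$1/profiles.ini"
}

# install_ca <firefox_dir> <nickname> <pem_file>
# Adds the CA to each profile that has a cert8.db and does not yet hold the nickname.
install_ca() {
  firefox_profile_dirs "$1" | while IFS= read -r dir; do
    [ -f "$dir/cert8.db" ] || continue                          # no legacy NSS db here
    certutil -L -n "$2" -d "$dir" >/dev/null 2>&1 && continue   # nickname already present
    certutil -A -n "$2" -t "C,," -i "$3" -d "$dir" || echo "import failed: $dir" >&2
  done
}
```

Profiles created by current Firefox releases keep certificates in cert9.db, which certutil addresses as `-d sql:<profile directory>`; the check above covers only the cert8.db layout this page describes.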
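I was trying to achieve the same thing in PowerShell and wrote a script to perform various functions which can be selected interactively. Of course, it's fairly easy to modify the script to automate certain things rather than offer options.
I'm an infrastructure guy rather than a coder/programmer, so apologies if it's a bit cumbersome, but it does work!
Save the following as a PS1: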

    ##################################################################################################
    #
    # NAME: RegisterFireFoxCertificates.ps1
    #
    # AUTHOR: Andy Pyne
    #
    # DATE : 22.07.2015
    #
    # COMMENT: To provide options for listing, adding, deleting and purging
    # FireFox Certificates using Mozilla's NSS Util CertUtil
    # Source: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
    #
    # NOTE: You need a copy of the NSS Util CertUtil and its associated DLLs
    # The specific files I used were:
    #
    # certutil.exe, fort32.dll, freebl3.dll, libnspr4.dll, libplc4.dll, libplds4.dll, nspr4.dll,
    # nss3.dll, nssckbi.dll, nssdbm3.dll, nssutil3.dll, plc4.dll, plds4.dll, smime3.dll,
    # softokn3.dll, sqlite3.dll, ssl3.dll, swft32.dll
    #
    ##################################################################################################

    ##################################################################################################

    # Setup a few parameters
    $ErrorActionPreference = "Silentlycontinue"
    $ExecutionPolicyOriginal = Get-ExecutionPolicy
    $FireFoxExecutable = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"

    # This is the Firefox certificate database
    $CertDB = "Cert8.db"

    # The Certificate Nickname is a name you want to see on the certificates that you've imported in - so you know they were imported by this process
    # However, when you look at the certificates in Firefox, they will be listed under whatever the certificate name was when it was generated
    # So if your certificate is listed as 'Company123' when imported, it will still be called that as the Common Name, but when you click to view
    # it, you will see that the first item in the Certificate Fields is what you 'nicknamed' it.
    $CertificateNickname = "MyCompanyName FF AutoImport Cert"

    # The Legacy Certificates are specific/explicit certificates which you wish to delete (The 'purge' option later in the script references these items)
    $LegacyCertificates = @("OldCertificate1", "Company Cert XYZ", "Previous Company name", "Unwanted Certificate - 7", "123APTEST123")

    # This is the list of databases / Firefox profiles on the machine
    $FFDBList = @()

    # Making sure our temporary directory is empty
    $FFCertLocationLocal = "C:\FFCertTemp"

    # The remote location of the certificates and
    $FFCertLocationRemote = "\\myUNC\NETLOGON\FireFoxCert\"

    # The local CertUtil executable (this is copied from the remote location above)
    $FFCertTool = "$FFCertLocationLocal\CertUtil.exe"

    # Making sure our temporary directory is empty
    Remove-Item $FFCertLocationLocal -Recurse
    New-Item -ItemType Directory -Path $FFCertLocationLocal

    ##################################################################################################

    ##################################################################################################

    Clear

    # We're going to get a list of the Firefox processes on the machine that are open and close them
    # Otherwise the add/delete parts might not be successful with Firefox still running
    $FireFoxRunningProcessesList = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object ProcessName,Id | Format-Table -AutoSize
    $FireFoxRunningProcesses = Get-Process | Where-Object {$_.Name -Match "FireFox"} | Select-Object -ExpandProperty Id
    If (!$FireFoxRunningProcesses) {}
    Else {
        Write-Host "The following processes will be stopped to perform certificate manipulation:"
        $FireFoxRunningProcessesList
        $TerminateProcessQuestion = Read-Host "To auto-terminate (ungracefully!) processes, press 'Y', otherwise, press any other key"
        If ($TerminateProcessQuestion -ne 'y') {
            Clear
            Write-Host "Cannot continue as Firefox process is still running, ending script ..."
            Exit
        } Else {
            ForEach ($FireFoxRunningProcess in $FireFoxRunningProcesses) {
                [Int]$FireFoxRunningProcess = [Convert]::ToInt32($FireFoxRunningProcess, 10)
                Stop-Process -Id $FireFoxRunningProcess -Force
            }
        }
    }

    ##################################################################################################

    ##################################################################################################

    # The remote files (certificates and the NSS Tools CertUtil files are copied locally)
    $FFCertificateListItemRemote = Get-ChildItem $FFCertLocationRemote -Recurse -Include *.cer,*.dll,certutil.exe
    ForEach ($FFCertificateItemRemote in $FFCertificateListItemRemote) {
        Copy-Item $FFCertificateItemRemote.FullName -Destination $FFCertLocationLocal
    }

    # Get a list of the local certificates
    $FFCertificateListLocal = Get-ChildItem $FFCertLocationLocal -Recurse -filter *.cer

    Clear
    Set-ExecutionPolicy "Unrestricted"

    # Find all Firefox profiles and create an array called FFDBList
    # Of course, you'll only be able to get to the ones your permissions allow
    $LocalProfiles = Get-ChildItem "C:\Users" | Select-Object -ExpandProperty FullName
    ForEach ($LocalProfile in $LocalProfiles) {
        $FFProfile = Get-ChildItem "$LocalProfile\AppData\Roaming\Mozilla\Firefox\Profiles" | Select-Object -ExpandProperty FullName
        If (!$FFProfile) {Write-Host "There is no Firefox Profile for $LocalProfile"}
        ELSE {$FFDBList += $FFProfile}
    }

    Clear
    Write-Host "#################################"
    Write-Host "The List of FireFox Profiles is:"
    Write-Host "#################################"
    $FFDBList
    PAUSE

    ##################################################################################################

    ##################################################################################################

    # Setup 4x functions (List, Delete, Add and Purge)
    #
    # - List will simply list certificates from the Firefox profiles
    #
    # - Delete will delete the certificates the same as the certificates you're going to add back in
    #   So for example, if you have 2x certificates copied earlier for import, 'CompanyA' and 'CompanyZ'
    #   then you can delete certificates with these names beforehand. This will prevent the
    #   certificates you want to import being skipped/duplicated because they already exist
    #
    # - Add will simply add the list of certificates you've copied locally
    #
    # - Purge will allow you to delete 'other' certificates that you've manually listed in the
    #   variable '$LegacyCertificates' at the top of the script

    # Each of the functions perform the same 4x basic steps
    #
    # 1) Do the following 3x things for each of the Firefox profiles
    # 2) Do the 2x following things for each of the certificates
    # 3) Generate an expression using parameters based on the certificate nickname specified
    #    earlier, and the profile and certificate information
    # 4) Invoke the expression

    Function ListCertificates {
        Write-Host "#############################"
        ForEach ($FFDBItem in $FFDBList) {
            $FFCertificateListItemFull = $FFCertificateListItem.FullName
            Write-Host "Listing Certificates for $FFDBitem"
            $ExpressionToListCerts = "$FFCertTool -L -d `"$FFDBItem`""
            Invoke-Expression $ExpressionToListCerts
        }
        PAUSE
    }

    Function DeleteOldCertificates {
        Write-Host "#############################"
        ForEach ($FFDBItem in $FFDBList) {
            ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
                $FFCertificateListItemFull = $FFCertificateListItem.FullName
                Write-Host "Deleting Cert $FFCertificateListItem for $FFDBitem"
                $ExpressionToDeleteCerts = "$FFCertTool -D -n `"$CertificateNickname`" -d `"$FFDBItem`""
                Invoke-Expression $ExpressionToDeleteCerts
            }
        }
        PAUSE
    }

    Function AddCertificates {
        Write-Host "#############################"
        ForEach ($FFDBItem in $FFDBList) {
            ForEach ($FFCertificateListItem in $FFCertificateListLocal) {
                $FFCertificateListItemFull = $FFCertificateListItem.FullName
                Write-Host "Adding $FFCertificateListItem Cert for $FFDBitem"
                $ExpressionToAddCerts = "$FFCertTool -A -n `"$CertificateNickname`" -t `"CT,C,C`" -d `"$FFDBItem`" -i `"$FFCertificateListItemFull`""
                Write-Host $ExpressionToAddCerts
                Invoke-Expression $ExpressionToAddCerts
                #PAUSE
            }
        }
        PAUSE
    }

    Function PurgeLegacyCertificates {
        Write-Host "#############################"
        ForEach ($FFDBItem in $FFDBList) {
            ForEach ($LegacyCertificateItem in $LegacyCertificates) {
                $LegacyCertificateItemFull = $LegacyCertificateItem.FullName
                Write-Host "Purging Old Certs ($LegacyCertificateItem) for $FFDBitem"
                #$ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$OldCertificate`" -d `"$FFDBItem`""
                $ExpressionToDeleteLegacyCerts = "$FFCertTool -D -n `"$LegacyCertificateItem`" -d `"$FFDBItem`""
                ForEach ($LegacyCertificate in $LegacyCertificates) {
                    Invoke-Expression $ExpressionToDeleteLegacyCerts
                }
            }
        }
        PAUSE
    }

    ##################################################################################################

    ##################################################################################################

    # Creating a few options to invoke the various functions created above

    $CertificateAction = ""

    Function CertificateActionSelection {
        Do {
            Clear
            $CertificateAction = Read-Host "Would you like to [L]ist all certificates [D]elete all old certificates, [A]dd new certificates, or [P]urge legacy certificates?"
        } Until ($CertificateAction -eq "L" -or $CertificateAction -eq "D" -or $CertificateAction -eq "A" -or $CertificateAction -eq "P" )

        If ($CertificateAction -eq "L") {ListCertificates}
        If ($CertificateAction -eq "D") {DeleteOldCertificates}
        If ($CertificateAction -eq "A") {AddCertificates}
        If ($CertificateAction -eq "P") {PurgeLegacyCertificates}
    }

    Do {
        Clear
        $MoreCertificateActions = Read-Host "Would you like to [L]aunch Firefox (as $env:USERNAME), take a [C]ertificate action, or [Q]uit?"
        If ($MoreCertificateActions -eq "L") {
            Invoke-Item $FireFoxExecutable
            Exit
        }
        If ($MoreCertificateActions -eq "C") {CertificateActionSelection}
    } Until ($MoreCertificateActions -eq "Q")

    Remove-Item $FFCertLocationLocal -Recurse
    Set-ExecutionPolicy $ExecutionPolicyOriginal

    Exit