Add certificate authorities system-wide on Firefox


I want to add some root CAs that don’t come with the default Firefox on Ubuntu, but I don’t know how.

I tried adding them to the local certificates with certutil, but it didn’t work. It messed up my certificates database.

$ certutil -A -d .mozilla/firefox/kek3dogy.default/ -i /usr/local/share/ca-certificates/FNMT_ACRAIZ.crt -n "Certificado Raiz FNMT" -t "TCu,Cuw,Tuw"
$ certutil -L -d .mozilla/firefox/kek3dogy.default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority                      ,,   
VeriSign Class 3 Secure Server CA - G3                       ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
DigiCert High Assurance CA-3                                 ,,   
GlobalSign Domain Validation CA - G2                         ,,   
GeoTrust SSL CA                                              ,,   
StartCom Class 2 Primary Intermediate Server CA              ,,   
Google Internet Authority                                    ,,   
Certificado Raiz FNMT                                        CT,C,c
USERTrust Legacy Secure Server CA                            ,,   
HP Jetdirect 2B0EAD20                                        ,,   
Akamai Subordinate CA 3                                      ,,   
VeriSign, Inc.                                               ,,   
Thawte SGC CA                                                ,,   
VeriSign Class 3 Secure Server CA - G2                       ,,

The certificate won’t show up on Firefox. I tried this several times, even deleting the profile, and it showed up once on the Firefox interface, but completely empty.

Add certificate authorities system-wide on Firefox

To do this download the certificate and save it to your hard disk or launch it from the current place.

If you have launched the certificate file, you will see the «Downloading Certificate» window (see the next step).

If you have saved the certificate to the hard disk, go to the Options menu and select Privacy & Security. Go to the Certificates section and click the «View Certificates» button.


Find the saved certificate file on the hard disk and click the «Open» button.


In the Downloading Certificate window it is necessary to select for what purposes you trust the certificate.


Select all of the checkboxes presented and click the «OK» button.


To check whether you did everything correctly, select the Authorities tab in the Certificate Manager window; at the end of the list you should find the root certificate you have just installed.

Select it and click on «View».


Verify that the certificate is valid and that its validity period ends 03/10/2035.


Close all windows and check that the certificate is working by establishing a secure connection with the website.


  1. Go to the Windows CA server, in my case https://ca.example.com/certsrv/.
  2. Select ‘Download a CA certificate, certificate chain, or CRL’.
  3. Select DER and ‘Download CA certificate’.
  4. This will download a certnew.cer file.
  5. Convert the certificate to the proper format with openssl. We can do this step on either Windows or Linux; in the sample below we will use our Windows system:
  6. We must now get the contents of this ca-example-com.crt file copied to our Linux VM. At this point the certificate is in a text format, so I chose to create a new file and paste in the contents. For example:
  7. We must now change the permissions of the file such that the owner has read/write and all other users can read. We will do this with the following command:
  8. Now that the certificate is in the proper location, format, and permissions, we’ll run the update process:

From here we could test and confirm that our certificate is properly installed on the system by trying to access a site using this cert. For example: wget https://vc1.example.com

This should no longer return text similar to Unable to locally verify the issuer's authority.

Next we need to update Firefox to trust this root certificate as well. We will do this by creating a custom Firefox policy on the system. To begin, create a policy file with a text editor, for example: sudo nano /usr/lib/firefox/distribution/policies.json

The next time you start Firefox, this root certificate will be trusted and you should no longer receive warnings when browsing your internal sites.


Due to sanctions, many foreign services refuse to issue or renew security certificates for sites in the RU domain. Possibly this is simply because payment for the certificate cannot be made. On top of that there remains a risk that already issued certificates will be revoked, though it is not clear why anyone would revoke them when they go stale on their own within a year.

As a result, many institutions are moving to certificates issued by the Ministry of Digital Development, Communications and Mass Media of the Russian Federation. So far the certificates are issued only to legal entities, and the process is not quick. At the moment 4883 certificates have been issued.

And this is where a small but very big problem arises. The Ministry's root certificate is not supported by ordinary browsers, so sites with such a certificate will not open.

Setting up Russian certificates on different operating systems:

  • Windows: support for sites with Russian certificates
  • MacOS: support for sites with Russian certificates
  • iOS: support for sites with Russian certificates
  • Android: support for sites with Russian certificates
  • Red Hat Enterprise Linux: support for sites with Russian certificates

Installing the Russian Trusted Root CA root certificate on Windows

Download the root certificate here:

Unpack it. Inside are two files:

  • rootca_ssl_rsa2022.cer: the root certificate.
  • rootca_ssl_rsa2022.cer.detached.sig: the detached signature of the root certificate; we will not need it.

Right-click rootca_ssl_rsa2022.cer and choose «Install certificate».

To apply the certificate for all users of the computer, select «Local computer», then Next.

OK. Reboot the computer.

If you open the local computer's certificates snap-in, you will see the new Russian Trusted Root CA certificate under Trusted Root Certification Authorities.

Sites with certificates issued by the Ministry will now open in all browsers except Mozilla Firefox: that browser has its own certificate store, so the root certificate has to be added through the browser settings.

Installing the Russian Trusted Root CA root certificate in Mozilla Firefox

Launch Mozilla Firefox. Open the security settings:

about:preferences#privacy

Tick both trust checkboxes. OK.

Sites with certificates issued by the Ministry will now open in Mozilla Firefox.

More

Certificates and installation instructions for Android, iOS, MacOS and Windows can be found here:

Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?


asked Oct 28, 2011 at 18:01


  1. sudo mkdir /usr/local/share/ca-certificates/extra
  2. Copy the CA .crt file to this directory:
     sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
  3. sudo dpkg-reconfigure ca-certificates
     To do this non-interactively, run:
     sudo update-ca-certificates

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

openssl x509 -inform DER -in foo.cer -out foo.crt


answered Jan 12, 2012 at 12:37


sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

sudo update-ca-certificates

That’s all. You should get this output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

No file needs to be edited. The link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won’t pick up on them.

This procedure also works in newer versions: manuals.


answered Nov 15, 2013 at 17:44


Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates, and why one works and the other does not!

  • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

  • /etc/ca-certificates.conf is only updated once you have run dpkg-reconfigure ca-certificates, which updates the certificate names to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

  1. sudo mkdir /usr/share/ca-certificates/extra
  2. Copy the .crt file to this directory:
     sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
  3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:
     echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
  4. Update certs non-interactively with sudo update-ca-certificates:
     $ sudo update-ca-certificates
     ...
     Updating certificates in /etc/ssl/certs...
     1 added, 0 removed; done.


answered Jul 19, 2019 at 12:23

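As an added example (not part of the answer above), two POSIX sh functions that apply exactly the rule just described: an entry in /etc/ca-certificates.conf is either listed, listed with a leading ! (deselected), or missing, and update-ca-certificates only links the listed ones. The function names and the sample conf file are assumptions of this example.

```shell
#!/bin/sh
# Added example: bring one entry in /etc/ca-certificates.conf into the state
# dpkg-reconfigure would leave it in, so that a following update-ca-certificates
# picks the certificate up.
# $1 = the conf file, $2 = "<folder>/<name>.crt" relative to /usr/share/ca-certificates

# Report how the conf file currently treats the entry: enabled | deselected | missing
ca_conf_status() {
    if grep -qxF -- "$2" "$1"; then
        echo enabled                  # listed: will be linked into /etc/ssl/certs
    elif grep -qxF -- "!$2" "$1"; then
        echo deselected               # listed with a leading '!': explicitly disabled
    else
        echo missing                  # not listed at all: silently ignored
    fi
}

# Enable the entry: strip the leading '!' or append the line; no-op if already on.
# Prints the action taken so callers can verify it. Refuses names that do not end
# in .crt, because update-ca-certificates never picks those up anyway.
ca_conf_enable() {
    case "$2" in *.crt) ;; *) echo "refusing $2: name must end in .crt" >&2; return 1 ;; esac
    case "$(ca_conf_status "$1" "$2")" in
        enabled)    echo unchanged ;;
        deselected) tmp=$(mktemp)
                    sed "s|^!$2\$|$2|" "$1" > "$tmp" && cat "$tmp" > "$1"; rm -f "$tmp"
                    echo reenabled ;;
        missing)    printf '%s\n' "$2" >> "$1"; echo appended ;;
    esac
}

# Typical use (needs root for the real file):
#   ca_conf_enable /etc/ca-certificates.conf extra/foo.crt && update-ca-certificates
```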

In most cases running your own CA (certification authority) is not advisable. But there are exceptions: if you want to secure internal services of your company, using your own CA might be necessary. During my employment at ADITO Software GmbH I created a tool for X.509 certificate management. The root certificate of my tool had to be imported into every PC of the company. Unfortunately there are some pitfalls which I did not expect, but after some research I figured out how to import the new CA into Linux and Windows PCs and into every major web browser.

Linux

System (Debian / Ubuntu)

Installing the root certificate on a Linux PC is straight forward:

sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates

After these steps the new CA is known to system utilities like curl and wget. Unfortunately, this does not affect most web browsers like Mozilla Firefox or Google Chrome.

System (Fedora)

Setup on Fedora Linux is a bit different:

sudo cp root.cert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Browser (Firefox, Chromium, …)

Manual setup of your certificate is also possible via GUI, e.g. in Firefox: “Settings” => “Privacy and Security” => “Show certificates” => “Certificate authorities” => “Import” (Similar in Chromium)

For an automated import, install the NSS tools first:

sudo apt install libnss3-tools

This little helper script finds NSS trust store databases and imports the new root certificate into them.

#!/bin/bash

### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Older Mozilla profiles use cert8 (DBM); current Firefox (58+), Chromium and Chrome use cert9 (SQL)

###
### Requirement: apt install libnss3-tools
###

set -u


###
### CA file to install (CUSTOMIZE!)
###

certfile="root.cert.pem"
certname="My Root CA"


###
### For cert8 (legacy - DBM)
###

# -print0 / read -d '' keep profile paths containing spaces intact
find ~/ -name "cert8.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "dbm:${certdir}"
done


###
### For cert9 (SQL)
###

find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done

After execution of this script your root CA should be known to Firefox, Chrome, Chromium, Vivaldi and other browsers.
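Pulling this page's pieces together (the DER-to-PEM conversion, the .crt naming rule of update-ca-certificates, the Firefox policies.json mentioned in the Windows CA walkthrough, and the certutil import the script above performs), here is an added installer script that is not the post's own code. It assumes Debian/Ubuntu with GNU coreutils, openssl and libnss3-tools; CERT_DIR, POLICY and all function names are assumptions of this example. It also checks that the file really is a CA certificate before trusting it, and uses the sql: prefix so the import lands in cert9.db (a bare profile directory, as in the question at the top, writes the legacy cert8.db that current Firefox does not read).

```shell
#!/bin/sh
# Added example, not the post's own script: install one root CA on Debian/Ubuntu
# system-wide, into every NSS database under $HOME (cert9.db: Firefox 58+ and
# Chromium) and via a Firefox policies.json. Assumes GNU coreutils, openssl and
# certutil (libnss3-tools); the two paths below are assumptions, adjust as needed.
CERT_DIR=${CERT_DIR:-/usr/local/share/ca-certificates/extra}
POLICY=${POLICY:-/usr/lib/firefox/distribution/policies.json}

# update-ca-certificates only picks up *.crt, so derive a safe install name:
# "FNMT ACRAIZ.cer" -> "FNMT_ACRAIZ.crt", "root.cert.pem" -> "root_cert.crt".
ca_install_name() {
    basename "$1" | sed -e 's/\.[A-Za-z0-9]*$//' -e 's/[^A-Za-z0-9_-]/_/g' -e 's/$/.crt/'
}

# PEM is text with a BEGIN marker; anything else is treated as DER (.cer).
ca_is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Write a PEM copy of $1 to $2, converting from DER when needed.
ca_to_pem() {
    if ca_is_pem "$1"; then cat "$1" > "$2"; else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# Refuse to trust a leaf or server certificate as a root: it would not make the
# chain verify and it widens what the machine trusts for no benefit.
ca_is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Import into one NSS database ("sql:" = cert9.db). "C,," trusts the CA for TLS
# server identity only, narrower than the "TCu,Cu,Tu" used in the script above.
ca_nss_import() {  # $1 = pem, $2 = nickname, $3 = directory holding cert9.db
    certutil -D -n "$2" -d "sql:$3" 2>/dev/null || true     # drop a stale copy first
    certutil -A -n "$2" -t "C,," -i "$1" -d "sql:$3"
}

# Firefox enterprise policy: trust the installed file plus the system store.
ca_firefox_policy() {  # $1 = installed .crt path; prints the JSON
    printf '{"policies":{"Certificates":{"ImportEnterpriseRoots":true,"Install":["%s"]}}}\n' "$1"
}

ca_install() {  # $1 = certificate file (PEM or DER), $2 = NSS nickname
    name=$(ca_install_name "$1"); pem=$(mktemp)
    ca_to_pem "$1" "$pem"
    if ! ca_is_ca_cert "$pem"; then echo "$1 is not a CA certificate" >&2; rm -f "$pem"; return 1; fi
    sudo install -m 0644 -D "$pem" "$CERT_DIR/$name"   # 0644: readable by every user
    sudo update-ca-certificates
    find "$HOME" -name cert9.db 2>/dev/null | while read -r db; do
        ca_nss_import "$pem" "$2" "$(dirname "$db")"
    done
    sudo mkdir -p "$(dirname "$POLICY")"                # note: replaces an existing policy file
    ca_firefox_policy "$CERT_DIR/$name" | sudo tee "$POLICY" >/dev/null
    rm -f "$pem"
}

case "${1:-}" in install) ca_install "$2" "${3:-$(ca_install_name "$2")}" ;; esac
```

Run it as `sh install-ca.sh install /path/to/certnew.cer "Example Internal Root"`; afterwards `openssl s_client` and `wget` against an internal site should build the chain, and Firefox shows the CA under Authorities after a restart.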

Windows

System

New root certificates can easily be imported into Windows via Active Directory. However, if you do not have Active Directory enabled on your Windows machines, this is how you manually import your certificate:

Change your certificate’s file name extension from .pem to .crt and open the file. Then select “Install certificate” => “Local machine” and browse the certificate store. Your certificate should be installed into “Trusted Root Certification Authorities”.

On Windows most web browsers and other applications use the OS trust store, so Google Chrome and Vivaldi should accept your certificates instantly. However, Firefox needs special treatment.


Mozilla Firefox

Like on Linux platforms, Firefox uses its own certificate trust store. You can manually import your root certificate via the Firefox settings, or force Firefox to use the Windows trust store:

/* Enable experimental Windows trust store support */
pref("security.enterprise_roots.enabled", true);

Firefox should know your CA after a browser restart.

Installing the Certificate

sudo cp example.crt /etc/ssl/certs
sudo cp example.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

answered Oct 28, 2011 at 18:05


answered Mar 29, 2018 at 21:26


Here are the simple steps:

  1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:
     sudo apt-get install ca-certificates
  2. sudo cp file.crt /usr/local/share/ca-certificates/
     For a PEM file, see: Convert .pem to .crt and .key.
     Optionally, if using Charles proxy, this command can work:
     curl -L chls.pro/ssl | sudo tee /usr/local/share/ca-certificates/charles.crt
  3. sudo update-ca-certificates
     The command will update the /etc/ssl/certs directory to hold SSL certificates and generate the ca-certificates.crt file (a concatenated single-file list of certificates).
     Note: Don’t add certificates manually (as suggested here), as they are not persistent and will be removed.

Note: If you’re running as root, you can drop the sudo from the above commands.

answered May 17, 2019 at 11:07


Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution; I looked and looked for a long time trying to figure out how to get this to work.

  1. Extract the .cer from the browser. I used IE 11.
     • Settings -> Internet Options -> Intermediate Certificate Authorities
     • Select the certificate authority you want to export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
     • Export -> select the format you want to use: DER Encoded .cer
  2. Get the .cer files to Ubuntu somehow.
  3. Convert to .crt: openssl x509 -inform DER -in certificate.cer -out certificate.crt
  4. Make the extra directory: sudo mkdir /usr/share/ca-certificates/extra
  5. Copy the certificates over: sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
  6. sudo update-ca-certificates
  7. If not, then you have to do what I did: go to sudo nano /etc/ca-certificates.conf
  8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) — if you don’t find your certificate, run dpkg-reconfigure ca-certificates
  9. Run sudo update-ca-certificates
  10. You may need to individually trust the CAs from Firefox, Chrome, etc. I needed it to work with Docker, so after these steps it worked with Docker.


answered Sep 13, 2016 at 19:50


cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt 


answered Nov 6, 2018 at 21:34


Have the (root / CA) certificate available on a web server, local to your network if you like.

  • Browse to it with Firefox.
  • Open the cert and tell Firefox to add it as an exception.
  • Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
  • Enjoy!

Update: It will be necessary to check if this works on Ubuntu 11. I’ve realised that I just did this on Ubuntu 12.04 LTS.


answered Jun 29, 2012 at 5:54

