Is there a way do deploy remotely new CA certificates to Firefox installs?
In other words, has anything changed since this question was answered Installing a CA certificate on multiple Windows machines (IE/Firefox)
Windows – How to deploy new CA certificate to Firefox installs
deploymentdomainfirefoxwindows
Related Solutions
I had the same problem - bought a basic SSL certificate (from Network Solutions), installed it under nginx, and it worked fine in both Opera and IE - but not Firefox 3.6.12. This is how I solved the problem. Note that I have root/shell access to my VPS, I don't know if you do (at least this might point your providers in the right direction).
The first step in finding the solution was using Qualys (as per this other answer). It told me that the chain was incomplete.
Second, I used OpenSSL for testing/debugging. Assuming you have shell access, you can do the command (q or CTRL-C to disconnect):
openssl s_client -connect mysite.com:443
and you will probably see the error "unable to get local issuer certificate". This is also a way to test when it's working, in the shell, without running Firefox.
SSL Certificate Chains
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file
Nginx configuration
In my case, I had gotten three files from Network Solutions - mysite.com.crt, AddTrustExternalCARoot.crt, and NetworkSolutionsDVServerCA.crt. There was no bundle file, but it's possible to create one from the other certificates. After some trial-and-error, I found what I needed was:
$ cat mysite.com.crt NetworkSolutionsDVServerCA.crt > mysite.com.chain.crt
The final step was to reconfigure my nginx server with the new file:
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/mysite.com.chain.crt;
ssl_certificate_key /etc/ssl/private/mysite.com.key;
server_name mysite.com;
# and so on
}
After getting the right certificates in the bundle, and restarting nginx, openssl reported no errors, Firefox got the page with no problem, and Qualys reported the chain was valid.
Apache configuration
Since you're running Apache, then you (or your providers) need to configure it for SSL with the correct file locations, one of which is the missing intermediate chain file:
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Two ways to set this up on Chrome:
- Set MCX preferences using the Workgroup Manager to configure the RestoreOnStartupURLs policy. See http://www.chromium.org/administrators/policy-list-3#RestoreOnStartup.
- Set a master preferences file with the desired homepage/startup URLs, and it will be automatically imported for new chrome profiles.
More details on both solution at http://www.chromium.org/administrators.
Best Answer
With
certutilfrom NSS Tools [1] you can administer the certificate databases used by softwares like Firefox and Thunderbird [2]:Example that adds "mycompany.pem" certificate file as "mycompany" into Firefox profile and set to trusts it as a CA that can issue client certificates for SSL, e-mail and signing (
_C,C,C) as well as server certificates for SSL (T_,_,_). Should be done when software is not running.You could also run the first command via PsTools's
PsExec.NSS Tools sources can be grabbed from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ (some Windows binaries can be found on the Internet but given the security nature: it's better to compile it yourself)
[1]: Network Security Services: https://developer.mozilla.org/docs/NSS/tools/NSS_Tools_certutil
[2]: They are using a Netscape Communicator database with files
cert8.dbandkey3.db.