This repository was archived by the owner on Dec 21, 2021. It is now read-only.

Commit 994ded7

initial commit
0 parents  commit 994ded7


10 files changed

+896
-0
lines changed


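--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.exe
+*.dll
+thumbs.db
+/notes.txt
+/cacert/CACert*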

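--- a/README.md
+++ b/README.md
@@ -0,0 +1,26 @@
+firefox_add-certs
+===========
+
+script to add new CA certificates to the Firefox trusted certificate store on Windows
+
+
+Description
+-------------
+Unlike other browsers, Firefox doesn't use the Windows certificate store, but comes with its own hardcoded list of trusted Certificate Authorities. New CA certificates can be added through the GUI and are stored in the user's Firefox profile.
+This cmd script is a very thin wrapper around Mozilla's NSS certutil command line tool, that adds all CA certificates from a given folder as trusted to:
+-the default Firefox profile (so that any newly created Firefox profile will automatically have them)
+-the Firefox profiles of all users on the local Windows machine (appropriate write permissions to these user profiles needed)
+
+The release download includes a build of the NSS `certutil.exe`.
+
+Usage
+-------------
+-download and extract the ZIP file from the [release page](https://github.com/christian-korneck/firefox_add-certs/releases) (includes the NSS certutil.exe binaries)
+-put all CA certificates that you want to add in the folder: `cacert\`
+-note: For testing, the CA folder includes the [CACert.org](http://www.cacert.org/) root and intermediate certificates. Remove them if you don't want to add them.
+-run `add-certs.cmd` with admin privileges
+
+Requirements
+-------------
+-the bundeled certutil.exe might require [vcredist 12.0/2013 32bit](http://www.microsoft.com/en-us/download/details.aspx?id=40784)
+-tested with Firefox 39.0, Windows 8.1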

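--- a/add-certs.cmd
+++ b/add-certs.cmd
@@ -0,0 +1,78 @@
+@echo off
+setlocal
+
+REM #### general config
+if not defined programfiles(x86) set programfiles(x86)=%programfiles%
+set firefoxdefaultprofile=%programfiles(x86)%\Mozilla Firefox\browser\defaults\Profile
+
+
+REM #### default firefox profile
+if not exist "%programfiles(x86)%\Mozilla Firefox" exit /B 1
+if not exist "%firefoxdefaultprofile%" mkdir "%firefoxdefaultprofile%"
+if not exist "%firefoxdefaultprofile%\cert8.db" copy /y "%~dp0db\empty\cert8.db" "%firefoxdefaultprofile%\" >NUL
+if not exist "%firefoxdefaultprofile%\key3.db" copy /y "%~dp0db\empty\key3.db" "%firefoxdefaultprofile%\" >NUL
+if not exist "%firefoxdefaultprofile%\secmod.db" copy /y "%~dp0db\empty\secmod.db" "%firefoxdefaultprofile%\" >NUL
+
+setlocal ENABLEDELAYEDEXPANSION
+set replacepath=%~dp0cacert\
+FOR /R "%~dp0" %%C IN (cacert\*.pem) DO (
+set certpath=%%C
+set certfile=!certpath:%replacepath%=!
+set certfile=!certfile:.pem=!
+set certfile=!certfile:.cacert=!
+set certfile=AddedByUser !certfile!
+"%~dp0bin\certutil.exe" -A -n "!certfile!" -i "%%C" -t "cTC,cTC,cTC", -d "%firefoxdefaultprofile%"
+)
+setlocal DISABLEDELAYEDEXPANSION
+
+
+REM ####user profiles
+setlocal ENABLEDELAYEDEXPANSION
+set replacepath=%~dp0cacert\
+FOR /D %%U IN ("%systemdrive%\Users\*") DO (
+FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO if not exist "%%P\cert8.db" copy /y "%~dp0db\empty\cert8.db" "%%P\" >NUL
+FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO if not exist "%%P\key3.db" copy /y "%~dp0db\empty\key3.db" "%%P\" >NUL
+FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO if not exist "%%P\secmod.db" copy /y "%~dp0db\empty\secmod.db" "%%P\" >NUL
+FOR /R "%~dp0" %%C IN (cacert\*.pem) DO (
+set certpath=%%C
+set certfile=!certpath:%replacepath%=!
+set certfile=!certfile:.pem=!
+set certfile=!certfile:.cacert=!
+set certfile=AddedByUser !certfile!
+FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO "%~dp0bin\certutil.exe" -A -n "!certfile!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P"
+))
+setlocal DISABLEDELAYEDEXPANSION
+
+setlocal ENABLEDELAYEDEXPANSION
+set replacepath=%~dp0cacert\
+FOR /R "%~dp0" %%C IN (cacert\*.pem) DO (
+set certpath=%%C
+set certfile=!certpath:%replacepath%=!
+set certfile=!certfile:.pem=!
+set certfile=!certfile:.cacert=!
+set certfile=AddedByUser !certfile!
+FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO (
+"%~dp0bin\certutil.exe" -A -n "!certfile!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P"
+))
+setlocal DISABLEDELAYEDEXPANSION
+
+
+REM #### postcheck (check only on default profile, not individual user profiles)
+setlocal ENABLEDELAYEDEXPANSION
+set replacepath=%~dp0cacert\
+FOR /R "%~dp0" %%C IN (cacert\*.pem) DO (
+set certpath=%%C
+set certfile=!certpath:%replacepath%=!
+set certfile=!certfile:.pem=!
+set certfile=!certfile:.cacert=!
+set certfile=AddedByUser !certfile!
+"%~dp0bin\certutil.exe" -L -d "%firefoxdefaultprofile%" | findstr /i "!certfile!" >NUL
+set myerrorlevel=%errorlevel%
+if /i "!myerrorlevel!" NEQ "0" echo [ERR2] post-check: certificate not in db "!firefoxdefaultprofile!": !certfile!
+if /i "!myerrorlevel!" NEQ "0" exit /B 2
+)
+setlocal DISABLEDELAYEDEXPANSION
+
+
+REM #### eof
+exit /B 0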
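Review bot: The post-check loop at the end of add-certs.cmd cannot reliably detect a missing certificate: `set myerrorlevel=%errorlevel%` sits inside the parenthesised FOR block, so `%errorlevel%` is expanded once when the block is parsed rather than after `findstr` runs, and `findstr /i "!certfile!"` treats the space in the `AddedByUser <name>` nickname as a separator, so a line containing either word counts as a match. Change the two lines to `"%~dp0bin\certutil.exe" -L -d "%firefoxdefaultprofile%" | findstr /L /I /C:"!certfile!" >NUL` and `set myerrorlevel=!errorlevel!`. The exit status of the `certutil.exe -A` calls in the three import loops is not checked either, so a failed import into a user profile goes unreported. Because every `.pem` found under `cacert\` is imported with `cTC,cTC,cTC` (CA trust for SSL, e-mail and object signing) into every profile on the machine, consider narrowing the flags to what is actually needed, for example `C,,` for TLS server trust only, and keep the script folder writable by administrators only.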
