Open erbayaskin opened 6 years ago
Hi, I am also looking for a solution to this problem. I tried rebuilding the latest NSS certutil version, but it is very complicated for me and did not work. If you have resolved this, can you contact me? Best regards, Olivier
Hi, I solved this problem. I want to learn where you will use this batch file. Best Regards Erbay
Hi! I use this script to install the certificate I use to connect to a websocket. Best regards, Olivier
```bat
@echo off
setlocal

rem Locate the Firefox default profile directory (x86 path first, then native).
if not defined programfiles(x86) set programfiles(x86)=%programfiles%
set dfltProfile=%programfiles(x86)%\Mozilla Firefox\browser\defaults\Profile
if not exist "%programfiles(x86)%\Mozilla Firefox" set dfltProfile=%programfiles%\Mozilla Firefox\browser\defaults\Profile
if not exist "%dfltProfile%" mkdir "%dfltProfile%"

rem 1) Default profile: add each certificate with the sql: prefix and without it.
setlocal ENABLEDELAYEDEXPANSION
set replacepath=%~dp0cacert\
FOR /R "%~dp0" %%C IN (cacert*.crt) DO (
    set certificatepath=%%C
    set cert=!certificatepath:%replacepath%=!
    set cert=!cert:.crt=!
    set cert=!cert:.cacert=!
    set cert=AddedByUser !cert!
    "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%dfltProfile%"
    "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%dfltProfile%"
)
setlocal DISABLEDELAYEDEXPANSION

rem 2) Existing profiles of every user on the machine.
setlocal ENABLEDELAYEDEXPANSION
set replacepath=%~dp0cacert\
FOR /D %%U IN ("%systemdrive%\Users\*") DO (
    FOR /R "%~dp0" %%C IN (cacert*.crt) DO (
        set certificatepath=%%C
        set cert=!certificatepath:%replacepath%=!
        set cert=!cert:.crt=!
        set cert=!cert:.cacert=!
        set cert=AddedByUser !cert!
        FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%%P"
        FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P"
    )
)
setlocal DISABLEDELAYEDEXPANSION

rem 3) Existing profiles of the current user.
setlocal ENABLEDELAYEDEXPANSION
set replacepath=%~dp0cacert\
FOR /R "%~dp0" %%C IN (cacert*.crt) DO (
    set certificatepath=%%C
    set cert=!certificatepath:%replacepath%=!
    set cert=!cert:.crt=!
    set cert=!cert:.cacert=!
    set cert=AddedByUser !cert!
    FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO (
        "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%%P"
    )
    FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO (
        "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P"
    )
)
setlocal DISABLEDELAYEDEXPANSION

rem 4) Post-check: list the default profile databases and look for each nickname.
setlocal ENABLEDELAYEDEXPANSION
set replacepath=%~dp0cacert\
FOR /R "%~dp0" %%C IN (cacert*.crt) DO (
    set certificatepath=%%C
    set cert=!certificatepath:%replacepath%=!
    set cert=!cert:.crt=!
    set cert=!cert:.cacert=!
    set cert=AddedByUser !cert!
    "%~dp0bin\certutil.exe" -L -d sql:"%dfltProfile%" | findstr /i "!cert!" >NUL
    "%~dp0bin\certutil.exe" -L -d "%dfltProfile%" | findstr /i "!cert!" >NUL
    rem !errorlevel!, not %errorlevel%: inside a FOR block the %% form is expanded once, before the loop runs.
    set myerrorlevel=!errorlevel!
    if /i "!myerrorlevel!" NEQ "0" echo [ERROR] post-check: no certificate in db "!dfltProfile!": !cert!
    if /i "!myerrorlevel!" NEQ "0" exit /B 2
)
setlocal DISABLEDELAYEDEXPANSION
exit /B 0
```
With cert9.db there must be a sql: for the file string: ... -d sql:FIREFOXPROFIL
@HalliHalloSchatz thanks, can you send a merge request?
@christian-korneck as erbayaskin suggested and @HalliHalloSchatz reminded us, there is only a sql: indicator missing between -d and the
I think erbayaskin pasted his solution in this issue based on some older trunk. Though it needs some polishing by adding/removing newlines. He also changed some of the variables from firefoxdefaultprofile to dfltProfile, certfile to cert and certpath to certificatepath. Besides that he switched from cacert*.pem to cacert*.crt. And finally he dropped the copying of the empty cert.db8, key3.db and secmod.db as that may not make sense for x86_64 bit where one would need an empty cert.db9.
Though he did not change the path of the programfiles(x86) to 64bit, which you fixed in the current master branch.
I tried to redo the changes he did to your current trunk and have the file attached for x86_64 to be modified too. Please double check and add to your repo as I am behind a firewall with no access to generate a pull request.
Kind regards, Stefan
Thanks everyone and sorry for the late response, I didn't have attention on this repo for a while. I'll have a look at it soon. If anyone wants to send a PR I'd appreciate it. (If not, that's ok too, but it might take me longer.)
Hi Christian, thanks for your quick response. I have dug a bit deeper and it appears the following has changed from 2009 onwards according to the pk12util man page. I.e. the files that erbayaskin removed from the script should also not be present in the current 32-bit version. Instead these are replaced by two SQLite databases and the pkcs11.txt file. Kind regards, Stefan
PK12UTIL(1) NSS Security Tools PK12UTIL(1) https://www.linux.org/docs/man1/pk12util.html
NSS DATABASE TYPES
NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy databases are:
· cert8.db for certificates
· key3.db for keys
· secmod.db for PKCS #11 module information
BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS requires more flexibility to provide a truly shared security database.
In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB. These new
databases provide more accessibility and performance:
· cert9.db for certificates
· key4.db for keys
· pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the
security databases directory
Because the SQLite databases are designed to be shared, these are the shared database type. The shared
This line can be set added to the ~/.bashrc file to make the change permanent.
Most applications do not use the shared database by default, but they can be configured to use them. For
example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS
databases:
· https://wiki.mozilla.org/NSS_Shared_DB_Howto
For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
· https://wiki.mozilla.org/NSS_Shared_DB_
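Added example, not part of the thread or the project's script: one way to choose the `-d` prefix per profile from the database files the man page excerpt lists (cert9.db for SQLite, cert8.db for the legacy format) and then verify against the same database that was written. The certificate file, the nickname and the `bin\certutil.exe` location are placeholders, and it assumes a certutil build that accepts both the `sql:` and `dbm:` prefixes.

```bat
@echo off
rem Added example, not the project's script. CERTFILE and CERTNAME are placeholders.
setlocal ENABLEDELAYEDEXPANSION
set "CERTUTIL=%~dp0bin\certutil.exe"
set "CERTFILE=%~dp0cacert\example.crt"
set "CERTNAME=AddedByUser example"
set failed=0

FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO (
    rem cert9.db marks the SQLite format, cert8.db the legacy BerkeleyDB format.
    rem If both exist, prefer the SQLite database.
    set "prefix="
    if exist "%%P\cert8.db" set "prefix=dbm:"
    if exist "%%P\cert9.db" set "prefix=sql:"
    if not defined prefix (
        echo [SKIP] no NSS certificate database in "%%P"
    ) else (
        "%CERTUTIL%" -A -n "%CERTNAME%" -i "%CERTFILE%" -t "cTC,cTC,cTC" -d !prefix!"%%P"
        rem Verify against the same database; /c: matches the nickname as one literal string.
        "%CERTUTIL%" -L -d !prefix!"%%P" | findstr /i /c:"%CERTNAME%" >NUL
        if errorlevel 1 (
            echo [ERROR] "%CERTNAME%" not found in !prefix!"%%P"
            set failed=1
        ) else (
            echo [OK] "%CERTNAME%" present in !prefix!"%%P"
        )
    )
)
if "%failed%"=="1" exit /B 2
exit /B 0
```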
Hello Christian, it works with 32-bit Firefox, but it does not work successfully when only 64-bit Firefox is present. It can't add the CA certificate when only 64-bit Firefox is installed (32-bit Firefox has not been set up). Maybe certutil.exe adds the CA cert to cert8.db and doesn't add it to cert9.db. What can I do to add my CA certificate to the 64-bit Firefox store? I am waiting for your answers. Thanks. Best regards, Erbay Aşkın.