Hi Mike. Thank you for pointing me to certutil. Do you know of any easy way to build the binary on a mac so it can be run on multiple machines without installing homebrew? I haven't ever used mercurial and am just trying to have this run once on each of the machines we manage.
Or if there is an easier method, I am all ears. At the end of the day I just want to add certificates to the Macs so they don't get untrusted cert errors. Thank you! On Wed, May 23, 2018 at 3:16 PM, Mike Kaply <[email protected]> wrote: > You can use certutil to just add the cert to the Firefox DB. > > I'm also working on adding cert import support to our policy engine. > > Mike > > On Wed, May 23, 2018 at 2:13 PM, Ben Bass <[email protected]> wrote: > >> Hi Todd. >> >> It seems that this tool is only for PFX/P12 exports of the cert - my web >> team is not going to give me the private keys to the cert, do you know of >> any other way of getting the web browser to trust a cert with just having >> access to a cer file? >> >> Thank you! >> >> ----------------------------------------------------------- >> >> Ben Bass, >> Jamf; CCT, CCA, CJA, CCE >> SANS; GSEC >> <https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba> >> Macintosh Client Security Systems Engineer >> (917) 536-0998 >> [email protected] >> >> >> >> On Wed, May 23, 2018 at 12:36 PM, Houle, Todd - 1120 - MITLL < >> [email protected]> wrote: >> >>> I use pk12util to add certs to firefox cert database. pk12util is part >>> of Mozilla’s NSS tools (https://developer.mozilla.org >>> /en-US/docs/Mozilla/Projects/NSS/tools). You could use homebrew to get >>> them, but I prefer to compile myself. >>> >>> >>> >>> SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" >>> >>> ffProfileShortPath=$(cat $HOME/Library/Application\ >>> Support/Firefox/profiles.ini |grep Path |awk -F= '{print $2}'|head -1) >>> >>> >>> >>> fProfileFullPath="$HOME/Library/Application >>> Support/Firefox/$ffProfileShortPath/" >>> >>> "$SCRIPTPATH/pkutil/pk12util" -i newcert.pfx -W "${cert_password}" -d >>> "$ffProfileFullPath" >>> >>> >>> >>> Todd >>> >>> >>> >>> *From: *Enterprise <[email protected]> on behalf of Ben >>> Bass <[email protected]> >>> *Date: *Wednesday, May 23, 2018 at 12:30 PM >>> *To: *enterprise <[email protected]> >>> *Subject: *[Mozilla Enterprise] Adding certificates to FF for Mac >>> >>> >>> >>> Hi everyone. >>> >>> >>> >>> We have been tasked with adding some of our internal Root CA's to allow >>> FireFox to use these certificates. >>> >>> >>> >>> We are still adding the certificates to the keychain, but cannot find a >>> way to get FF for mac to use the keychain. I started down the autoconfig >>> path but see that that method will run into issues in FF 62, and we don't >>> want to develop a short term solution unless absolutely necessary. >>> >>> >>> >>> So my question is, what is the best way to get Firefox for Mac (ESR or >>> regular release) to either use the system keychain, or a way to >>> install/configure the certificates via another method? >>> >>> >>> >>> Thank you! >>> >>> >>> >>> _______________________________________________ >>> Enterprise mailing list >>> [email protected] >>> https://mail.mozilla.org/listinfo/enterprise >>> >>> To unsubscribe from this list, please visit >>> https://mail.mozilla.org/listinfo/enterprise or send an email to >>> [email protected] with a subject of "unsubscribe" >>> >> >> >> >> -- >> >> >> _______________________________________________ >> Enterprise mailing list >> [email protected] >> https://mail.mozilla.org/listinfo/enterprise >> >> To unsubscribe from this list, please visit >> https://mail.mozilla.org/listinfo/enterprise or send an email to >> [email protected] with a subject of "unsubscribe" >> > > -- ----------------------------------------------------------- Ben Bass, Jamf; CCT, CCA, CJA, CCE SANS; GSEC <https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba> Macintosh Client Security Systems Engineer (917) 536-0998 [email protected]
_______________________________________________ Enterprise mailing list [email protected] https://mail.mozilla.org/listinfo/enterprise To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
