A couple notes on this (very old) email.

1. We are adding support for using keychain certs on Mac in Firefox 63. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1300420

I'd appreciate if folks tested this when it went to beta to see if it
solves things for them.

2. While we are still planning to sandbox Autoconfig by default in Firefox
62, there will be a pref to disable it. We are doing this because we don't
have some features in the policy engine yet that folks need.

Mike

On Wed, May 23, 2018 at 5:05 PM, Ben Bass <[email protected]> wrote:

> Hi Mike.
>
> Thank you for pointing me to certutil.  Do you know of any easy way to
> build the binary on a mac so it can be run on multiple machines without
> installing homebrew?  I haven't ever used mercurial and am just trying to
> have this run once on each of the machines we manage.
>
> Or if there is an easier method, I am all ears.
>
> At the end of the day I just want to add certificates to the Macs so they
> don't get untrusted cert errors.
>
> Thank you!
>
> On Wed, May 23, 2018 at 3:16 PM, Mike Kaply <[email protected]> wrote:
>
>> You can use certutil to just add the cert to the Firefox DB.
>>
>> I'm also working on adding cert import support to our policy engine.
>>
>> Mike
>>
>> On Wed, May 23, 2018 at 2:13 PM, Ben Bass <[email protected]> wrote:
>>
>>> Hi Todd.
>>>
>>> It seems that this tool is only for PFX/P12 exports of the cert - my web
>>> team is not going to give me the private keys to the cert, do you know of
>>> any other way of getting the web browser to trust a cert with just having
>>> access to a cer file?
>>>
>>> Thank you!
>>>
>>> -----------------------------------------------------------
>>>
>>> Ben Bass,
>>> Jamf; CCT, CCA, CJA, CCE
>>> SANS; GSEC
>>> <https://www.youracclaim.com/badges/f4d7c7e5-a7d1-42e4-8086-aafaed29deba>
>>> Macintosh Client Security Systems Engineer
>>> (917) 536-0998
>>> [email protected]
>>>
>>>
>>>
>>> On Wed, May 23, 2018 at 12:36 PM, Houle, Todd - 1120 - MITLL <
>>> [email protected]> wrote:
>>>
>>>> I use pk12util to add certs to firefox cert database.  pk12util is part
>>>> of Mozilla’s NSS tools
>>>> (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools).
>>>> You could use homebrew to get them, but I prefer to compile myself.
>>>>
>>>>
>>>>
>>>> SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
>>>>
>>>> # Relative path of the first profile listed in profiles.ini
>>>> ffProfileShortPath=$(cat "$HOME/Library/Application Support/Firefox/profiles.ini" |grep Path |awk -F= '{print $2}'|head -1)
>>>>
>>>> ffProfileFullPath="$HOME/Library/Application Support/Firefox/$ffProfileShortPath/"
>>>>
>>>> # Import the PKCS#12 file into that profile's certificate database
>>>> "$SCRIPTPATH/pkutil/pk12util" -i newcert.pfx -W "${cert_password}" -d "$ffProfileFullPath"
>>>>
>>>>
>>>>
>>>> Todd
>>>>
>>>>
>>>>
>>>> *From: *Enterprise <[email protected]> on behalf of Ben
>>>> Bass <[email protected]>
>>>> *Date: *Wednesday, May 23, 2018 at 12:30 PM
>>>> *To: *enterprise <[email protected]>
>>>> *Subject: *[Mozilla Enterprise] Adding certificates to FF for Mac
>>>>
>>>>
>>>>
>>>> Hi everyone.
>>>>
>>>>
>>>>
>>>> We have been tasked with adding some of our internal Root CAs to allow
>>>> Firefox to use these certificates.
>>>>
>>>>
>>>>
>>>> We are still adding the certificates to the keychain, but cannot find a
>>>> way to get FF for mac to use the keychain.  I started down the autoconfig
>>>> path but see that that method will run into issues in FF 62, and we don't
>>>> want to develop a short term solution unless absolutely necessary.
>>>>
>>>>
>>>>
>>>> So my question is, what is the best way to get Firefox for Mac (ESR or
>>>> regular release) to either use the system keychain, or a way to
>>>> install/configure the certificates via another method?
>>>>
>>>>
>>>>
>>>> Thank you!
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Enterprise mailing list
>>>> [email protected]
>>>> https://mail.mozilla.org/listinfo/enterprise
>>>>
>>>> To unsubscribe from this list, please visit
>>>> https://mail.mozilla.org/listinfo/enterprise or send an email to
>>>> [email protected] with a subject of "unsubscribe"
>>>>
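Added example, not part of the original thread: one way to do what the certutil suggestion above describes, importing a CA certificate from a .cer file (no private key) into every Firefox profile listed in profiles.ini. It assumes NSS certutil is available as `certutil` or via `$CERTUTIL`; the script name, nickname and certificate file name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: certutil from NSS tools is
# on PATH or pointed to by $CERTUTIL; the nickname and .cer path are yours.
FF_DIR="${FF_DIR:-$HOME/Library/Application Support/Firefox}"
CERTUTIL="${CERTUTIL:-certutil}"

# Print the absolute directory of every profile in <dir>/profiles.ini,
# honouring IsRelative=1 (relative to <dir>) and IsRelative=0 (absolute).
list_profiles() {
    awk -F= -v base="$1" '
        function emit() {
            if (path != "") print ((rel == 1) ? (base "/" path) : path)
        }
        /^\[/              { emit(); rel = 1; path = "" }
        $1 == "IsRelative" { rel = $2 }
        $1 == "Path"       { path = substr($0, 6) }
        END                { emit() }
    ' "$1/profiles.ini"
}

# Add a CA certificate to one profile, trusted only for issuing TLS server
# certificates ("C,,"). Returns 2 if the profile has no certificate DB yet.
import_ca() {
    profile=$1; cert=$2; nick=$3
    if   [ -f "$profile/cert9.db" ]; then db="sql:$profile"
    elif [ -f "$profile/cert8.db" ]; then db="dbm:$profile"
    else return 2
    fi
    # Already imported under this nickname: nothing to do.
    "$CERTUTIL" -L -d "$db" -n "$nick" >/dev/null 2>&1 && return 0
    "$CERTUTIL" -A -d "$db" -n "$nick" -t "C,," -i "$cert"
}

# Import into every profile; report the ones that could not be updated.
import_ca_all() {
    list_profiles "$FF_DIR" | while IFS= read -r p; do
        import_ca "$p" "$1" "$2" || echo "not imported: $p" >&2
    done
}

# Usage: ./add-firefox-ca.sh internal-root.cer "Internal Root CA"
if [ $# -eq 2 ]; then import_ca_all "$1" "$2"; fi
```

Unlike the `head -1` approach, this covers every profile on the machine, and a profile that Firefox has never opened is reported rather than silently skipped.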