Installing a CA certificate on multiple Windows machines (IE/Firefox)
I look after ~50 machines running XP/Vista, all on a single Windows Server 2008 domain. We are rolling out a number of test webservers internally, which have their SSL certificates signed with a company internal CA.
To prevent users being confused by SSL warnings, I need to install the CA's certificate on each of the machines.
Any ideas how to automatically install a certificate on Windows machines for IE and Firefox?
Solution 1:
Your best bet is to deply your root certificate to the machines using group policy. This article here explains the process in good detail.
Solution 2:
FirefoxADM will help you deploy CA certs for firefox. The annoying problem with this, is that it distributes the entire certificate database. Any certificates added by the user will be overwritten.
Solution 3:
I suggest using certutil
from NSS Tools [1] that can administer the certificate databases used by softwares like Firefox and Thunderbird [2]:
certutil.exe -A -n <cert name> -t <trust> -i <cert filepath> -d <firefox/thunderbird profile dirpath)
Combined with PsTools's PsExec
or an AD/logon script. Either way it should be ran when software is not running on remote host.
NSS Tools sources can be grabbed from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ (some Windows binaries can be found on the Internet but given the security nature: it's better to compile it yourself)
[1]: Network Security Services: https://developer.mozilla.org/docs/NSS/tools/NSS_Tools_certutil
[2]: They are using a Netscape Communicator database with files cert8.db
and key3.db
.
Solution 4:
Sam's answer is the best bet for IE.
For Firefox, it's not as easy because there's no machine wide certificate store that it uses (sadly). Each user has their own copy of the certificate store in the Firefox profile folder called cert8.db. You will basically have to edit this file with a local copy of Firefox and add your internal certs. Then distribute it to all of your users' profiles.
Distribution can be done using FirefoxADM like Zoredache mentioned. But there are plenty of other ways to do it using login scripts or tools like SMS/ConfigMgr.
Solution 5:
To import certificate into firefox on all domain computers do the following:
- manually import the SSL cert into firefox browser on any computer
- then copy firefox cert database
cert8.db
- find it in path
C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\8arq0r3k.default
- find it in path
- copy the cert db to a network shared location
- save the following to batch file (modify the share path):
script.bat
:
Set FFProfdir=%Appdata%\mozilla\firefox\profiles
cd %FFProfdir%
DIR /A:D /B > "%Temp%\FFProfile.txt"
FOR /F "tokens=*" %%i in (%Temp%\FFProfile.txt) do (
CD /d "%FFProfDir%\%%i"
rename cert8.db cert8.db.orig
copy "\\server1\cert8.db"
)
DEL /f /q "%Temp%\FFProfile.txt"
This batch replaces the cert8.db with one that contains the new certificate. Use Domain Group Policy to run this batch at startup Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)