Search code examples
firefoxcertificateca

Firefox not recgonising CA cert added with certuil

I'm trying to programmatically accept a CA certificate on a newly installed ubuntu 18.04.

The user does not have a ~/.mozilla folder when I run this script.

sudo apt install libnss3-tools

rm -rf /home/${USER}/.mozilla/

installId="4F96D1932A9F858E" # hash of firefox install location
defaultProfileId=$(openssl rand -hex 4)
releaseProfileId=$(openssl rand -hex 4)

certificateFile="/home/${USER}/hcp-ca-cert.pem"
certificateName="HCP CA Cert"

#########

certDir="/home/${USER}/.mozilla/firefox/${defaultProfileId}.default"
mkdir -p $certDir
certutil -A -n "${certificateName}" -t "TCu,Cu,Tu" -i "${certificateFile}" -d "${certDir}"

certDir="/home/${USER}/.mozilla/firefox/${releaseProfileId}.default-release"
mkdir -p $certDir
certutil -A -n "${certificateName}" -t "TCu,Cu,Tu" -i "${certificateFile}" -d "${certDir}"

#########

cat << EOF >> /home/${USER}/.mozilla/firefox/profiles.ini
[Install${installId}]
Default=${defaultProfileId}.default
Locked=1

[Profile1]
Name=default
IsRelative=1
Path=${defaultProfileId}.default
Default=1

[Profile0]
Name=default-release
IsRelative=1
Path=${releaseProfileId}.default

[General]
StartWithLastProfile=1
Version=2
EOF

#########

cat << EOF >> /home/${USER}/.mozilla/firefox/installs.ini
[${installId}]
Default=${releaseProfileId}.default-release
Locked=1
EOF

This creates the profiles, e.g.

ubuntu@ip-10-1-0-121:~$ certutil -L -d .mozilla/firefox/d8cfb77c.default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HCP CA Cert                                                  CT,C,c

and 

ubuntu@ip-10-1-0-121:~$ certutil -L -d .mozilla/firefox/d8cfb77c.default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HCP CA Cert                                                  CT,C,c

However, if I attempt to browse a site using the CA, I get the error invalid certificate:

Error code: SEC_ERROR_UNKNOWN_ISSUER

If I manually import the CA certificate into firefox's trusted authorities, the site loads fine without validation errors.

Update:

Looking at the file access times, it seems that when I open firefox, it is creating a new file 'cert9.db':

ubuntu@ip-10-1-0-121:~$ ll .mozilla/firefox/bf0a1f94.default-release/*.db
-rw------- 1 ubuntu ubuntu 65536 Apr  1 09:12 .mozilla/firefox/bf0a1f94.default-release/cert8.db
-rw------- 1 ubuntu ubuntu 16384 Apr  1 09:12 .mozilla/firefox/bf0a1f94.default-release/key3.db
-rw------- 1 ubuntu ubuntu 16384 Apr  1 09:12 .mozilla/firefox/bf0a1f94.default-release/secmod.db

and

ubuntu@ip-10-1-0-121:~$ ll .mozilla/firefox/d8cfb77c.default/*.db
-rw------- 1 ubuntu ubuntu  65536 Apr  1 09:12 .mozilla/firefox/d8cfb77c.default/cert8.db
-rw------- 1 ubuntu ubuntu 229376 Apr  1 09:33 .mozilla/firefox/d8cfb77c.default/cert9.db
-rw------- 1 ubuntu ubuntu  16384 Apr  1 09:12 .mozilla/firefox/d8cfb77c.default/key3.db
-rw------- 1 ubuntu ubuntu 294912 Apr  1 09:33 .mozilla/firefox/d8cfb77c.default/key4.db

The file size of cert9 suggests that this includes a bunch of CAs.

Solution

  • The solution was to prefix the certDir with sql:

    certutil -A -n "${certificateName}" -t "TCu,Cu,Tu" -i "${certificateFile}" -d "sql:${certDir}"