Re: Default Certs for Mozilla

2006-09-18 Thread David Stutzman

[EMAIL PROTECTED] wrote:

> My question is how can I make an assigned set of CA certs be available
> for any user that logs into the client.  If I export these from IE,
> then import them into Mozilla.  I want them added so that the first time a user
> logs into the system, they are present. This is a classified system, so the
> certs are classified.  Thanks, Mac

Actually, the root certs are stored in a file called libnssckbi.so or 
libnssckbi.dll depending on Linux or Windows (I can't speak to other 
platforms).  I have successfully built my own libnssckbi on Linux.  You 
cannot actually delete the certs from that file as it is read-only.  If 
you do try you will notice they all come back when you restart Mozilla. 
They will, however, no longer be trusted.  There's been some 
discussion on here about this behavior and ultimately it's better for 
the end user.  I believe the changes you made in the trust status will 
get stored in the profile's cert8.db.


I created the following "script" for regenerating the libnssckbi each 
time I want to add/remove certs.  I couldn't figure out how to in-line 
the perl so I created a separate file called chop-dn.pl which contains 
that part.  You can see the attempt at calling "perl -e" on one of the 
commented out lines.  I am by no means a master scripter, but it does 
the job for me.   I run the script on a Fedora Core 4 box inside a 
directory containing all of the base64 (PEM) encoded certs I want in the 
libnssckbi and it does everything else for me.


Something I am doing that you probably won't want to is I am adding 
non-root certs to the module (from the line "mv certdata.txt user" to 
"cd ../").  The script will set SSL and EMAIL trust bits on any CA that 
has "root" in the CN.  If you also want code signing trust you will have 
to modify that line. You can easily remove the if block and just call 
the same addbuiltin command on all the certs you have.  I also add 
intermediate CAs but I do not set the trust bit on them.  I found out 
that the addbuiltin command doesn't pay attention to all the trust 
flags that it is supposed to, so a stock NSS 3.11.2 addbuiltin command 
will not correctly add any certs with the "c" trust flag.  This bug 
outlines that: https://bugzilla.mozilla.org/show_bug.cgi?id=348882.


Oh...and credit to this CACert blog entry which got me started (but 
isn't completely up to date): http://wiki.cacert.org/wiki/NSSLib


Dave

main script:
#!/bin/bash

#
# Name of certdata file (this shouldn't really change)
#
CERTDATA="certdata.txt"


#
# Some directories we'll use later
#
#NSS_BASE=/usr/local/src/nss-3.10
NSS_BASE=/mnt/public/NSS/nss-3.11.2
NSS_BUILD_DIR=$NSS_BASE/mozilla/security/nss
BUILTINS=$NSS_BUILD_DIR/lib/ckfw/builtins


#
# Cleanup DER encoded cert files from previous run
#
for CERT in *.der; do
    [ -e "$CERT" ] && rm -f "$CERT"
done

#
# Backup the last few libnssckbi's we built...
# (errors about a missing older copy are expected on the first runs)
#
mv --force libnssckbi.so-2 libnssckbi.so-3 2>/dev/null
mv --force libnssckbi.so-1 libnssckbi.so-2 2>/dev/null
mv --force libnssckbi.so   libnssckbi.so-1 2>/dev/null


#
# Prepare a new certdata.txt template
#
echo ""
echo "Preparing new certdata file"
echo 'CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.37 $ $Date: 2005/04/18 16:08:07 $"' > $CERTDATA
echo "#" >> $CERTDATA
echo "# The object to tell NSS that this is a root list and we don't" >> $CERTDATA
echo "# have to go looking for others." >> $CERTDATA
echo "#" >> $CERTDATA
echo "BEGINDATA" >> $CERTDATA
echo "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST" >> $CERTDATA
echo "CKA_TOKEN CK_BBOOL CK_TRUE" >> $CERTDATA
echo "CKA_PRIVATE CK_BBOOL CK_FALSE" >> $CERTDATA
echo "CKA_MODIFIABLE CK_BBOOL CK_FALSE" >> $CERTDATA
echo 'CKA_LABEL UTF8 "Mozilla Builtin Roots"' >> $CERTDATA
echo "" >> $CERTDATA


#
# Convert certificates to DER and add to certdata file
#
echo ""
echo "Converting certificates to DER and adding to certdata file"
for CRT in *.crt; do
    [ -e "$CRT" ] || continue
    CERT=${CRT%.crt}

    #convert PEM cert to DER encoding
    openssl x509 -in "$CERT.crt" -out "$CERT.der" -outform DER

    #pretty-print cert, grep out the subject line, pass that line to perl
    #+ script (chop-dn.pl, separate file) which tokenizes the line and gives
    #+ me back just the CN=foo part, then use cut to remove the CN=...this
    #+ is the nickname we'll use
    NICKNAME=`openssl x509 -in "$CERT.der" -inform DER -text | grep -i subject: | perl chop-dn.pl | cut -d= -f2`
    #   in-line equivalent: -n makes perl read the piped line into $_,
    #+  and double quotes keep the shell's single-quoted string intact
    #   NICKNAME=`openssl x509 -in "$CERT.der" -inform DER -text | grep -i subject: | perl -ne '@tokens = split(", "); print $tokens[$#tokens];' | cut -d= -f2`

    echo "$NICKNAME"
    #append the cert to the certdata.txt file which will end up being
    #+ the built-in roots module
    if echo "$NICKNAME" | grep -Eiq "root"; then
        addbuiltin -n "${NICKNAME}" -t "CT,C,c" < "$CERT.der" >> $CERTDATA
    else
        addbuiltin -n "${NICKNAME}" -t "c,c,c" < "$CERT.der" >> $CERTDATA
    fi

done

mv certdata.txt user
cd user
echo ""
ec
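The posted script decides which CAs get the "CT,C,c" trust string by grepping for "root" in the CN. The following is an added example (not code from the thread, not part of NSS) that makes the same decision structurally, by checking whether the certificate's issuer Name equals its subject Name, and prints the addbuiltin invocation it would run. It assumes nothing beyond the Python standard library; the DER walker is deliberately minimal and does not verify signatures, and the "Example Corp" certificates it classifies are constructed, unsigned placeholders (hypothetical names, junk signature bytes) built inline so the example runs offline.

```python
"""Classify PEM CA certs for an NSS builtins module (added example, not from the thread).

Self-signed is judged structurally (issuer Name == subject Name); a real pipeline
should also verify the self-signature and pin fingerprints before shipping.
"""
import base64
import hashlib
import re

OID_CN = bytes.fromhex("550403")                       # id-at-commonName 2.5.4.3
OID_O = bytes.fromhex("55040A")                        # id-at-organizationName 2.5.4.10
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")   # only used by the constructed samples


# ---- minimal DER reader ----------------------------------------------------
def der_read(buf, pos=0):
    """Decode one definite-length TLV at pos; return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, end = der_read(content, pos)
        out.append((tag, inner, content[pos:end]))
        pos = end
    return out


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def parse_cert(der):
    """Return the raw issuer and subject Name TLVs from tbsCertificate."""
    _, cert, _ = der_read(der)               # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)               # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    _serial, _sigalg, issuer, _validity, subject = fields[:5]
    return {"issuer": issuer[2], "subject": subject[2]}


def common_name(name_tlv):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return the first CN."""
    _, rdns, _ = der_read(name_tlv)
    for _, rdn, _ in der_children(rdns):
        for _, atv, _ in der_children(rdn):
            (_, oid, _), (_, value, _) = der_children(atv)[:2]
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


# ---- policy (mirrors the posted script: roots trusted, intermediates "valid CA" only)
def trust_flags(cert, code_signing=False):
    if cert["issuer"] == cert["subject"]:
        return "CT,C,C" if code_signing else "CT,C,c"
    return "c,c,c"


def classify(pem, code_signing=False):
    der = pem_to_der(pem)
    cert = parse_cert(der)
    return common_name(cert["subject"]), trust_flags(cert, code_signing), hashlib.sha256(der).hexdigest()


def addbuiltin_argv(pem):
    nick, flags, _ = classify(pem)
    return ["addbuiltin", "-n", nick, "-t", flags]   # the DER cert goes on stdin


# ---- constructed, unsigned sample certificates (structure only) ------------
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(cn, org):
    atv = lambda oid, s: der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, s.encode())))
    return der_tlv(0x30, atv(OID_CN, cn) + atv(OID_O, org))


def synthetic_cert(subject_cn, issuer_cn, org="Example Corp"):
    """Hypothetical cert with a junk signature: just enough structure for parse_cert()."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg
                  + der_name(issuer_cn, org)
                  + der_tlv(0x30, der_tlv(0x17, b"060918000000Z") + der_tlv(0x17, b"360918000000Z"))
                  + der_name(subject_cn, org) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00\x00"))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for der in (synthetic_cert("Example Corp Root CA", "Example Corp Root CA"),
                synthetic_cert("Example Corp Issuing CA", "Example Corp Root CA"),
                # "root" in the CN but not self-signed: the grep heuristic would over-trust this one
                synthetic_cert("Example Corp Root Services CA", "Example Corp Root CA")):
        print(addbuiltin_argv(der_to_pem(der)))
```

The third sample is the case the grep heuristic gets wrong: an intermediate whose CN happens to contain "Root" would receive "CT,C,c" from the script but "c,c,c" here. The SHA-256 fingerprint that classify() returns is what you would compare against a pinned allowlist before the cert is allowed into the module at all.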

Re: Default Certs for Mozilla

2006-09-14 Thread Arshad Noor

If you're using the current version of Firefox/Mozilla, the file will
be cert8.db and not cert7.db; you'll find it in the C:\Documents and 
Settings\[UserName]\Application Data\Mozilla\Firefox\Profiles\[random 
string]\  directory.  If you're using Windows Explorer to find it,
make sure you've checked your options to show hidden files and system
folders.

You're welcome.

Arshad Noor
StrongAuth, Inc.

Ronald Mckenzie wrote:
Good start. Where is the location for the default Mozilla certs on 
Windows? I searched for cert7 and found nothing.  Is it written into the 
jar files?? Thanks, Ron


On 9/14/06, Arshad Noor <[EMAIL PROTECTED]> wrote:


If you keep the individual CA certs as PEM files in a distinct
location, as part of the login process, you can use a script to
check for the presence of these CA certs in the cert-store and
then add them as appropriate.

Using two files, I remove third-party CA's from internal server
applications using client-auth:

File cacerts has a list of all CA names
---

ABAecom (sub., Am. Bankers Assn.) Root CA
Access America by DST
...
Verisign Class 4 Public Primary Certification Authority - G2
Verisign Class 4 Public Primary Certification Authority - G3
Verisign/RSA Commercial CA
Verisign/RSA Secure Server CA


File rmcerts removes them (written for Linux/UNIX)
--

#!/bin/ksh
#
# First parameter is the directory where cert7.db file exists
# Second parameter is the file that has list of certs to remove

if [ $# -ne 2 ]; then
 echo "Usage: $0 <cert-db-directory> <file-listing-certs-to-remove>"
 exit 1
fi

exec 3< "$2"
while read -r -u3
do
 certutil -D -d "$1" -n "$REPLY" && print -r "Deleted $REPLY"
done
certutil -L -d "$1"


Hope this helps.

Arshad Noor
StrongAuth, Inc.


[EMAIL PROTECTED] wrote:
> My question is how can I make an assigned set of CA certs be available
> for any user that logs into the client.  If I export these from IE,
> then import them into Mozilla.  I want them added so that the
> first time a user logs into the system, they are present. This is a
> classified system, so the certs are classified.  Thanks, Mac
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto





Re: Default Certs for Mozilla

2006-09-14 Thread Arshad Noor

If you keep the individual CA certs as PEM files in a distinct
location, as part of the login process, you can use a script to
check for the presence of these CA certs in the cert-store and
then add them as appropriate.

Using two files, I remove third-party CA's from internal server
applications using client-auth:

File cacerts has a list of all CA names
---

ABAecom (sub., Am. Bankers Assn.) Root CA
Access America by DST
...
Verisign Class 4 Public Primary Certification Authority - G2
Verisign Class 4 Public Primary Certification Authority - G3
Verisign/RSA Commercial CA
Verisign/RSA Secure Server CA


File rmcerts removes them (written for Linux/UNIX)
--

#!/bin/ksh
#
# First parameter is the directory where cert7.db file exists
# Second parameter is the file that has list of certs to remove

if [ $# -ne 2 ]; then
 echo "Usage: $0 <cert-db-directory> <file-listing-certs-to-remove>"
 exit 1
fi

exec 3< "$2"
while read -r -u3
do
 certutil -D -d "$1" -n "$REPLY" && print -r "Deleted $REPLY"
done
certutil -L -d "$1"


Hope this helps.

Arshad Noor
StrongAuth, Inc.


[EMAIL PROTECTED] wrote:

> My question is how can I make an assigned set of CA certs be available
> for any user that logs into the client.  If I export these from IE,
> then import them into Mozilla.  I want them added so that the first time a user
> logs into the system, they are present. This is a classified system, so the
> certs are classified.  Thanks, Mac



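Arshad's approach above is two files and a loop: a list of CA nicknames to delete, and (at login) a check that the wanted CAs are present before adding them. As an added example (not code from the thread or from NSS), the following turns both halves into one idempotent plan: it parses the output of `certutil -L`, compares it with the desired set, and emits the `certutil -A` / `-M` / `-D` commands that are actually needed, so running it at every login changes nothing once the profile is right. It assumes certutil is on PATH and that its listing has a two-line header followed by a blank line and then one "nickname  trust" row per cert; the listing embedded below is constructed sample output, and the profile path and /etc/pki/site file names are placeholders.

```python
"""Reconcile an NSS cert database against a desired CA list (added example, not from the thread)."""
import subprocess

# Constructed sample of `certutil -L -d <profile>` output: nickname column, then trust column.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         CT,C,c
Example Corp Issuing CA                                      c,c,c
Verisign/RSA Secure Server CA                                C,C,C
"""


def parse_certutil_list(text):
    """Map nickname -> trust string. Nicknames may contain spaces, so split from the right."""
    certs, past_header = {}, False
    for line in text.splitlines():
        if not line.strip():
            past_header = True               # the blank line ends the two header lines
            continue
        if not past_header:
            continue
        nick, trust = line.rstrip().rsplit(None, 1)
        certs[nick.rstrip()] = trust
    return certs


def read_name_list(text):
    """One nickname per line, like the posted 'cacerts' file; blank lines and '...' are skipped."""
    return [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "..."]


def plan_changes(db_dir, present, desired, remove):
    """present: nickname -> trust (from parse_certutil_list)
    desired: nickname -> (pem_path, trust) that must exist with exactly that trust
    remove:  nicknames to delete if present (a desired nickname is never removed)
    Returns the certutil argv lists to run, in order."""
    cmds = []
    for nick, (path, trust) in desired.items():
        if nick not in present:
            cmds.append(["certutil", "-A", "-d", db_dir, "-n", nick, "-t", trust, "-i", path])
        elif present[nick] != trust:
            cmds.append(["certutil", "-M", "-d", db_dir, "-n", nick, "-t", trust])
    for nick in remove:
        if nick in present and nick not in desired:
            cmds.append(["certutil", "-D", "-d", db_dir, "-n", nick])
    return cmds


def current_listing(db_dir):
    """Live query of the profile; not used by the offline demo."""
    return subprocess.run(["certutil", "-L", "-d", db_dir], check=True,
                          capture_output=True, text=True).stdout


def sync_profile(db_dir, desired, remove, listing=None, dry_run=True):
    present = parse_certutil_list(listing if listing is not None else current_listing(db_dir))
    cmds = plan_changes(db_dir, present, desired, remove)
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    profile = "/home/mac/.mozilla/firefox/xxxxxxxx.default"     # placeholder profile directory
    desired = {
        "Example Corp Root CA": ("/etc/pki/site/root.crt", "CT,C,C"),        # present, trust differs
        "Example Corp Issuing CA": ("/etc/pki/site/issuing.crt", "c,c,c"),   # present and correct
        "Example Corp Email CA": ("/etc/pki/site/email.crt", "C,C,c"),       # missing: add it
    }
    remove = read_name_list("Verisign/RSA Commercial CA\nVerisign/RSA Secure Server CA\n")
    for argv in sync_profile(profile, desired, remove, listing=SAMPLE_LISTING):
        print(" ".join(argv))
```

Run with dry_run=True first and read the plan; only the -D lines are destructive. The database directory is the profile directory Arshad describes (cert8.db for current Firefox), which only exists once the user has started Firefox at least once, so a login-time script has to tolerate a missing profile or fall back to the libnssckbi route from the other reply.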


Default Certs for Mozilla

2006-09-14 Thread ronmac1978
My question is how can I make an assigned set of CA certs be available
for any user that logs into the client.  If I export these from IE,
then import them into Mozilla.  I want them added so that the first time a
user logs into the system, they are present. This is a classified system, so
the certs are classified.  Thanks, Mac
