Import self-signed certificate in Firefox on the command line?

Hi,

I’m currently fiddling with Squid as a transparent proxy server, mainly for filtering web content in our local school. I managed to get Squid up and running with SSL Bump on a routerboard running Rocky Linux 8, as described in this blog article (in French, but the Unix bits are universal):

For this to work, I need to distribute the certficat.der file to all client PCs and then import it in every user’s Firefox.

I don’t know how Firefox handles and stores this certificate internally. In our local school I have all our user accounts centrally on a server (exported via NFS), so I wonder if there is a way to mass import this certificate file in every Firefox session using a script.

Any suggestions?

I have some self-made certs, with CA’s public part in PEM format and add them to system’s list of known CAs:

vars:
  - site_certificate_glob: 'files/ca/*'
tasks:
  - name: Copy certificate authority to trusted ca path of the os
    copy:
      src: '{{ item }}'
      dest: '/etc/pki/ca-trust/source/anchors/'
      owner: root
      group: root
      setype: cert_t
      mode: 0644
    with_fileglob: '{{ site_certificate_glob }}'
    register: certificates

  - name: Update trusted ca redhat
    command: /usr/bin/update-ca-trust
    when: certificates.changed

(Seems to be an old play of mine. I wonder why I had no handler?)
RH docs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-shared-system-certificates_securing-networks

While Firefox might have CAs of its own, it does use the shared system certs too.
If you want certs only for FF, then I can’t help.


You can do this via Firefox Policies - see:

https://mozilla.github.io/policy-templates/

more specifically for CA certs:

https://mozilla.github.io/policy-templates/#certificates--install

I.e. this involves creating a policies.json file in the required location.


Thanks! That did the trick! Last time I tried something similar it didn’t work because (as I remember) Firefox and Thunderbird didn’t use the system-wide CAs. They had their internal set of CAs, and you had to add a local CA manually. I’m glad this has been resolved.

Cheers,

Niki

  1. Here are some official options for Firefox only: Setting Up Certificate Authorities (CAs) in Firefox | Firefox for Enterprise Help
  2. System-wide root CAs can be imported using the trust command (man trust): https://www.redhat.com/sysadmin/configure-ca-trust-list
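
For the policies.json route mentioned in the thread, here is an added example (not code from any poster or from Mozilla) that merges a CA file into the `Certificates` / `Install` policy without overwriting policies already deployed. It goes one step further than the thread by refusing to deploy unless the file's SHA-256 fingerprint matches the one read off the proxy, since every Firefox on the machine will trust whatever this file contains. The policy file path and the function names are assumptions.

```python
import base64, hashlib, json, os, re, sys, tempfile

# Assumption: system-wide policy file read by Firefox on Linux.
POLICY_PATH = "/etc/firefox/policies/policies.json"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(cert_path):
    """Return the certificate as DER bytes, accepting a DER or PEM file."""
    with open(cert_path, "rb") as fh:
        raw = fh.read()
    m = PEM_RE.search(raw)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if raw[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError(f"{cert_path}: not a PEM or DER certificate")
    return raw

def sha256_fingerprint(cert_path):
    """SHA-256 over the DER encoding, formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der_bytes(cert_path)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def merge_ca_policy(policy_path, cert_path, expected_fp):
    """Add cert_path to Certificates.Install; return True if the file changed."""
    actual = sha256_fingerprint(cert_path)
    if actual != expected_fp.upper():
        raise ValueError(f"fingerprint mismatch for {cert_path}: {actual}")
    doc = {}
    if os.path.exists(policy_path):
        with open(policy_path) as fh:
            doc = json.load(fh)  # keep whatever policies are already deployed
    certs = doc.setdefault("policies", {}).setdefault("Certificates", {})
    install = certs.setdefault("Install", [])
    if cert_path in install:
        return False  # already deployed, nothing to write
    install.append(cert_path)
    directory = os.path.dirname(policy_path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)  # write, then rename atomically
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)
    os.chmod(tmp, 0o644)  # readable by every user, writable by the owner only
    os.replace(tmp, policy_path)
    return True

if __name__ == "__main__":
    # usage: script.py /path/to/ca.der <expected SHA-256 fingerprint>
    changed = merge_ca_policy(POLICY_PATH, sys.argv[1], sys.argv[2])
    print("policies.json updated" if changed else "already present")
```

Run it as root on each client (or from the Ansible play), passing the absolute path of the distributed certificate and the fingerprint taken from the proxy's own copy.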