Import self-signed certificate in Firefox on the command line?

microlinux · March 8, 2024, 12:56pm

Hi,

I’m currently fiddling with Squid as a transparent proxy server, mainly for filtering web content in our local school. I managed to get Squid up and running with SSL Bump on a routerboard running Rocky Linux 8, as described in this blog article (in french, but the Unix bits are universal):

For this to work, I need to distribute the certficat.der file distributed to all client PCs and then import it in every user’s Firefox.

I don’t know how Firefox handles and stores this certificate internally. In our local school I have all our user account centrally on a server (exported via NFS), so I wonder if there is a way to mass import this certificate file in every Firefox session using a script.

Any suggestions?

jlehtone · March 8, 2024, 1:45pm

I have some self-made certs, with CA’s public part in PEM format and add them to system’s list of known CAs:

vars:
  - site_certificate_glob: 'files/ca/*'
tasks:
  - name: Copy certificate authority to trusted ca path of the os
    copy:
      src: '{{ item }}'
      dest: '/etc/pki/ca-trust/source/anchors/'
      owner: root
      group: root
      setype: cert_t
      mode: 0644
    with_fileglob: '{{ site_certificate_glob }}'
    register: certificates

  - name: Update trusted ca redhat
    command: /usr/bin/update-ca-trust
    when: certificates.changed

(Seems to be an old play of mine. I wonder why I had no handler?)
RH docs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-shared-system-certificates_securing-networks

While Firefox might have CAs of its own, it does use the shared system certs too.
If you want certs only for FF, then I can’t help.

james-p · March 8, 2024, 2:35pm

You can do this via Firefox Policies - see:

https://mozilla.github.io/policy-templates/

more specifically for CA certs:

https://mozilla.github.io/policy-templates/#certificates–install

i.e. involves creating a policies.json file in the required location

microlinux · March 9, 2024, 6:23am

Thanks ! That did the trick ! Last time I tried something similar it didn’t work because (as I remember) Firefox and Thunderbird didn’t use the system-wide CA’s. They had their internal set of CA’s, and you had to add a local CA manually. I’m glad this has been resolved.

Cheers,

Niki

raffraff · March 18, 2024, 9:13am

Here are some official options for Firefox only Setting Up Certificate Authorities (CAs) in Firefox | Firefox for Enterprise Help
System-wide root CAs can be imported using the trust command man trust https://www.redhat.com/sysadmin/configure-ca-trust-list

system · May 17, 2024, 9:14am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CA certificate ok in curl but nok in firefox or chrome Rocky Linux Help & Support	4	2111	August 25, 2023
Generate a certificate for Squid using Ansible Rocky Linux Help & Support	5	61	April 17, 2025
Updating pki certs to remove unwanted mozilla certs Rocky Linux Help & Support	3	568	August 24, 2023
Certbot --apache SSL Cert no longer trusted Rocky Linux Help & Support	1	484	August 25, 2023
RockyLinux vs Ubuntu SSL differences? Rocky Linux Help & Support rocky-linux-9	4	165	May 2, 2025

Import self-signed certificate in Firefox on the command line?

Related topics