Hi,
I’m currently fiddling with Squid as a transparent proxy server, mainly for filtering web content in our local school. I managed to get Squid up and running with SSL Bump on a routerboard running Rocky Linux 8, as described in this blog article (in french, but the Unix bits are universal):
For this to work, I need to distribute the certificat.der file to all client PCs and then import it into every user’s Firefox.
I don’t know how Firefox handles and stores this certificate internally. In our local school I have all our user accounts centrally on a server (exported via NFS), so I wonder if there is a way to mass-import this certificate file into every Firefox session using a script.
Any suggestions?
I have some self-made certs, with the CA’s public part in PEM format, and add them to the system’s list of known CAs:

```yaml
# hosts/become lines added so the snippet runs as a complete play
- hosts: all
  become: true
  vars:
    site_certificate_glob: 'files/ca/*'
  tasks:
    - name: Copy certificate authority to trusted ca path of the os
      copy:
        src: '{{ item }}'
        dest: '/etc/pki/ca-trust/source/anchors/'
        owner: root
        group: root
        setype: cert_t
        mode: '0644'
      with_fileglob: '{{ site_certificate_glob }}'
      register: certificates
    - name: Update trusted ca redhat
      command: /usr/bin/update-ca-trust
      when: certificates.changed
```
(Seems to be an old play of mine. I wonder why I had no handler?)
RH docs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-shared-system-certificates_securing-networks
While Firefox might have CAs of its own, it does use the shared system certs too.
If you want certs only for FF, then I can’t help.
You can do this via Firefox Policies - see:
https://mozilla.github.io/policy-templates/
more specifically for CA certs:
https://mozilla.github.io/policy-templates/#certificates--install
i.e. it involves creating a policies.json file in the required location
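As an added example (not code from the thread or from the Mozilla policy templates), here is a small POSIX shell helper that writes such a policies.json with a "Certificates" / "Install" entry and checks the result before it is pushed to the client PCs. It assumes the CA file is the certificat.der from the question and that /etc/firefox/policies/policies.json is the system-wide policy location for the distribution's Firefox build; both are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread. Assumptions: the CA file is the
# certificat.der from the question and the system-wide Firefox policy file on
# Linux lives at /etc/firefox/policies/policies.json.

# write_firefox_ca_policy POLICY_DIR CERT_PATH
# Writes POLICY_DIR/policies.json with a "Certificates" -> "Install" entry that
# names CERT_PATH. An absolute path is required so Firefox does not have to
# search its default certificate directories. (Paths containing '"' or '\'
# are not escaped here.)
write_firefox_ca_policy() {
    policy_dir=$1
    cert_path=$2
    case "$cert_path" in
        /*) ;;
        *) echo "cert path must be absolute: $cert_path" >&2; return 1 ;;
    esac
    mkdir -p "$policy_dir" || return 1
    cat > "$policy_dir/policies.json" <<EOF
{
  "policies": {
    "Certificates": {
      "Install": [
        "$cert_path"
      ]
    }
  }
}
EOF
    chmod 0644 "$policy_dir/policies.json"
}

# verify_firefox_ca_policy POLICY_DIR CERT_PATH
# Returns 0 when policies.json exists, references CERT_PATH, the certificate is
# readable by the invoking user (Firefox runs as the user, not as root, so an
# unreadable file silently fails to import), and, if openssl is installed,
# the file parses as a DER or PEM X.509 certificate.
verify_firefox_ca_policy() {
    policy_dir=$1
    cert_path=$2
    [ -f "$policy_dir/policies.json" ] || { echo "missing policies.json" >&2; return 1; }
    grep -q "\"$cert_path\"" "$policy_dir/policies.json" \
        || { echo "policy does not list $cert_path" >&2; return 1; }
    [ -r "$cert_path" ] || { echo "certificate not readable: $cert_path" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -inform DER -in "$cert_path" -noout 2>/dev/null \
            || openssl x509 -inform PEM -in "$cert_path" -noout 2>/dev/null \
            || { echo "not a DER or PEM certificate: $cert_path" >&2; return 1; }
    fi
    return 0
}

# Typical roll-out on a client (run as root), then confirm in about:policies:
#   write_firefox_ca_policy /etc/firefox/policies /etc/pki/ca-trust/source/anchors/certificat.der
#   verify_firefox_ca_policy /etc/firefox/policies /etc/pki/ca-trust/source/anchors/certificat.der
```

After deployment, about:policies in Firefox lists the active Certificates policy, and the CA appears under Settings, Privacy & Security, View Certificates, Authorities; that is the check worth scripting across the NFS-mounted accounts before relying on the SSL Bump filter.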
Thanks! That did the trick! Last time I tried something similar it didn’t work because (as I remember) Firefox and Thunderbird didn’t use the system-wide CAs. They had their internal set of CAs, and you had to add a local CA manually. I’m glad this has been resolved.
Cheers,
Niki