Great detailed explanation. I've even gone further; here's a doc and
screenshots of what I did based on your recommendations:
http://www-public.it-sudparis.eu/~procacci/wiki/bin/view/Documentations/MozillaCCK
and it works :-), at least on Windows. I need to test that on Linux and
to check that it can be done for all users by placing it in
FFHOME\extensions.

Anyway, thanks for the explanation, I hope my doc will help others. I'll
update it when I come to work on Linux too.

However, I must admit that it is not an easy way to distribute a CA, I
was expecting something simpler!? I'm also in doubt about the future of
CCK. It is an extremely valuable tool for enterprise deployment, as is
autoconfig:
http://developer.mozilla.org/en/docs/MCD,_Mission_Control_Desktop_AKA_AutoConfig
which I hope will be continued in future releases.

Thanks.

Tom Mount wrote:
> Jehan,
>
> I was able to get our certificate installed for all users by using
> Mozilla's Client Customization Kit (CCK -
> http://www.mozilla.org/projects/cck/firefox/). I installed an older
> version of Firefox - 2.0.0.14 I think - then installed the kit. I make
> a lot of customizations to the regular installer, and the CCK can do
> most of them, but the only thing I used it for was the root
> certificate (there's a page in the customization wizard for that). You
> don't need the actual certificate - what I did was install our
> rootcert.crt file in Firefox first by opening the file from a link and
> selecting all three check boxes. Then I had to export it from the
> certificate manager in Tools | Options so that it exported just the
> fingerprint. That's the file that the CCK needs. The extension will
> work in version 3 but you'll have to edit it first. Just change the
> maximum version of the install.rdf file (open the .xpi in 7-zip and
> edit the .rdf directly) to 3.* and you'll be fine. I've tested that
> extension in 3.0.0 and 3.0.1 on both PCs and Macs, and they work as
> advertised.
>
> Once the extension works to your liking, move the extension folder
> from your profile (C:\Docs and Settings\username\Application
> Data\Mozilla\Firefox\profiles\something\extensions\) to C:\Program
> Files\Mozilla Firefox\extensions so it'll be active for all users. If
> you want to have it there as part of the installation process you can
> put the entire extension folder in the nonlocalized\extensions folder
> of the install package.
>
> Let me know if you need any other help.
>
> On Fri, Jul 18, 2008 at 3:58 AM, jehan procaccia
> <[EMAIL PROTECTED]> wrote:
>
>> indeed, in the thread you mentioned below, "tmountjr" seems to
>> have the same needs as mine -> pushing a cert8.db containing our
>> own CA to users, but although he "succeeded", I'm sorry, but I
>> did not understand clearly how it could be done; tmountjr, further
>> details greatly appreciated ...
>>
>> However, I'm surprised there's no easy way to tell Firefox in a
>> preference (pref.js ?) to look for cert8.db in a common place for
>> everyone logging in to the station (these are shared stations for
>> hundreds of students). With the new security scheme of FF3, I
>> suppose most institutions, universities etc. need to push their own
>> CA in FF3; how did others do it?
>>
>> Thanks for further help.
>>
>> David Stutzman wrote:
>>
>>> You may find this recent thread informative:
>>> http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/5885eb5986864447
>>>
>>> Dave
>>>
>>> -----Original Message-----
>>> From: dev-tech-crypto-bounces+dstutzman=dsci.com@lists.mozilla.org
>>> [mailto:dev-tech-crypto-bounces+dstutzman=dsci.com@lists.mozilla.org]
>>> On Behalf Of jehan procaccia
>>> Sent: Wednesday, July 16, 2008 12:10 PM
>>> To: dev-tech-crypto@lists.mozilla.org
>>> Subject: distribute our CA to users
>>>
>>>> hello,
>>>>
>>>> I found from
>>>> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>>> how to import our CA (Internal PKI) in firefox3.
>>>> Now I want to distribute cert8.db and key3.db to all new
>>>> users and also to current users who already have a profile.
>>>> How can I do that?
>>>> When a user first starts firefox, a profile is created in
>>>> their ~/.mozilla/firefox/y9f0c08g.default, then
>>>> cert8.db, key3.db and secmod.db are pushed there, but
>>>> where is the source of these files so that I can modify
>>>> them before they are pushed? I did notice /etc/pki/nssdb
>>>> on Linux, but after I changed them, they were not
>>>> the ones pushed to a new user's Mozilla profile :-(
>>>> What can I do for current users who already have a profile?
>>>>
>>>> A better solution would be to set this with autoconfig
>>>> (http://developer.mozilla.org/en/docs/MCD,_Mission_Control_Desktop_AKA_AutoConfig)
>>>>
>>>> If there is a preference (pref.js) directive that sets the
>>>> path to cert8.db, I would point it to a central cert8.db
>>>> on the shared stations!
>>>> But from http://preferential.mozdev.org/preferences.html
>>>> I've only seen the preference
>>>> "security.default_personal_cert" and it doesn't seem to
>>>> be the correct one :-(.
>>>>
>>>> Any help will be greatly appreciated.
>>>> Thanks.
>>>>
>>>> PS: I will also have to do that on Windows ...
>>>> I wrote (in French) a doc on how I imported our CA into
>>>> cert8.db:
>>>> http://www-public.it-sudparis.eu/~procacci/wiki/bin/view/Documentations/MozillaCertutils
>>>>
>>>> _______________________________________________
>>>> dev-tech-crypto mailing list
>>>> dev-tech-crypto@lists.mozilla.org
>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
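
For the thread's open question about users who already have a profile, here is an added example that is not part of the original messages: a POSIX shell function that imports the CA into each existing profile with the certutil tool linked above. The home-directory layout, the nickname and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): import a site CA into every existing
# Firefox profile under a home-directory root with NSS certutil.
# Assumed layout: HOME_ROOT/<user>/.mozilla/firefox/<profile>/cert8.db

# "C,C,C" marks the certificate as a trusted CA for SSL, e-mail and object
# signing, the command-line counterpart of ticking all three check boxes.
TRUST="C,C,C"

# push_ca HOME_ROOT CA_FILE NICKNAME
# Prints "added", "present" or "failed" plus the profile path, one per line.
# Returns 0 only when no profile failed, 2 when CA_FILE is unreadable.
# Example call (placeholder values): push_ca /home ./rootcert.crt "Site CA"
push_ca() {
    home_root=$1 ca_file=$2 nick=$3 rc=0
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 2; }
    for db in "$home_root"/*/.mozilla/firefox/*/cert8.db; do
        [ -f "$db" ] || continue      # the glob matched nothing
        profile=$(dirname "$db")
        # -L -n exits non-zero when the nickname is absent, so running the
        # script again does not import the CA a second time.
        if certutil -L -d "$profile" -n "$nick" >/dev/null 2>&1; then
            echo "present $profile"
        # CA_FILE is read as DER here; add -a to certutil for PEM input.
        elif certutil -A -d "$profile" -n "$nick" -t "$TRUST" -i "$ca_file"; then
            echo "added $profile"
        else
            echo "failed $profile"
            rc=1
        fi
    done
    return $rc
}
```

Run it with an account that can write to each profile directory, and confirm the CA file's fingerprint out of band before importing it, since every profile it touches will trust that certificate.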