If you have deployed Firefox in your organization and use your local CA to sign SSL certificates for intranet site, you may find that you get an error from Firefox saying that the connection is untrusted. Internet Explorer has no trouble trusting the local CA because it trusts the local Windows certificate store. Firefox does not and instead uses it's own certificate store. These instructions will enable you to add your local certificate authority as a trusted CA in Firefox for Windows for all of the users in your domain. Firefox stores its trusted certificate information in a file called cert8.db located in each Firefox profile directory in the user folder on that computer. One approach would be to trust the CA on one machine and then copy the cert8.db file to all the computers on the domain. Unfortunately, this will also remove any other trusted certificates on the other computers. This method instead adds the local certificate authority to the list of trusted authorities for each user's cert8.db files. Step 1 - Download certutil for Firefox Certutil is part of the NSS Security Tools from Mozilla that will allow the new certificate to be imported into the cert8.db file. This is not the same certutil tool that is included with Windows. The source for the NSS Security Tools can be downloaded from Mozilla at the link given below and compiled by following the instructions in Step 6 below. I have also attached the certutil tool and dll files that were made by following those steps. The zip file is split to meet the size requirement for the Spiceworks Knowledge Base, and the second part is attached to Step 2. Copy certutil.exe and all of the .dll files to a network-accessible folder. FirefoxTools.zip Step 2 - Make sure Microsoft Visual C++ 2010 Runtime Libraries are installed on the client machines Microsoft Visual C++ 2010 runtime libraries are required on the client machines to run the certutil tool. If these are missing, the certutil tool may fail on the client machine. If you compiled the NSS Security Toools yourself, you need to install the same version on the client machines that you used to compile the tools. Only the x86 version of the tools is required. I prefer to use group policy to install the runtime libraries, but you can use any method that you prefer. Download the redistributable package from the link below. Extract the files from the package by running vcredist_x86.exe /x and choose a target directory for the extracted files. Create a policy to install the package from vc_red.msi that was just extracted. FirefoxTools.z01 Step 3 -Get the certificate from your local CA In a web browser, browse to the local certificate authority's Active Directory Certificate Services site (e.g. https://server.domain.local/certsrv). If you get the warning that the certificate is untrusted, add an exception for that certificate. Click "Download a CA certificate, certificate chain, or CRL". It doesn't matter if you choose DER or Base 64 encoding. Click "Download CA certificate" and save the .cer file in the same folder as the certutil files. Step 4 -Create a login script to import the CA certificate The next step is to create a script to import the CA certificate into the Firefox certificate store. A sample VBscript is attached. It only imports a single certificate, and it will need to be modified if you need to import certificates for more than one local certificate authority. The script includes a function to check the registry to determine if Firefox is installed, and only attempts the certificate import if it determines that Firefox is present. This script can be used as a user login script or set to run as a scheduled task. Edit the script to suit your environment: - Enter the correct network path to the folder containing certutil.exe and the CA certificate. - Enter the correct name for local certificate authority and the file name for the CA certificate that was saved in Step 2. - Enter the correct trust attributes for your environment. Refer to the link for Using the Certificate Database Tool for how to specify the trust attributes (search the page for "trustargs"). ImportCAtoFirefox.vbs Step 5 - Check that the script worked correctly Open Firefox and go to Options, Advanced, choose the Encryption Tab, and then click the button for View Certificates. Click the Authorities tab. Scroll down to find your local certificate authority. Select your local certificate authority and click Edit Trust... Verify that the correct trust settings have been applied, and modify the script if necessary. Step 6 -Compile the NSS tools (optional) Follow these directions to compile the latest version of the NSS tools yourself. These directions are from the 3rd post down in https://support.mozilla.org/en-US/questions/687296. 1. Download and install Visual Studio 2010 Express (link below) 2. Download and install Mozilla Build files to C:\mozilla-build (the default location) from the link below. 3. Download the NSS tools and the nspr libraries (I used NSS 3.13.6 & NSPR 4.9.2 ) from the link below. 4. Unzip NSS & NSPR using winzip, winrar or 7zip. This gzip file contains 1 tar file. Unzip this tar file to C:\Temp (you may need to create this folder). You will then end up with a folder path of in C:\Temp\nss-3.13.6\mozilla 5. Run C:\mozilla-build\start-msvc10.bat. You will get a prompt that looks like a dos command prompt but is in fact a cygwin (unix shell) with a prompt that says yourusername@yourcomputer'sname ~ Important note - unix & Linux commands & paths are case sensitive so if your folder name is c:\temp and you type c:\Temp the path won't be found. When typing paths just type the first couple of letters and press TAB key this will autocomplete the folder name, Type a / then the first couple of letters to the next folder and TAB etc etc 6. Type export OS_TARGET="WINNT" (this sets environment variables up - these are also case sensitive) 7. Type export BUILD_OPT="1" 8. Type export HOME="/c/Temp" 9. Type cd c: The ~ prompt will change to /c 10. Type cd Temp/nss-3.13.6/mozilla/security/nss The prompt will change to /c/Temp/nss-3.13.6/mozilla/security/nss 11. Type make nss_build_all This will start the compilation process. 12. The process takes 3-6 mins to complete depending on your pc. When the compilation has completed you'll receive a non-descript message "Leaving directory /c/Temp/nss-3.13.6/mozilla/security/nss/cmd". (there is no success message but you will receive error messages if it fails). Your files will be located in C:\Temp\nss-3.13.6\mozilla\dist\WINNT6.1_OPT.OBJ\bin 13. Copy all of the .dll files from C:\Temp\nss-3.13.6\mozilla\dist\WINNT6.1_OPT.OBJ\lib to C:\Temp\nss-3.13.6\mozilla\dist\WINNT6.1_OPT.OBJ\bin. Delete all of the .exe files in C:\Temp\nss-3.13.6\mozilla\dist\WINNT6.1_OPT.OBJ\bin except for certutil.exe. Copy the contents of C:\Temp\nss-3.13.6\mozilla\dist\WINNT6.1_OPT.OBJ\bin to a network-accessible folder. Conclusion After following these steps, Firefox will trust websites with certificates issued by the local certificate authority without requiring any user intervention. The attached script and certutil tool have been tested to work with Firefox 10.0.9 ESR and Firefox 16.0.1 on Windows XP SP3, Windows 7 SP1, Windows Server 2003 SP2, and Windows Server 2008R2.