Support Forum

Deploy certificate for all users of Firefox using Microsoft's Group Policy

Hi, I'm a network admin for a school (~900 computers and ~1600 users) and need to deploy a certificate so that any user on any computer trusts it.

We are mostly WinXPSP3 and have IE8 and FF3.6 as part of our image. We installed a new web filter/proxy that is able to filter HTTPS (most can't), which means all HTTPS traffic now goes to this server, which then makes the request to the Internet, i.e. the user's computer never connects directly to the web server. Without anything being done the user is presented with the usual Firefox warning saying the website, e.g. Internet banking, isn't trusted and asks if the user wants to continue. This is because they are connecting to the proxy, not the web server. To get around this the user must trust the certificate from the proxy. The user never sees the certificate from the web server but the proxy will check the web server's certificate to ensure it is valid.

Using Group Policy we have deployed this trusted certificate to all computers and this allows IE, Safari, Opera and Chrome to work as they use the certificates with IE. But Firefox works completely differently and has its own certificate database in %userprofile%\Application Data\Mozilla\Firefox\Profile\xxxxx.default\cert8.db.

We could create a base cert8.db file and copy it to the user's folder but there are 2 problems with this - 1) the xxxxx.default folder is not always the same and 2) it would overwrite the user's existing file which would erase any certificates they'd installed.

We could create a new SOE image with the certificate installed but that would mean rebuilding ~900 computers and is therefore not a valid option.

We need to find a way to deploy this certificate to all computers which would allow any user to be able to trust it. How can this be accomplished?

Additional System Details

Installed Plug-ins

  • LogMeIn, Inc. Remote Access Components
  • Winamp Application Detector
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • 12.0.1.647
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealJukebox Netscape Plugin
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 10.3 r181
  • iTunes Detector Plug-in
  • DivX Web Player version 2.1.1.94
  • DivX VOD Helper Plug-in
  • GEPlugin
  • Next Generation Java Plug-in 1.6.0_25 for Mozilla browsers
  • 4.0.60531.0
  • Office Live Update v1.3
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • RealPlayer(tm) HTML5VideoShim Plug-In
  • RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In
  • Google Update
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.0
  • Npdsplay dll
  • DRM Store Netscape Plugin
  • DRM Netscape Network Object

Application

  • User Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

emiranda 0 solutions 1 answers

Helpful Reply

I have the same problem too. I need to deploy a certificate for 2,000 computers using Firefox and I hope I do not have to do them manually. Please need help.

stokes81 0 solutions 2 answers

The link below provides a batch file and a VB script for automating the FF certificate install process which should not overwrite the existing file and should take into account the profile names. Let us know if you have good success with it!

http://www.appdeploy.com/messageboards/tm.asp?m=52532

Thanks!

stokes81 0 solutions 2 answers

How are you handling Safari on Macs, can you do a GPO to a Mac?

Also, what about BYOD initiatives with guest users bringing in iOS, Android, etc devices?

cor-el
  • Top 10 Contributor
  • Moderator
17670 solutions 159841 answers
See https://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
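
An added example, not part of any post in this thread and not the script from the link above: one way to use NSS `certutil` to add the proxy's CA certificate to every existing Firefox profile on a machine without replacing `cert8.db`. The tool location, certificate path, nickname and users root are assumptions (placeholders) to adjust for the site.

```powershell
# Added example. All parameter defaults below are assumed placeholders.
param(
    # NSS certutil from Mozilla, NOT the Windows built-in certutil.exe
    [string]$CertUtil  = 'C:\Tools\nss\certutil.exe',
    [string]$CaCert    = '\\fileserver\deploy\proxy-ca.crt',
    [string]$Nickname  = 'School Web Filter CA',
    [string]$UsersRoot = 'C:\Documents and Settings'   # Windows XP profile root
)

function Get-FirefoxProfileDirs {
    param([string]$Root)
    # Profile folders have a random prefix (xxxxx.default), so enumerate
    # them under each user's Firefox "Profiles" folder instead of guessing.
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $profiles = Join-Path $_.FullName 'Application Data\Mozilla\Firefox\Profiles'
        if (Test-Path $profiles) {
            Get-ChildItem -Path $profiles | Where-Object {
                # Only touch folders that already hold a certificate database
                $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName 'cert8.db'))
            } | ForEach-Object { $_.FullName }
        }
    }
}

foreach ($dir in Get-FirefoxProfileDirs -Root $UsersRoot) {
    # -L -n exits non-zero when no certificate with this nickname exists,
    # which makes the script safe to run repeatedly.
    & $CertUtil -L -d $dir -n $Nickname 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "already present: $dir"
        continue
    }

    # -A adds to the existing database, so certificates the user installed
    # are kept. Trust 'C,,' marks the CA as trusted for SSL server
    # certificates only, not for e-mail or code signing.
    & $CertUtil -A -n $Nickname -t 'C,,' -i $CaCert -d $dir
    if ($LASTEXITCODE -eq 0) {
        Write-Output "added: $dir"
    } else {
        Write-Warning "certutil failed (exit $LASTEXITCODE): $dir"
    }
}
```

Profiles created after the script runs are not covered, so it needs to run again for new users, for example from a logon script deployed through Group Policy.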