Install a PKCS#12 Certificate into Firefox from the command line

20
2014-04
  • Derek Ekins

    I am trying to use certutil to add a client certificate to the Firefox db. The purpose of this certificate is to authenticate with a server: the server asks for credentials, and this certificate contains the credentials.

    certutil -A -n "My Certificate" -d /myfirefoxprofile/ -t "CT,," -a -i /mycertificate.pfx 
    

    However this gives me the error:

    certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
    

    Am I doing something obviously wrong?

    This is on Ubuntu 10.10.

  • Answers
  • hbdgaf

    It looks like you need to convert PFX to PEM... Directions with openssl switches are here: http://support.citrix.com/article/CTX106028

    To be clear, as evidently I was somehow confusing:

    Convert from PFX to PEM, then rerun your import command with the new file (edit: and the modified options below). It looks to me like the Firefox cert import is choking on the PFX file type (edit: and the appropriate import options were not specified). The directions linked to are not for Firefox import, but for certificate conversion.

    Additional edit after question edit:

    The -t needs the u option to be used as a client certificate. The -u flag needs the C option... certutil flags are documented here: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

    You may also want to look here: http://www.phocean.net/2008/11/16/how-to-stop-firefox-from-prompting-for-the-client-certificate.html
    as the browser may prompt on using the certificate.

    certutil -A -n "My Certificate" -d /myfirefoxprofile/ -t "CTu,," -u "c" -a -i /mycertificate.pem

    should do it
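
A pre-flight check for the file-type mismatch discussed in this thread, added here as an example and not part of any post: it tells PEM, DER-encoded X.509 and PKCS#12 apart by their leading ASN.1 bytes before the file reaches an import tool. The function names `byte_at` and `cert_container_type` are hypothetical.

```shell
#!/bin/sh
# Added example: classify a certificate file before importing it into an NSS db.
# Function names are hypothetical; feed it constructed or real files.

# Print the Nth byte (1-based) of a file as two lowercase hex digits.
byte_at() {
    od -An -tx1 -j "$(( $2 - 1 ))" -N 1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print one of: pem, pkcs12, x509-der, unknown
cert_container_type() {
    f=$1
    # PEM is base64 text wrapped in "-----BEGIN ...-----" armor.
    if grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
        echo pem; return 0
    fi
    # Both binary forms start with an ASN.1 SEQUENCE tag (0x30).
    [ "$(byte_at "$f" 1)" = "30" ] || { echo unknown; return 0; }
    # Skip the length field: short form (<0x80) and indefinite (0x80) use
    # one byte; long form 0x81..0x84 is followed by 1..4 length bytes.
    len=$(byte_at "$f" 2)
    case $len in
        81) skip=2 ;; 82) skip=3 ;; 83) skip=4 ;; 84) skip=5 ;;
        "") echo unknown; return 0 ;;
        *)  skip=1 ;;
    esac
    first=$(( 2 + skip ))      # position of the first element in the SEQUENCE
    tag=$(byte_at "$f" "$first")
    if [ "$tag" = "30" ]; then
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        echo x509-der
    elif [ "$tag" = "02" ] \
         && [ "$(byte_at "$f" $(( first + 1 )))" = "01" ] \
         && [ "$(byte_at "$f" $(( first + 2 )))" = "03" ]; then
        # PFX ::= SEQUENCE { version INTEGER (3), ... }
        echo pkcs12
    else
        echo unknown
    fi
}
```

A `pkcs12` result means the file is a binary container that also holds the private key, which NSS imports with `pk12util -i FILE -d PROFILE_DIR`. `certutil -A` with `-a` expects PEM text containing a certificate only.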


  • Related Question

    Installing/deleting root certificate without CertMgr / CertUtil asking the end-user for confirmation
  • Jeroen Wiert Pluimers

    When you install or delete a root CA certificate using the command-line tools CertUtil.exe or CertMgr.exe, Windows asks the user for confirmation using a MessageBox (for certificates other than root CA ones, this question is not asked), even for the root CA certificate store for the current user.

    For unattended certificate updates, that is a hassle.

    I have seen this behaviour on Windows XP, Vista and 7 (I have not checked Windows Server 2003 and 2008 yet, but I assume they ask this question as well).

    I have two questions:

    1. Why is Windows asking that question, even when you install/delete it from a command-line tool?
    2. How can I suppress this (other than observing the dialog boxes coming up and sending Windows messages to press the "Yes" button)?

    The MessageBox confirmation dialogs look like this:

    [Root Certificate Store]
    Do you want to DELETE the following certificate from the Root Store?
    ...
    [&Yes]  [&No]
    

    and this:

    [Security Warning]
    You are about to install a certificate from a certification authority (CA) claiming to represent:
    ...
    [&Yes]  [&No]
    

    --jeroen


  • Related Answers
  • harrymc

    The easiest solution is to incorporate the answer in the script like this:

    echo Y | CertUtil.exe ....
    

    This method doesn't always work for all programs, so it still needs some testing on your side.

    For message-boxes, you can use nircmd with the dlg parameter.
    In a script, you may also use the built-in command timeout /t seconds to give the message box the specified number of seconds in which to appear.

    Here is an extract of the help file:

    nircmd.exe dlg [Process Name] [Window Title] [Action] [Parameters]

    Allows you to interact with standard dialog-boxes and message-boxes of Windows. When a dialog-box is opened, you can use this command to "click" the ok/cancel/yes/no buttons, or fill the text-boxes in the dialog-box.

    The following command will choose the 'Yes' answer for any question dialog-box of Explorer process:
    dlg "explorer.exe" "" click yes

    The following command will choose the 'Cancel' answer for any question dialog-box of any process:
    dlg "" "" click cancel

    Parameters description:

    [Process Name]: Specifies the process that created the desired window. You can specify only the process name or the full path of the process. If this parameter is an empty string (""), the command will be executed on any process.

    [Window Title]: Specifies the title of the window that you want to execute the action on. If this parameter is an empty string (""), the command will be executed on any window, regardless of the window title.

    [Action]: You can specify one of the following options:
    click: Click the specified button. You can specify one of the following predefined values (For standard Windows dialog-boxes only !): yes, no, ok, cancel, retry, ignore, close, help. You can also specify any control ID as numeric value.
    settext: Set the text of the specified control. The first parameter of this action specifies the ID of the control, and the second parameter specifies the text.