Install certitifcates

[YanickNoblanc]

Hi all,

I cannot manage to get 'Install -> Certificates' to work properly.
I am working under Ubuntu 20.04, with Firefox 103.0

I am trying to install a PKCS12 certificate using /didtribution/policies.json with following lines

  "policies": {
    "Certificates": {
      "Install": ["/etc/firefox/mesta-client.p12"]
    },

Whatever I do, after starting Firefox, this certificate does not appear in Firefox certificates lists.
Note that in parallel, I have 'ManagedBookmarks' set in my policies.json : which are properly displayed in Firefox Bookmarks toolbar.
Also note that installing this same PKCS12 certificate by manualy going to Firefox settings works properly but only for current user.

Is the format of the certificate important (PKCS12,PEM,...) ?
Does anything need to be done with the certificate before adding it's path to policies.json file ?
Is this declaration with an absolute path valid, and are there any requirements on file access rights ?

Thanks for your help.

[mkaply]

Are there any errors in about:policies?

[YanickNoblanc]

Hi mkaply, thanks for the quick reaction.
Indeed there are errors

Errors
Policy Errors
Unable to add certificate - /etc/firefox/mesta-client.p12

[mkaply]

Can you go to the javsacript console and see if there is a more detailed error?

[YanickNoblanc]

Here is a copy of logs

Policies.jsm: Unable to add certificate - /etc/firefox/mesta-client.p12 
Exception { name: "NS_ERROR_ILLEGAL_VALUE", message: "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIX509CertDB.constructX509FromBase64]", result: 2147942487, filename: "resource:///modules/policies/Policies.jsm", lineNumber: 457, columnNumber: 0, data: null, stack: "onBeforeAddons/reader.onloadend@resource:///modules/policies/Policies.jsm:457:39\n", location: XPCWrappedNative_NoHelper }

[mkaply]

We can't really import PKCS12 bundles because they could involve UI.

You need to convert it to an X509 certificate.

[YanickNoblanc]

Thanks a lot.

I tried converting my key with following openssl command
openssl pkcs12 -in mesta-client.p12 -out mesta-client.crt -nodes

But when trying to manually import this file in Firefox certificates, I systematically get following error message

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

[mkaply]

From the developer:

"It looks like they're trying to import a client authentication certificate and associated private key, which that api can't do. In fact, as far as I know, there's no policy that can do that. They can either use something like p11-kit to provide the certificate and key or use NSS' certutil to directly add them to their profile's cert/key dbs"

[YanickNoblanc]

Thank you very much for your help mkaply. I decided to manage only Bookmarks via policies, and handle certificates another way : using pk12util to import, or fully copy a profile cert/key databases.