Mozilla X.509 certificates from the command line

Problem: You administer office PCs and have to deploy your organization’s new CA certificate. Since you know your users, telling them individually to download and install it is not an option. You need an automatic solution for unattended installation.

Solution: Fortunately Mozilla has its Network Security Services (NSS), which are available as prebuild binaries and include the Certificate Database Tool certutil. Using certutil one can change Mozilla’s certificate database from the command line and from scripts.

The only remaining issue is that these databases are not associated with machines but with user profiles and one has to find these profiles first. Given enough time one could parse the ~/.thunderbird/profiles.ini to find all profiles, but for me catching the standard paths is sufficient. (I dare to say everyone who is able to change the path to their Mozilla profile should be experienced enough to know what certificates mean and install them on their own.)

So to get to the point: I set this up on a local domain controller for Windows PCs. The following batch script, which gets called from netlogonstart.bat, installs a new cert into every user’s Firefox and Thunderbird profiles:

rem @echo off
rem this expects NSS certutil, its required libraries and %CACERT%
rem to be in directory %SOFTWARE%nssutils
set SOFTWARE=\fileserversoftware
set CACERT=myca.crt

rem test if cert already installed (and copied into appdir)
if exist "%APPDATA%%CACERT%" goto end

rem copy nsstools with cert to the PC, install for ff and tb
xcopy /S/C/I/Q/Y "%SOFTWARE%nsstools" "%TEMP%nsstools"

if not exist "%APPDATA%MozillaFirefoxProfiles" ( echo no Firefox profile found
) else (
for /D %%X in ("%APPDATA%MozillaFirefoxProfiles*") do "%TEMP%nsstoolscertutil" -A -n "%CACERTNAME%" -t "TC,TC,TC" -i "%TEMP%nsstools%CACERT%" -d "%%~fX"

if not exist "%APPDATA%ThunderbirdProfiles" ( echo no Thunderbird profile found
) else (
for /D %%X in ("%APPDATA%ThunderbirdProfiles*") do "%TEMP%nsstoolscertutil" -A -n "%CACERTNAME%" -t "TC,TC,TC" -i "%TEMP%nsstools%CACERT%" -d "%%~fX"

rem copy cert into users appdir to show we're done and delete nsstools
copy /Y "%SOFTWARE%nsstools%CACERT%" "%APPDATA%%CACERT%"
if exist "%TEMP%nsstools" del /S/Q "%TEMP%nsstools"


If you want to copy it then you should take a look at the certutil documentation, at least at the -t option for setting trust attributes. Also beware of line breaks — I found the Windows FOR command quite picky about its syntax.

2 Responses to “Mozilla X.509 certificates from the command line”

  1. rob says:

    This worked perfectly. Thank you so much for the guidance.

  2. sebas says:

    thanks dude! very clever.

    Under Debian/Linux you can do the same. The certutil is in the package libnss3-tools. There is the command that I used.
    # certutil -A -n test -t “TC,TC,TC” -i root.crt -d /profiledir