Leverage Group Policy to manage certificates in user’s Firefox certificate store

This has been tested on XP and Windows 7, 32 and 64 bit clients.

I have not tested this with Thunderbird or SeaMonkey, but I suspect the procedure is much the same; you will likely need to edit the profile path in the BAT script.


Download the Mozilla certificate tools:
1) Build the NSS tools yourself or download prebuilt x86 binaries (the original post links to a third-party build). Treat whatever you download with care: certutil.exe will run in every targeted user's session on every targeted workstation, so verify it before you push it.

Push the files to target workstations:
1) Copy all of the DLLs and certutil.exe to a location that is readable by the user objects you will be targeting (like Authenticated Users) (for this example the path will be \\fileserver\scripts$\comp_resources\nss\). Keep that share read-only for those users: anyone who can write to it controls a binary that runs for every targeted user and the CA those users will trust.

2) The x86 NSS build depends on the Visual C++ 2010 runtime. If you would rather not install it on every client, ship the 32-bit runtime DLLs alongside certutil.exe; take them from c:\windows\system32\ on a 32-bit machine or from c:\windows\syswow64\ on a 64-bit machine that already has the runtime installed:

  • atl100.dll
  • mfc100.dll
  • mfcm100.dll
  • msvcp100.dll
  • msvcr100.dll
  • vcomp100.dll

3) Copy the CA certificate you wish to distribute into the same directory so that it is reachable as \\fileserver\scripts$\comp_resources\nss\publicca.cer

4) Open gpmc.msc and create and edit a GPO on the test OU you are targeting.

5) Navigate to User Configuration\Policies\Preferences\Windows Settings\Folders

6) right-click> New> Folder

7) Create entries for a folder c:\windows\system32\nss\ on Windows 32-bit systems:
On the General tab:

Action: Update
Path: c:\windows\system32\nss

On the Common tab:

Item-level targeting: checked
Click targeting
New Item> File Match
Match type: Folder exists
Path: %appdata%\mozilla\firefox\profiles
New Item> File Match
Match type: Folder exists
Path: C:\Windows\SysWOW64
Item Options: Is Not

8) Create entries for a folder c:\windows\syswow64\nss on Windows 64-bit systems:

Action: Update
Path: c:\windows\syswow64\nss

On the Common tab:

Item-level targeting: checked
Click targeting
New Item> File Match
Match type: Folder exists
Path: %appdata%\mozilla\firefox\profiles
New Item> File Match
Match type: Folder exists
Path: c:\windows\syswow64

9) OK your way back to the Group Policy Management Editor.

10) Navigate to User Configuration\Policies\Preferences\Windows Settings\Files

11) Create entries for all the files located in the directory \\fileserver\scripts$\comp_resources\nss\ in c:\windows\system32\nss\ on Windows 32-bit systems:
On the General tab:

Action: Update
Source file(s): \\fileserver\scripts$\comp_resources\nss\*
Destination folder: c:\windows\system32\nss

On the Common tab:

Item-level targeting: checked
Click targeting
New Item> File Match
Match type: Folder exists
Path: %appdata%\mozilla\firefox\profiles
New Item> File Match
Match type: Folder exists
Path: C:\Windows\SysWOW64
Item Options: Is Not

12) Create entries for all the files located in the directory \\fileserver\scripts$\comp_resources\nss\ in c:\windows\syswow64\nss\ on Windows 64-bit systems:
On the General tab:

Action: Update
Source file(s): \\fileserver\scripts$\comp_resources\nss\*
Destination folder: c:\windows\syswow64\nss

On the Common tab:

Item-level targeting: checked
Click targeting
New Item> File Match
Match type: Folder exists
Path: %appdata%\mozilla\firefox\profiles
New Item> File Match
Match type: Folder exists
Path: c:\windows\syswow64

Set a script to run on the target clients:
1) Navigate to User Configuration\Policies\Windows Settings\Scripts\

2) Double-click on Logon.

3) Click Show files.

4) Right-click in the Logon folder window, create a new text file, name it firefox_ca_add.bat and give it the following contents. The script targets the legacy cert8.db store; Firefox 58 and later keep certificates in cert9.db, and certutil must then be pointed at `sql:<profile dir>` instead of the bare directory.

rem Nothing to do for users who have never started Firefox
if not exist "%appdata%\mozilla\firefox\profiles" goto :eof
set "profiledir=%appdata%\mozilla\firefox\profiles"
rem The GPP items put the NSS files under syswow64\nss on 64-bit hosts and system32\nss on 32-bit hosts
set "nssdir=c:\windows\syswow64\nss"
if not exist "%nssdir%\certutil.exe" set "nssdir=c:\windows\system32\nss"
if not exist "%nssdir%\certutil.exe" goto :eof
rem Trust flags: T and C make it a trusted CA for client and server certs in each of the
rem SSL, e-mail and object-signing slots; u is the user-cert flag and is not needed for a CA
set "trust=TCu,TCu,TCu"
rem for /d walks the profile directories directly, so no temp file and no trouble with spaces in paths
for /d %%i in ("%profiledir%\*") do (
    if exist "%%i\cert8.db" copy /y "%%i\cert8.db" "%%i\cert8.db.orig" >nul
    "%nssdir%\certutil.exe" -A -n "Our Organization's Root CA" -i "%nssdir%\publicca.cer" -t "%trust%" -d "%%i"
)

5) Back in the Logon Properties window, click Add, then Browse to the firefox_ca_add.bat file, double-click.

6) Double-click on Logoff and do much the same, except that when browsing you navigate in the directory tree to the script you created within the ./Logon/ directory.

7) Run `gpupdate /force` on the test client, then log off and back on so the logon script actually runs (okay fine, you can also just run the BAT file by hand).

8) Open firefox and navigate to Tools> Options> Advanced> Encryption tab> Certificates pane> View Certificates button and scroll down until you find “Our Organization’s Root CA”

Removing an issued certificate:
It is the same loop with `-D` (delete) in place of `-A`. Do not wait for the user's next logon or logoff: a CA you need to pull should go immediately, so push the command with `wmic`, `psexec`, `winrm` or some other method. Note that those run it as SYSTEM or an administrative account, whose %appdata% is not the affected user's; in that case enumerate C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\* instead of %appdata%. (On 32-bit clients the path is c:\windows\system32\nss\certutil.exe.)

for /d %%i in ("%appdata%\mozilla\firefox\profiles\*") do (
    "c:\windows\syswow64\nss\certutil.exe" -D -n "Our Organization's Root CA" -d "%%i"
)
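The logon script and the removal loop are the same walk over profile directories with a different certutil verb. The PowerShell script below is an added example, not code from the original post, that generalizes that walk: it adds, verifies or removes the CA; keys the add on the certificate thumbprint so re-running it at every logon is harmless; handles both the cert8.db store and the cert9.db (sql:) store of Firefox 58 and later; detects a Base-64 .cer; and with -AllUsers walks every profile on the machine, which is what a psexec or winrm run as SYSTEM needs since %APPDATA% is not the user's there. Assumed and not from the page: the certutil.exe locations (where the GPP items above copy it), the Vista/7+ profile layout, PowerShell 2.0 or later, the nickname and .cer path as defaults, and the CT,C,C trust flags in place of the page's TCu,TCu,TCu.

```powershell
# Added example (not from the original post): one script that does what the
# logon script and the removal loop above do, across every Firefox profile,
# and checks the result by certificate thumbprint.
# Assumed, not stated on the page: certutil.exe sits where the GPP file items
# copy it, profiles use the Vista/7+ layout (XP keeps them under
# "Documents and Settings\<user>\Application Data"), and the nickname and
# .cer path default to the ones used in the batch script.
param(
    [ValidateSet('Add', 'Verify', 'Remove')] [string]$Action = 'Verify',
    [string]$Nickname = "Our Organization's Root CA",
    [string]$CertFile = 'C:\Windows\System32\nss\publicca.cer',
    [switch]$AllUsers    # walk C:\Users\* instead of %APPDATA% (for SYSTEM/remote runs)
)

function Get-CertUtil {
    # 64-bit hosts got the files under SysWOW64\nss, 32-bit hosts under System32\nss
    foreach ($p in @("$env:SystemRoot\SysWOW64\nss\certutil.exe",
                     "$env:SystemRoot\System32\nss\certutil.exe")) {
        if (Test-Path $p) { return $p }
    }
    throw 'NSS certutil.exe not found; did the GPP file items apply?'
}

function Get-FirefoxProfiles([bool]$Everyone) {
    $roots = if ($Everyone) {
        Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer } |
            ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles' }
    } else { @(Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') }
    $roots | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ | Where-Object { $_.PSIsContainer } }
}

function Get-DbSpec([string]$Dir) {
    # Firefox 58+ stores certs in cert9.db (SQLite) and needs the sql: prefix;
    # older profiles have cert8.db, which is what a bare directory means to certutil
    if (Test-Path (Join-Path $Dir 'cert9.db')) { "sql:$Dir" } else { $Dir }
}

function Get-StoredThumbprint([string]$CertUtil, [string]$Db, [string]$Nick) {
    # "-L -n <nick> -a" prints that one cert as PEM; a non-zero exit means it is absent
    $pem = & $CertUtil -L -n $Nick -d $Db -a 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $raw = [Convert]::FromBase64String((($pem | Where-Object { $_ -notmatch '^-----' }) -join ''))
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)).Thumbprint
}

$certutil = Get-CertUtil
$wanted = if (Test-Path $CertFile) {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).Thumbprint
}
if ($Action -eq 'Add' -and -not $wanted) { throw "CA file $CertFile not found" }
# certutil -A expects DER; a Base-64 (PEM) export needs -a, so detect it from the header line
$inputFmt = @()
if ($wanted -and (Get-Content $CertFile -TotalCount 1) -match 'BEGIN CERT') { $inputFmt = @('-a') }

if (-not $AllUsers -and (Get-Process firefox -ErrorAction SilentlyContinue)) {
    # cert8.db has no safe concurrent writer; only edit it while Firefox is closed
    Write-Warning 'Firefox is running; not touching its certificate database.'
    return
}

foreach ($prof in Get-FirefoxProfiles $AllUsers) {
    $db = Get-DbSpec $prof.FullName
    $have = Get-StoredThumbprint $certutil $db $Nickname
    if ($Action -eq 'Remove' -and $have) {
        & $certutil -D -n $Nickname -d $db | Out-Null
    }
    if ($Action -eq 'Add') {
        if ($have -and $have -ne $wanted) {
            # same nickname but a different cert: replace it rather than silently keep the old one
            & $certutil -D -n $Nickname -d $db | Out-Null
            $have = $null
        }
        if (-not $have) {
            # CT,C,C = trusted CA for server and client auth, e-mail and object signing
            & $certutil -A -n $Nickname -i $CertFile -t 'CT,C,C' -d $db @inputFmt | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -A failed for $($prof.FullName)" }
        }
    }
    $now = Get-StoredThumbprint $certutil $db $Nickname
    New-Object PSObject -Property @{
        Profile  = $prof.FullName
        Database = $db
        Present  = [bool]$now
        Matches  = ($now -ne $null -and $now -eq $wanted)
    }
}
```

Run it as the user with `-Action Add` to do what the logon script does, or remotely as SYSTEM with `-Action Remove -AllUsers` to pull the CA from every profile on the box. Each profile yields one object; its Matches field is the check that step 8 above does by hand in the Firefox certificate manager, and a Present-but-not-Matches row tells you a different certificate has been sitting under the same nickname.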

  1. Kerry-Ann
    April 15, 2015 at 2:58 pm

    Thank you! Thank you thank you! Your instructions were amazing and helpful! I completed this with 100% success!

  2. Andre Ferreira
    October 14, 2015 at 12:40 am

    thanks man… you saved my job!!! :-)
    100% helpful… you are the best…

  3. Alexandra
    November 9, 2015 at 11:35 am

    Very helpful, but I have a problem...
    It won't copy the NSS files to the syswow64/nss directory and I always get the message "error 0x80070005 Access denied" in the event log.
    Do you have any idea why?

    • November 9, 2015 at 12:40 pm

      The user/object performing the copies to that directory needs to have write access to that directory. Do they?

      Here’s an additional question:
      is your policy User or Computer? If user, operations run as %logondomain%\%logonuser%. If Computer, I believe it’s running as NT AUTHORITY\SYSTEM. My advice is to apply it within the Computer policy, not the user policy.

      Note that in the last link the person describes to grant access using the “Authenticated Users” object. The reason for this is because when NT AUTHORITY\SYSTEM operates on the network (to access a share for instance), it ends up using the computer object, noted as %logondomain%\%computername% (in AD for instance)… and you know the deal, %logondomain%\%computername% (and any other computer object that’s part of a domain) has been authenticated to the domain, and is part of the dynamic group called Authenticated Users. For the love of god, try to avoid giving Authenticated Users any rights to anything critical for this reason.

  4. golfhack2013
    January 6, 2017 at 4:44 pm

    It wasn’t copying the files for me either until I checked the “Run in logged-on user’s security context(user policy option)” on the Common Tab.
