How to add a certificate to the default Firefox profile on RHEL 6?
I want to add a certificate to the CAs that Firefox trusts, before any user profile exists, on RHEL 6 (or CentOS, or Scientific Linux... would expect it to be the same).
I know how to add a certificate to an existing user profile. I don't need to do that at all. I want to do this during a kickstart (unattended, don't want to start X), so I can't really start up Firefox for the user, create a profile, and add it the normal way. I need the certificate to be there the first time a user on the system opens Firefox.
I know that there is no system store of CAs that Firefox reads in addition to the user profile (though it evidently has an internal store somewhere as it trusts way more than what's in the user profile). That's OK, I just want the user profile to be created with the certificate already added.
I have seen some indication that this is possible, or was possible. Eg https://support.mozilla.org/en-US/questions/967376 indicates where to put the cert8.db under Windows; https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/369858#369858 indicates that /etc/firefox-3.0/profile worked on Ubuntu (there is no such location under RHEL).
I can't determine where to do this under RHEL 6. I've tried adding a certificate database using certutil under the following directories, which were owned by the firefox RPM and seemed promising:
/usr/lib64/firefox/browser
/usr/lib64/firefox/browser/defaults
/usr/lib64/firefox/defaults
... but still, when a user profile is created, certutil indicates the same contents:
certutil -L -d .mozilla/firefox/*.default/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
VeriSign Class 3 Secure Server CA - G3 ,,
DigiCert High Assurance EV CA-1 ,,
Google Internet Authority G2 ,,
I can't even tell where those certificates are coming from; it might be helpful to do even that much.
I do not think that you can do what you are trying to do without altering a user's defaults. The reason why I say this is because of how Mozilla bundles their default set of Root CA's. see How Mozilla Products Respond to User Changes of Root Certificates
the Mozilla Foundation and its wholly-owned subsidiary the Mozilla Corporation include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs).
However with that said you could use Skeleton Files to define a set of defaults for all of your users, and follow the same process that Mozilla outlines, by simply providing your defaults as a thing each user already has when their profile is created.
链接地址: http://www.djcxy.com/p/59668.html上一篇: ptr在stl集合中安全使用?