the batch file Doesn't add CA certificate to x64 bit Firefox(with cert9.db) 58.0.1

[erbayaskin]

Hello Christian,
It can work with 32 bit Firefox, but only 64 bit Firefox can't work succesfull. It can't add CA certificate to only 64 bit Firefox(doesn't have been setuping 32 bit firefox). Maybe certutil.exe adds CA cert to cert8.db, doesn't adds cert9.db. What can i do my CA certificate for to add 64 bit Firefox store. I am waiting your answers. Thanks.
Best regards.
Erbay Aşkın.

[oguilbaud]

Hi,
I search also one solution for this problem. I have tested of rebuild the last NSS certutil version but It's very complicate for me and not work.
If you have resolved this, can you contact me?
Best regards
Olivier

[erbayaskin]

Hi, I solved this problem. I want to learn where you will use this batch file. Best Regards Erbay 2018-03-27 21:23 GMT+03:00 oguilb <[email protected]>:

…

Hi, I search also one solution for this problem. I have tested of rebuild the last NSS certutil version but It's very complicate for me and not work. If you have resolved this, can you contact me? Best regards Olivier — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AiZ0tign8on816D0IB-vBaHvsEWyx6odks5tioOcgaJpZM4R3Wqo> .

[oguilbaud]

Hi !
I use this script to install my certificate used to connect an websocket.
Best regards
Olivier

[erbayaskin]

@echo off setlocal if not defined programfiles(x86) set programfiles(x86)=%programfiles% set dfltProfile=%programfiles(x86)%\Mozilla Firefox\browser\defaults\Profile if not exist "%programfiles(x86)%\Mozilla Firefox" set dfltProfile=%programfiles%\Mozilla Firefox\browser\defaults\Profile if not exist "%dfltProfile%" mkdir "%dfltProfile%" setlocal ENABLEDELAYEDEXPANSION set replacepath=%~dp0cacert\ FOR /R "%~dp0" %%C IN (cacert\*.crt) DO ( set certificatepath=%%C set cert=!certificatepath:%replacepath%=! set cert=!cert:.crt=! set cert=!cert:.cacert=! set cert=AddedByUser !cert! "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%dfltProfile%" "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%dfltProfile%" ) setlocal DISABLEDELAYEDEXPANSION setlocal ENABLEDELAYEDEXPANSION set replacepath=%~dp0cacert\ FOR /D %%U IN ("%systemdrive%\Users\*") DO ( FOR /R "%~dp0" %%C IN (cacert\*.crt) DO ( set certificatepath=%%C set cert=!certificatepath:%replacepath%=! set cert=!cert:.crt=! set cert=!cert:.cacert=! set cert=AddedByUser !cert! FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%%P" FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P" )) setlocal DISABLEDELAYEDEXPANSION setlocal ENABLEDELAYEDEXPANSION set replacepath=%~dp0cacert\ FOR /R "%~dp0" %%C IN (cacert\*.crt) DO ( set certificatepath=%%C set cert=!certificatepath:%replacepath%=! set cert=!cert:.crt=! set cert=!cert:.cacert=! set cert=AddedByUser !cert! FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO ( "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d sql:"%%P" ) FOR /D %%P IN ("%appdata%\Mozilla\Firefox\Profiles\*") DO ( "%~dp0bin\certutil.exe" -A -n "!cert!" -i "%%C" -t "cTC,cTC,cTC", -d "%%P" )) setlocal DISABLEDELAYEDEXPANSION setlocal ENABLEDELAYEDEXPANSION set replacepath=%~dp0cacert\ FOR /R "%~dp0" %%C IN (cacert\*.crt) DO ( set certificatepath=%%C set cert=!certificatepath:%replacepath%=! set cert=!cert:.crt=! set cert=!cert:.cacert=! set cert=AddedByUser !cert! "%~dp0bin\certutil.exe" -L -d sql:"%dfltProfile%" | findstr /i "!cert!" >NUL "%~dp0bin\certutil.exe" -L -d "%dfltProfile%" | findstr /i "!cert!" >NUL set myerrorlevel=%errorlevel% if /i "!myerrorlevel!" NEQ "0" echo [ERROR] post-check: no certificate in db "!dfltProfile!": !cert! if /i "!myerrorlevel!" NEQ "0" exit /B 2 ) setlocal DISABLEDELAYEDEXPANSION exit /B 0 2018-04-04 23:17 GMT+03:00 oguilb <[email protected]>:

…

Hi ! I use this script to install my certificate used to connect an websocket. Best regards Olivier — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AiZ0tvDkeoZyf0bPxkfdzwJ11HxTe2oNks5tlSpxgaJpZM4R3Wqo> .

[HalliHalloSchatz]

with cert9.db there must a sql: for the filestring: ... -d sql:FIREFOXPROFIL

[christian-korneck]

@HalliHalloSchatz thanks, can you send a merge request?

[stefan123t]

@christian-korneck as erbayaskin suggested and @alliHalloSchatz reminded us, there is only a sql: indicator missing between -d and the to open/edit a cert9.db via sqllite.

I think erbayaskin pasted his solution in this issue based on some older trunk.
Though it needs some polishing by adding/removing newlines.
He also changed some of the variables from firefoxdefaultprofile to dfltProfile, certfile to cert and certpath to certificatepath.
Besides that he switched from cacert*.pem to cacert*.crt.
And finally he dropped the copying of the empty cert.db8, key3.db and secmod.db as that may not make sense for x86_64 bit where one would need an empty cert.db9.

Though he did not change the path of the programfiles(x86) to 64bit, which you fixed in the current master branch.

I tried to redo the changes he did to your current trunk and have the file attached for x86_64 to be modified too.
Please double check and add to your repo as I am behind a firewall with no access to generate a pull request.

Kind regards,
Stefan

add-certs.txt

[christian-korneck]

thanks everyone and sorry for the late response, I didn't have attention on this repo for a while. I'll have a look at it soon. If anyone wants to send a PR I'd appreciate it. (If not, that's ok too, but might take me longer).

[stefan123t]

Hi Christian,
thanks for your quick response.
I have digged a bit deeper and it appears the following has changed from 2009 onwards according to the pk12util man page.
I.e. the files that ebayaskin removed from the script should also not be present in the current 32bit version.
Instead these are replaced by two sqllite databases and the pkcs11.txt file.
Kind regards,
Stefan

PK12UTIL(1) NSS Security Tools PK12UTIL(1)
https://www.linux.org/docs/man1/pk12util.html

_NSS DATABASE TYPES
NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy
databases are:
· cert8.db for certificates
· key3.db for keys
· secmod.db for PKCS #11 module information
BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple
applications simultaneously. NSS has some flexibility that allows applications to use their own, independent
database engine while keeping a shared database and working around the access issues. Still, NSS requires more
flexibility to provide a truly shared security database.

   In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB. These new
   databases provide more accessibility and performance:
   ·   cert9.db for certificates
   ·   key4.db for keys
   ·   pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the
       security databases directory

   Because the SQLite databases are designed to be shared, these are the shared database type. The shared
   This line can be set added to the ~/.bashrc file to make the change permanent.
   Most applications do not use the shared database by default, but they can be configured to use them. For
   example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS
   databases:
   ·   https://wiki.mozilla.org/NSS_Shared_DB_Howto
   For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
   ·   https://wiki.mozilla.org/NSS_Shared_DB_