Distributing an internal CA - interim solution

acarr
Posts:6
Joined:Fri Jun 19, 2009 4:55 am
Distributing an internal CA - interim solution

Post by acarr » Fri Jun 19, 2009 5:22 am

Hi,

I thought I'd let all know about how I have implemented an interim solution to the problem described here (http://forums.frontmotion.com/viewtopic.php?f=10&t=600) in regards to distributing an internal CA for use with Firefox (automated via Active Directory Group Policy for Internet Explorer, and this brings Firefox into line with that somewhat).

My solution has been to build an internal webpage to replace the "You've been updated to the latest version of Firefox" page with instructions and a link on how to re-import our internal CA certificate.

I do this by using the FrontMotion Firefox CE and putting an entry into my Mozilla.adm policy for startup.homepage_override_url to point to this new site.
You can verify this is distributed by checking in about:config, and it should be there.

Firefox reads this entry and instead points my users at our internal page on each update rather than directly to the Mozilla "Firefox Updated" page that was the default setting before.

I hope this helps someone else. :)

golderm
Posts:19
Joined:Wed Jul 30, 2008 10:33 am

Re: Distributing an internal CA - interim solution

Post by golderm » Tue Jun 23, 2009 11:05 am

You trust your users following (let alone reading in the first place) instructions? Boy I wish I worked there :)

vtnightmare
Posts:18
Joined:Mon Jul 14, 2008 12:52 pm

Re: Distributing an internal CA - interim solution

Post by vtnightmare » Thu Jul 02, 2009 2:28 pm

Yeah really... I second golderm's comment!

DraconPern, buddy :) Any word on how soon you could implement such a feature? I'd be willing to even co-sign on a home-loan for ya if you can implement that :p

--VTK

jrklein
Posts:1
Joined:Thu Oct 15, 2009 2:41 pm

Re: Distributing an internal CA

Post by jrklein » Thu Oct 15, 2009 3:22 pm

Thanks to the FrontMotion person/people for their work on the Firefox .MSI files and the GPO ADM templates! We are able to distribute Firefox via Active Directory MSI file and configure basic settings via Active Directory GPO with ease.

Like the other people in this thread, I have a need to distribute an internal SSL certificate to end user Firefox profiles, though I can't expect many hundreds of students and teachers to follow directions as per the interim solution from @acarr. I'll pitch a "me too" since I would also really appreciate being able to distribute self-signed SSL or private CA certificates via Active Directory to FrontMotion Firefox Community Edition (FFfirefoxCE).

I've been investigating how to do this manually. It seems I need to install the latest version of Firefox on a machine, create a new Firefox profile (firefox.exe -Profilemanager), import the SSL certificate(s) into this Firefox profile (Options, Advanced, Encryption, View Certificates, Import), confirm the imported certificate is working, then distribute 3 files (cert8.db, key3.db, secmod.db) from my clean Firefox profile to the users. I assume these files include SSL certificates for trusted certificate authorities (CA) too. If this is the case, I'll need to be sure to follow these steps to update the 3 files each time I upgrade to a new version of Firefox, otherwise the 3 files (cert8.db, key3.db, secmod.db) I push to end user profiles will not contain any CAs that might have been added to the latest version of Firefox?

I've also considered using FirefoxADM to distribute settings via Active Directory GPO.

FirefoxADM on Sourceforge - http://sourceforge.net/projects/firefoxadm/
FirefoxADM Blog - http://ick2.wordpress.com/

The "firefoxadm" project lists an "Ability to replace certificates for all user profiles" in "firefoxadm" v0.5.9.3, though I can't tell if it is possible to use "firefoxadm" with the FrontMotion FireFox CE that I've distributed to end users. If it is, this could be an okay temporary solution until FM can distribute self-signed SSL certificates and private CA certificates to Firefox on end user computers.

If I don't receive feedback, I'll give this a try and report back. Heck, I'll probably even try this today if I have time.

-jrk
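
The file-copy step described in the post above, as an added example that is not part of the original thread and not FrontMotion or FirefoxADM code. The function names, the `nss-backup` folder and the return strings are hypothetical; it assumes Firefox is closed while the files are replaced and that `profiles_root` is a user's `Mozilla\Firefox\Profiles` directory.

```python
import hashlib
import shutil
from pathlib import Path

# The three NSS files named in the post; always handled as one set.
NSS_FILES = ("cert8.db", "key3.db", "secmod.db")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_nss_files(reference: Path, profile: Path) -> str:
    """Copy the NSS set from the clean `reference` profile into `profile`.

    Returns "missing-reference", "up-to-date" or "updated" (hypothetical labels).
    """
    sources = [reference / name for name in NSS_FILES]
    if not all(src.is_file() for src in sources):
        return "missing-reference"  # never push a partial set
    wanted = {src.name: sha256(src) for src in sources}
    current = {n: sha256(profile / n) for n in NSS_FILES if (profile / n).is_file()}
    if current == wanted:
        return "up-to-date"  # nothing to do, safe to run at every logon
    # Overwriting key3.db discards the user's own keys (client certificates,
    # the key protecting saved passwords), so keep the first originals.
    backup = profile / "nss-backup"
    if not backup.exists():
        backup.mkdir()
        for name in current:
            shutil.copy2(profile / name, backup / name)
    for src in sources:
        shutil.copy2(src, profile / src.name)
    # Confirm every file landed intact before reporting success.
    if any(sha256(profile / n) != wanted[n] for n in NSS_FILES):
        raise OSError(f"copy verification failed for {profile}")
    return "updated"


def deploy_to_all(reference: Path, profiles_root: Path) -> dict:
    """Apply deploy_nss_files to every profile directory under profiles_root."""
    return {p.name: deploy_nss_files(reference, p)
            for p in sorted(profiles_root.iterdir()) if p.is_dir()}
```

Because the comparison is by hash, rebuilding the reference profile after a Firefox upgrade is enough to make the next run report "updated" for every profile that still holds the old set.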

seraulu1
Posts:1
Joined:Wed Mar 24, 2010 7:33 am

Re: Distributing an internal CA - interim solution

Post by seraulu1 » Wed Mar 24, 2010 7:38 am

jrklein wrote:
FirefoxADM on Sourceforge - http://sourceforge.net/projects/firefoxadm/
FirefoxADM Blog - http://ick2.wordpress.com/

Thanks for the information, that's good and helpful!!!!!

rtaylor
Posts:1
Joined:Fri Aug 13, 2010 12:39 am

Re: Distributing an internal CA - interim solution

Post by rtaylor » Fri Aug 13, 2010 12:41 am

Thanks for the great support and informative for me....!!

Regards,

Ross Taylor