Home / ubuntu / Questions / 448586
In Process
Kian
Asked: 2014-04-17 05:58:33 +0800 CST

Deleted CA Certificates in Firefox

  • 772

I was very silly and deleted all my default CA certificates in Firefox. (I'm using Ubuntu). How do I get them all back?

firefox

2 Answers

  1. You can create a new a new temporary profile and then copy the cert8.db file from the new profile.

    To create a new profile you may need to start firefox with:

    firefox -ProfileManager

    and then click "Create profile". Then start firefox once with the new profile to have it create the profile's files.

    After that exit firefox and then copy ~/.mozilla/firefox/[new profile directory]/cert8.db to ~/.mozilla/firefox/[old profile directory]/cert8.db. The profile directories' names end with the name of the profile, so that's how you can know which is the new one and which is the old one.

    Finally switch to your old profile (you may need to start with the -ProfileManager option again) and you should have the default CA configuration.

    • 2

  2. I had a similar problem, so I made a script to recreate the certificates only with pages I like, or dislike, but have to use, as say google:

    address=www.google.com
firefox $(openssl s_client -showcerts -connect $address:443 </dev/null 2>/dev/null|openssl x509 -in - -text |grep ".crt" | sed -e 's/.*URI:\(.*\)\n*/\1/')

    or

    address=www.google.com
firefox $(openssl s_client -connect $address:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -in - -text | grep ".crt" | sed -e 's/.*URI:\(.*\)\n*/\1/')

    and reload original page.

    Or in a more elaborate bash script:

    #!/bin/bash
if [ -n "$1" ]; then
  address=$1
else
  address=$(whiptail --inputbox "Enter a URL of the page with an unknown issuer (without https://):" 8 78  --title "Add a new certificate into Firefox" 3>&1 1>&2 2>&3) 
fi
crt=$(openssl s_client -showcerts -connect $address:443 </dev/null 2>/dev/null|openssl x509 -in - -text |grep ".crt" | sed -e 's/.*URI:\(.*\)\n*/\1/')
echo "Attempt 1: $crt"
if [ -z "$crt"  ];then 
crt=$(openssl s_client -connect $address:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -in - -text | grep ".crt" | sed -e 's/.*URI:\(.*\)\n*/\1/')
echo "Attempt 2 (from crl): $crt"
fi
if [ -n "$crt" ];then 
    firefox $crt
    exit
else
    echo No success in finding of crt file.
fi

    The main task is to extract from URL (say https://www.google.com) so called "Authority Information Access" where there is exact URL of crt file, which can be imported into Firefox. This is the easiest way which I have found.

    The GUI way how to do the same:

    • firefox/preferences/privacy&security/ViewCertificates/CertificatesManager/Servers/addExeption
    • Write the URL into the location: https://www.google.com
    • Then click: GetCertificate
    • Button: View/Details/AuthorityInformationAccess/
    • There are the URL of certificate in the Field value:
    • CA Issuers: URI: http://pki.goog/gsr2/GTSGIAG3.crt
    • OCSP: URI: http://ocsp.pki.goog/GTSGIAG3
    • Copy the address crt file: http://pki.goog/gsr2/GTSGIAG3.crt
    • and open it in firefox window
    • reload original URL I do not why, but sometimes firefox imports a crt file and sometimes it just downloads. So I have to import it via this GUI method.

    Well, the script is faster, but 8 hours of my life, so I hope it will simplify your life... :-)

    • 1