How to install one certificate automatically into the Firefox store? - firefox

I have an app (.NET) that automatically adds a certificate to the Windows root store via:
X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
Internet Explorer then knows this certificate. But Firefox doesn't, as it has its own certificate store.
Is there any way to accomplish this without overriding the current Firefox certificates (I read somewhere to copy cert8.db, but that's not possible due to multiple customers)?
I simply want to automatically "add" one certificate to the Firefox store.
Thank you in advance.

You can use NSS to manage certificates on the local install. Not sure how well it plays with .NET (if at all), but if the environment is predictable you could probably resort to running an executable.

First try, which already works nearly as I want:
The documentation is here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
I downloaded the binaries from:
https://www.felixrr.pro/wp-content/uploads/2012/06/nss-3.13.5-nspr-4.9.1-compiled-x86.zip
Then I ran the following commands from within the extracted zip directory (otherwise CMD would use the Windows certutil), which worked:
// Add certificate to cert8.db (the DB will be reloaded on the next FF start)
certutil.exe -A -n "SomeName" -t "Cu,p,p" -i "C:\Test\cert.pem" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
// Show all certificates in cert8.db
certutil.exe -L -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
After restarting FF I could successfully navigate to my SSL page without a certificate error.
The only command that didn't work yet is the delete command, which returns the error 'certutil.exe: could not find certificate named "SomeName": security library: bad database.':
certutil.exe -D -n "SomeName" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"

Related

Unable to Fetch Keychain Certificate Information from Mac

I am facing a weird issue with a command line application created in Xcode. I am running a script to fetch the expiry date of one of the certificates available in Keychain Access on Mac using the command below:
security find-certificate -c "CertificateNameHere" -p | openssl x509 -text | grep "Not After"
When I run it locally through Xcode I am able to fetch the date. But when I run the app as a service from one of the Library folders, the expiry date is not fetched. Instead I am getting an error:
PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: TRUSTED CERTIFICATE
Though the certificate is trusted.
I tried a lot of solutions, like Trying to find a proper solution to get the expiry date of one of the certificates available in keychain, but with no luck. So I am posting it on Stack Overflow. I tried another solution, using the Mac Xcode Security framework to fetch the date with Swift, but the issue persists.
The probable reason for your trouble is access permissions.
When the script is run as a service, it runs as another user with a different (or no) environment context (like a crontab service).
You can fix this by providing the service with the proper login user, and initializing the service with a proper source command for the respective .profile or .bash_profile script.

No internet connection in Android after using Mitmproxy

I have configured the Android phone (Samsung Galaxy S8) to use the proxy. I can connect to mitm.it. I can also see some requests captured by Mitmproxy.
However, I get no internet connection when I try to search for anything on Google.
Any hints on what happened and how to fix it?
Android 7.1 and higher no longer allow the use of custom certificates manually added by the user, but if you have a phone with superuser access, you can make it work via ADB.
Android stores its system certificates in /system/etc/security/cacerts/. If you take a look at your device, you will see that the certificates have hashed names, e.g. "a1234b0d.0". To intercept app traffic, you need to find out the hash of your certificate:
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1
Then rename your certificate accordingly:
mv mitmproxy-ca-cert.pem <your_hash_value_in_here_without_carets>.0
And finally move it to where your device's system certificates are. For this, however, you need to remount the system directory first in order to get write access:
adb shell su -c "mount -o rw,remount,rw /system"
adb push your_certificate /sdcard/your_certificate
adb shell su -c "mv /sdcard/your_certificate /system/etc/security/cacerts/your_certificate"
adb shell su -c "chmod 644 /system/etc/security/cacerts/your_certificate"
adb reboot
If that doesn't work, I can remember reading (not the source, though) about Android Nougat also disregarding certificates that expire more than 2 years out. The certificates created by mitmproxy should be fine. Burp Suite or Fiddler ones did not work for me, though.
Google apps use certificate pinning, and so they can detect the "fake" http://mitm.it/cert/pem that you downloaded to your phone.
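The hashed filename the answer above relies on is derived from the certificate's subject, and the derivation is worth seeing once. The following is an added example, not code from the original posts, mitmproxy or Android: it re-implements OpenSSL's subject_hash_old (MD5 over the DER-encoded subject name, first four bytes read little-endian, printed as eight hex digits) in the standard library, builds the cacerts filename from it, and emits the adb steps from the answer parameterised on that name. The subject name below is constructed for illustration; for a real CA take the subject's DER bytes (including their string types) from the certificate itself, or simply run `openssl x509 -subject_hash_old -noout -in ca.pem` as the answer does.

```python
"""Derive the /system/etc/security/cacerts/<hash>.<n> name Android expects.

Added example; the subject below is constructed, not taken from a real CA.
"""
import hashlib
from typing import List, Tuple

OID_COMMON_NAME = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_ORGANIZATION = bytes.fromhex("55040a")  # 2.5.4.10 organizationName
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_name(rdns: List[Tuple[bytes, str]],
             string_tag: int = TAG_UTF8STRING) -> bytes:
    """Encode an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }.

    One attribute per RDN. The string tag matters: a CN stored as
    PrintableString hashes differently from the same CN as UTF8String,
    which is why the hash must come from the certificate's own encoding.
    """
    out = b""
    for oid, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, oid)
                      + der_tlv(string_tag, value.encode("utf-8")))
        out += der_tlv(0x31, atv)  # SET holding one AttributeTypeAndValue
    return der_tlv(0x30, out)


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old(): MD5, first 4 bytes little-endian, %08lx."""
    md = hashlib.md5(subject_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def cacerts_filename(subject_der: bytes, index: int = 0) -> str:
    """OpenSSL hash-directory convention: <hash>.<n>, n>0 only on collision."""
    return "%s.%d" % (subject_hash_old(subject_der), index)


def android_install_commands(local_pem: str,
                             subject_der: bytes) -> List[List[str]]:
    """The adb/su steps from the answer above, with the hashed target name."""
    name = cacerts_filename(subject_der)
    tmp = "/sdcard/" + name
    dest = "/system/etc/security/cacerts/" + name
    return [
        ["adb", "shell", "su", "-c", "mount -o rw,remount,rw /system"],
        ["adb", "push", local_pem, tmp],
        ["adb", "shell", "su", "-c", "mv %s %s" % (tmp, dest)],
        ["adb", "shell", "su", "-c", "chmod 644 %s" % dest],
        ["adb", "reboot"],
    ]


if __name__ == "__main__":
    # Constructed subject; a real mitmproxy CA may encode its name differently.
    subj = der_name([(OID_COMMON_NAME, "mitmproxy"),
                     (OID_ORGANIZATION, "mitmproxy")])
    print(cacerts_filename(subj))
    for argv in android_install_commands("mitmproxy-ca-cert.pem", subj):
        print(" ".join(argv))
```

Two caveats for practitioners: placing a CA in the system store is what makes apps targeting API 24+ trust it, since by default they ignore user-installed CAs; and if a file with the same hash already exists in cacerts, use the `.1` suffix rather than overwriting the system CA.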

Installing a cert with nss-certutil during our install "sort of" failing with Firefox 58

With the latest upgrade of Firefox (version 58), our product install has begun "failing" on Firefox. Basically, our installer code will query Firefox to see if our cert is already installed with nss-certutil -L -n name, and if it is not found we then install the cert with nss-certutil -A ....
This is a "root" cert that we have self-signed, and it is only used for communication with a local Node server. This has worked fine up until now (I can duplicate it in version 58, maybe 57 as well, going by some customer reports). The install script runs without error, but Firefox cannot connect using the secure connection to the Node server.
Looking at the list of installed certs from options/security/certificates, it's not there, but if I run nss-certutil -L -n name it is listed.
Evidently the profiles have changed in version 58, but I cannot find anything that would relate to this.
Another piece of info is I can manually import the cert, and that works, so the cert itself seems to be fine.
Puzzled and out of ideas. Any thoughts?
It looks like the latest FF uses an SQLite database for certificate trust, but nss-certutil by default uses the legacy format.
You need to specify an explicit 'sql:' prefix before the FF profile path. Example:
-A -n "Test CA" -i "C:\test\ca1.cer" -t "CT,," -d sql:"C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\mgr140m4.default"
Please refer to
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil and the -d option description.
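Both the first question (adding one CA to an unknown customer's Firefox from an installer) and this one (certutil writing to a database Firefox no longer reads) come down to the same two steps: find every profile directory from profiles.ini, then run certutil against the database format that profile actually has. The following is an added example, not code from any of the posts above or from Mozilla. It assumes the NSS certutil (not the Windows certutil.exe of the same name) is reachable as CERTUTIL, that Firefox is closed while its databases are modified, and that profiles.ini has the layout Firefox writes; the nickname, trust flags and sample profiles.ini are constructed for illustration.

```python
"""Add one CA certificate to every Firefox profile with the NSS certutil.

Added example. Assumptions: NSS certutil on PATH as CERTUTIL, Firefox not
running, profiles.ini with [ProfileN] sections carrying Path/IsRelative.
"""
import configparser
import os
import subprocess
import sys
from typing import List, Optional

CERTUTIL = "certutil"  # assumption: the NSS tool, not %SystemRoot%\system32\certutil.exe

# Constructed profiles.ini in the layout Firefox writes (not from a real machine).
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/5drs48sb.default
Default=1

[Profile1]
Name=shared
IsRelative=0
Path=/srv/firefox/shared
"""


def firefox_profile_dirs(profiles_ini_text: str, ini_dir: str) -> List[str]:
    """Profile directories named in profiles.ini, made absolute."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profiles_ini_text)
    dirs = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue  # [General], [Install...] carry no Path
        path = cp[section].get("Path")
        if not path:
            continue
        if cp[section].get("IsRelative", "1") == "1":
            path = os.path.join(ini_dir, path)
        dirs.append(os.path.normpath(path))
    return dirs


def nss_db_prefix(profile_dir: str) -> str:
    """Choose the -d prefix matching the database that is really there.

    Firefox 58+ keeps trust in cert9.db (SQLite, 'sql:'); older profiles use
    cert8.db ('dbm:'). Writing with the wrong prefix creates a second, empty
    database beside the real one: certutil -L then lists the cert while
    Firefox never sees it, which is the symptom in the question above.
    """
    if os.path.exists(os.path.join(profile_dir, "cert9.db")):
        return "sql:"
    if os.path.exists(os.path.join(profile_dir, "cert8.db")):
        return "dbm:"
    return "sql:"  # no database yet: let certutil create the modern one


def certutil_add(profile_dir: str, nickname: str, pem_path: str,
                 trust: str = "C,,", prefix: Optional[str] = None) -> List[str]:
    """argv for certutil -A; 'C,,' = trusted CA for TLS server certs only."""
    prefix = nss_db_prefix(profile_dir) if prefix is None else prefix
    return [CERTUTIL, "-A", "-n", nickname, "-t", trust,
            "-i", pem_path, "-d", prefix + profile_dir]


def certutil_delete(profile_dir: str, nickname: str,
                    prefix: Optional[str] = None) -> List[str]:
    """argv for certutil -D; must target the same database the -A wrote."""
    prefix = nss_db_prefix(profile_dir) if prefix is None else prefix
    return [CERTUTIL, "-D", "-n", nickname, "-d", prefix + profile_dir]


def certutil_has(profile_dir: str, nickname: str) -> bool:
    """True if `certutil -L -n <nickname>` exits 0 for this profile."""
    argv = [CERTUTIL, "-L", "-n", nickname,
            "-d", nss_db_prefix(profile_dir) + profile_dir]
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def install_everywhere(ini_path: str, nickname: str,
                       pem_path: str) -> List[List[str]]:
    """Add the CA to each profile lacking it; return the argv lists executed."""
    with open(ini_path, encoding="utf-8") as fh:
        text = fh.read()
    ran = []
    for profile_dir in firefox_profile_dirs(text, os.path.dirname(ini_path)):
        if certutil_has(profile_dir, nickname):
            continue
        argv = certutil_add(profile_dir, nickname, pem_path)
        subprocess.run(argv, check=True)
        ran.append(argv)
    return ran


if __name__ == "__main__":
    # usage: python fx_add_ca.py <profiles.ini> <nickname> <ca.pem>
    for argv in install_everywhere(sys.argv[1], sys.argv[2], sys.argv[3]):
        print(" ".join(argv))
```

The `-d` argument is deliberately built from the prefix plus the directory as one string (`sql:C:\...\Profiles\xxx.default`), because certutil parses the prefix out of that single token; quoting only the path part, as in the answer above, works the same way on the command line.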

Windows, cURL 60 unable to get local issuer certificate

I have already tried a lot of the options available for this problem on Stack Overflow; unfortunately nothing is working for me so far.
It started with composer installation. My env details are listed below:
OS: Windows 7
PHP V 7.1.10, XAMPP version
I am running MINGW64 (which was installed with Git v2.1.5).
curl --version
curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0
Release-Date: 2017-10-23
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink
Now, here it seems cURL with OpenSSL is installed correctly.
When I was doing composer require or install, it reported an error as follows:
I searched and figured out that it's the local certificate problem, so I downloaded the certificate bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini:
curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt"
openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"
This never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt and changed the ini, and still it didn't work.
Then I downloaded cacert.pem from
https://gist.github.com/VersatilityWerks/5719158/download
and repeated steps to make it work with pem file.
However, I am afraid there is still no success here.
Can anyone help me with what's going wrong here? Any help in this direction is much appreciated.
This is for Windows users, using curl-7.57.0-win64-mingw or a similar version.
I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So I am sharing the step-by-step process.
This error basically means curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. it's a local IIS certificate, and you trust it for your development purposes).
For that, browse the URI (e.g. on Chrome) and follow these steps:
Right click on the HTTPS secure padlock 🔒 icon on address bar
Click on certificate, it'll open a window with the certificate details
Go to 'Certification Path' tab
Click the ROOT certificate
Click View Certificate, it'll open another certificate window
Go to Details tab
Click Copy to File... button, it'll open the export wizard
Click Next
Select 'Base-64 encoded X.509 (.CER)'
Click Next
Give a friendly name that you can remember, e.g. 'MyDomainX.cer' (browse to the desired directory), and save
Click Next
Click Finish, it'll save the certificate file
So what did we do?
We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?
Add that certificate to the list of trusted certificates
Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
Append the copied certificate text to the end of the file. Save.
What did we do now?
We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.
Now your command should execute fine on curl.
Just posting this here for posterity as I spent the last 2 hours on this.
NOTE: only tested on Windows.
Make sure you have the curl version with SSL included (the latest exe installer has it)
Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Move the renamed curl-ca-bundle.crt file to the curl.exe directory.
Fixed.
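Appending a certificate to curl-ca-bundle.crt by hand, as the first answer describes, is easy to get subtly wrong: a pasted block with a damaged base64 body, a leaf certificate where the root was intended, or the same root pasted twice on successive attempts. The following is an added example, not code from the answers above or from the curl project. It parses a bundle into its DER certificates, refuses input that is not exactly one well-formed CERTIFICATE block, and skips the append when that certificate is already present. The sample DER values are constructed stand-ins (valid DER SEQUENCEs, not real certificates) so the code runs offline; the bundle path and file names are assumptions.

```python
"""Safely append one CA certificate to a curl-style PEM bundle.

Added example; SAMPLE_* values are constructed stand-ins, not real certs.
"""
import base64
import re
from typing import List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed DER: SEQUENCE { INTEGER 1 } and SEQUENCE { INTEGER 2 }.
SAMPLE_ROOT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_OTHER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])


def to_pem(der: bytes) -> str:
    """PEM-armour DER bytes with the conventional 64-column body."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "\n-----END CERTIFICATE-----\n")


# A constructed one-certificate bundle built from the sample root above.
SAMPLE_BUNDLE = "## Constructed bundle\n\n" + to_pem(SAMPLE_ROOT_DER)


def parse_pem_bundle(text: str) -> List[bytes]:
    """DER bytes of every CERTIFICATE block; comments between blocks are ignored."""
    ders = []
    for match in PEM_BLOCK.finditer(text):
        b64 = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(b64, validate=True)  # reject damaged pastes
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def add_to_bundle(bundle_text: str, new_pem: str) -> Tuple[str, bool]:
    """Return (updated bundle, added?). Idempotent: re-adding changes nothing."""
    new_certs = parse_pem_bundle(new_pem)
    if len(new_certs) != 1:
        raise ValueError("expected exactly one certificate to append, got %d"
                         % len(new_certs))
    if new_certs[0] in parse_pem_bundle(bundle_text):
        return bundle_text, False
    sep = "" if bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + to_pem(new_certs[0]), True


def update_bundle_file(bundle_path: str, cer_path: str) -> bool:
    """Append the certificate in cer_path (Base-64 .cer) to the bundle on disk."""
    with open(bundle_path, encoding="ascii") as fh:
        bundle = fh.read()
    with open(cer_path, encoding="ascii") as fh:
        new_pem = fh.read()
    updated, added = add_to_bundle(bundle, new_pem)
    if added:
        with open(bundle_path, "w", encoding="ascii", newline="\n") as fh:
            fh.write(updated)
    return added


if __name__ == "__main__":
    # Assumed paths: the curl bundle next to curl.exe and an exported root.
    print(update_bundle_file(r"C:\curl\bin\curl-ca-bundle.crt",
                             r"C:\Users\me\MyDomainX.cer"))
```

A bundle edited next to curl.exe is overwritten the next time curl is upgraded; keeping the modified bundle elsewhere and pointing `curl --cacert <file>` or the `CURL_CA_BUNDLE` environment variable at it avoids silently losing the added root.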

How to make and deploy a self-signed ClickOnce manifest with Visual Studio 2012

Let's get this out of the way... I:
use Visual Studio 2012
develop VB.NET applications - mostly .NET framework 3.5, some 2.0.
use Windows 7 for development (users are also using Windows 7; there are a small number of internal users, fewer than 40).
I am also going to state that I am new at this and don't fully understand this process. I do understand the underlying concepts of encryption/hashing/keys etc., but I can't tell you why you might need a .cer file and not a .pfx file.
Now then...
We have an application that uses a certificate to sign its manifest that has worked for three (or so) years. We recently upgraded from Visual Studio 2008 to Visual Studio 2012, having basically skipped Visual Studio 2010. Somewhere in that process the certificate is now invalid or corrupted.
The proposed solution: Make a new one with makecert.exe "just like we did last time". No sense paying for a certificate when all we need it for is our own small set of users and the small convenience of not seeing that "do you trust this publisher?" message (I think?).
When trying to publish, the exact error is:
Cannot publish because a project failed to build.
An error occurred while signing: Failed to sign bin\Release\app.publish\setup.exe. SignTool Error: The signer's certificate is not valid for signing. SignTool Error: An error occurred while attempting to sign: bin\Release\app.publish\setup.exe
Now, the article Support Certificates In Your Applications With The .NET Framework 2.0 says:
for desktop applications, you typically install certificates in the user store.
So when I look at the user store (via MMC with certificate snap-in) I see:
Where the red line is, is the OLD/INVALID certificate. One other one is still unexpired, with my username on it (2013-06-20).
When I go to select from the store, I see this:
And in case you are curious, the other intuitive place to put one of these looks like this:
So how do I add another one where the old/bad one is?
Here is what I have tried:
Following these instructions, I executed:
makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
Now I have a .pvk file, and a .cer file. Then I followed the instructions in Pvk2Pfx (Windows Drivers) and ran
pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer -pfx TempCA.pfx
Now I have a .pfx file... (is this what I need?), but when trying to import to the certificate store using MMC, the password I used is supposedly wrong no matter what - even if I copy and paste it in. (It sounds like a bug in the import program... I can reproduce this.)
Trying another route, after importing the .cer file, it will not show up in the "select from store" window in Visual Studio, so that's useless.
I've spent a day on this and am ready to give up, but I can't. What do I need to do?
The article Using Makecert to Create Certificates for Development helped about 90% of the way...
The rest was understanding that I could do one of two things (both of these options require that the certificate be in a "trusted root" area like "Trusted Root Certification Authorities", or be signed by one that is there):
In Visual Studio, under the "signing" tab I could just use "Select from file" and use the .cer file.
If I just put my .cer file in the "personal" folder, it will appear as an option from the "select from store" button (I may need to restart the computer or Visual Studio).
The answer by Watki02 is quite helpful but is missing a few details. Also, key information in that blog post should be posted here. So...
Create your own root authority certificate:
CD \path\to\whereyouwant
makecert -n "CN=Make Up A Name" -a sha1 -r -sv MakeUpANameCertificateAuthority.pvk MakeUpANameCertificateAuthority.cer -ss MakeUpANameCertificateAuthority -sr localMachine
Password prompts
You will be prompted to create a password and then confirm the password. I used the same password for both prompts.
User certificate
makecert -pe -n "CN=Make Up A Name User" -ss MY -a sha1 -iv MakeUpANameCertificateAuthority.pvk -ic MakeUpANameCertificateAuthority.cer -sv MakeUpAName.pvk MakeUpAName.cer
Password prompts again
I used the same password as above again.
Make a portable file for exchange
pvk2pfx -pvk "MakeUpAName.pvk" -spc "MakeUpAName.cer" -pfx "MakeUpAName.pfx" -pi SamePasswordAgain
Send the file to your private clients
"MakeUpAName.pfx"
Install the certificate
c:> MMC.EXE
MENU FILE -> Add / Remove Snapin
Certificates -> Add -> Computer Account -> Finish -> OK
MENU Action->All Tasks->Import
Go through the wizard
Choose *.pfx format
Choose file
Continue with default options
