Installing Certificates Into Firefox

UPDATE: Due to various bugs around accessing the certDB too early, I've updated the code to update the certDB on a delay.

There are lots of organizations that use their own certificate authority to issue certificates for their internal servers. Unfortunately since Firefox does not use the Windows certificate store[1], these have to be manually added into Firefox. This post will cover how to get those CAs into Firefox.


The easiest way to get your CAs into Firefox is to use CCK2. CCK2 allows certificate authorities and server certificates to be installed into the browser. It supports PEM, DER and text. It also allows you to designate certificate overrides (sites where certificate errors are ignored). Just go to the certificate page and point to either a URL or a local file where the certificate is contained.

AutoConfig via JavaScript

If you're using AutoConfig without CCK2, you can still use the API that the CCK2 uses to install certificate authorities. Here's what it looks like to install the root certificate:

var observer = {
  observe: function observe(aSubject, aTopic, aData) {
    var certdb = Components.classes[";1"].getService(Components.interfaces.nsIX509CertDB);
    var certdb2 = certdb;
    try {
      certdb2 = Components.classes[";1"].getService(Components.interfaces.nsIX509CertDB2);
    } catch (e) {}
    cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
    certdb2.addCertFromBase64(cert, "C,C,C", "");
Services.obs.addObserver(observer, "profile-after-change", false);

The three Cs mean to trust the certficate for servers, email and objects. The third parameter is the name, but it is ignored. If you want to install binary certificates, things get more complicated. In that case, I'd definitely recommend the CCK2.


PolicyPak supports adding certificate authorites to Firefox via Group Policy.

Preload the certificate databases

Some people create a new profile in Firefox, install the certificates they need, and then distribute the various db files (cert8.db, key3.db and secmod.db) into new profiles using this method. I don't recommend this method (and it only works for new profiles).


If you're a real diehard, you can use certutil to update the Firefox certificate databases from the command line.

Hopefully one of these methods will work for you. Did I miss a method? Let me know in the comments.

[1] See: bug 432802 and bug 472113

What About Firefox Deployment?

You might have noticed that I spend most of my resources around configuring Firefox and not around deploying Firefox. There are a couple reasons for that:

  1. There really isn’t a "one size fits all" solution for Firefox deployment because there are so many products that can be used to deploy software within different organizations.
  2. Most discussions around deployment devolve into a "I wish Mozilla would do a Firefox MSI" discussion.

That being said, there are some things I can recommend around deploying Firefox on Windows.

If you want to modify the Firefox installer, I’ve done a few posts on this in the past:

If you need to integrate add-ons into that install, I've posted about that as well:

You could also consider asking on the Enterprise Working Group mailing list. There's probably someone that's already figured it out for your software deployment solution.

If you really need an MSI, check out FrontMotion. They've been doing MSI work for quite a while.

And if you really want Firefox to have an official MSI, consider working on bug 598647. That's where an MSI implementation got started but never finished.

I Used the CCK2 Wizard - What Now?

One of the most common questions I get asked is what to do with the result that the CCK2 Wizard produces. This post will address that question.

After you've completed your customizations using the CCK2 Wizard, you have two choices: create an extension or use AutoConfig.

Let's start with AutoConfig (which is what I recommend.) AutoConfig is the tried and true method of customizing Firefox that's been around forever. You can read an old post about it here. I'm also working on an AutoConfig eBook that I hope to have out soon.

With AutoConfig, things are quite simple (at least on Windows and Linux). The output of the CCK2 Wizard is a zip file that can be unzipped in the same directory where the Firefox executable is located. It puts all the necessary files in the right places and you can immediately start Firefox and see your customizations. Things are not so good on Mac starting with Firefox 34. AutoConfig is broke right now due to the new Apple signing requirements. We're investigating the best way to fix that.

Your other option with the CCK2 is to generate an extension. This produces an XPI file which can simply be installed in Firefox the same way any other extensions is installed - by dragging and dropping it onto the browser. If you want to deploy the extension you've created, I've documented a number of the different ways you can integrate an extension into Firefox. Each of these methods has positives and negatives - it's up to you to decide what to do for your situation.

Some people might wonder why I don't just have the CCK2 generate a new installer. In my experience, there are so many different ways that people deploy applications that it would not be worth it. In the past, I have documented how to bundle your changes with the Windows installer if you are so inclined.

Hopefully this gets most folks started with the CCK2. Please let me know if I've missed something.

Keyword Search for Christmas

I just wanted to say thanks to Mozilla for selecting Keyword Search as one of the best add-ons of 2014.

To celebrate, I've finally updated Keyword Search to work better with the search changes in Firefox 34. You can specify separate search engines for about:home and the new tab page and you get images that match the search you are using.

I also added a new feature for international users that allows to be used regardless of the country you are in. This became an issue recently when Google started forcing all searches to country searches even if you start them on

You can download the latest version here.

Happy holidays!

Managing Firefox with Group Policy and PolicyPak

A lot of people ask me how to manage Firefox using Windows Group Policy. To that end, I have been working with a company called PolicyPak to help enhance their product to have more of the features that people are asking for (not just controlling preferences.) It's taken about a year, but the results are available for download now.

You can now manage the following things (and more) using PolicyPak, Group Policy and Firefox:

  • Set and lock almost all preference settings (homepage, security, etc) plus most settings in about:config
  • Set site specific permissions for pop-ups, cookies, camera and microphone
  • Add or remove bookmarks on the toolbar or in the bookmarks folder
  • Blacklist or whitelist any type of add-on
  • Add or remove certificates
  • Disable private browsing
  • Turn off crash reporting
  • Prevent access to local files
  • Always clear saved passwords
  • Disable safe mode
  • Remove Firefox Sync
  • Remove various buttons from Options

If you want to see it in action, you can check out these videos.

And if you've never heard of PolicyPak, you might have heard of the guy who runs it - Jeremy Moskowitz. He's a Group Policy MVP and literally wrote the book on Group Policy.

On a final note, if you decide to purchase, please let them know you heard about it from me.

Sunsetting the Original CCK Wizard

In the next few weeks, I'll be sunsetting the original CCK Wizard and removing it from AMO. It really doesn't work well with current Firefox versions anyway, so I'm surprised it still has so many users.

If for some reason you're still using the old CCK Wizard, please let me know why so I can make sure what you need is integrated into the CCK2.

I'm also looking for ideas for new posts for my blog, so if there is some subject around deploying or customizing Firefox that you want to know more about, please let me know.

New Features in the CCK2

If you haven't checked out the CCK2 lately, you should.

One of the coolest features I've added recently is the ability to hide things on any arbitrary window that is opened by Firefox. For instance, if you want to hide the bottom box in the about dialog, you can add "#aboutDialog #bottomBox" to the hidden UI section. You can also use it to hide arbitrary content in about:addons. I've also done major work on the clipboard capabilities API, so it should be more robust. There have also been quite a few bug fixes. You can keep up on all the latest changes here.

Download the latest CCK2 by clicking here.

If you want to request a feature, you can do so on the CCK2 support site. Priority for any requests is given to paying customers.

And if the CCK2 saves you time and money, please consider getting a support contract. It ensures that I'll be able to keep working on the CCK2.

Disabling Buttons In Preferences

I get asked a lot how to disable certain buttons in preferences like Make Firefox the default browser or the various buttons in the Startup groupbox. Firefox does have a way to disable these buttons, but it's not very obvious. This post will attempt to remedy that.

These buttons are controlled through preferences that have the text "disable_button" in them. Just changing the preference to true isn't enough, though. The preference has to be locked, either via the CCK2 or AutoConfig. What follows is a mapping of all the preferences to their corresponding buttons.

Advanced->General->Make Firefox the default browser
General->Use Current Pages
General->Use Bookmark
General->Restore to Default
Advanced->Certificates->View Certificates
Advanced->Certificates->Security Devices
Advanced->Update->Show Update History
Privacy->History->Show Cookies
Security->Passwords->Saved Paswords

As a bonus, there's one more preference you can set and lock - pref.downloads.disable_button.edit_actions. It prevents the changing of any actions on the Applications page in preferences.

Firefox 24 ESR EOL

I just want to take a moment to remind everyone that the Firefox 24 ESR will be officially replaced by the Firefox 31 ESR this coming Tuesday, October 14, 2014. At that time, the Firefox 24 ESR will be unsupported. Firefox 24 ESR users will be automatically upgraded to the Firefox 31 ESR.

I would hope by now everyone has tested with the Firefox 31 ESR, but if you haven't, it might be time to start.

The CCK2 has been fully updated to work with Firefox 31 and beyond.

On another note, there are major packaging changes coming to Firefox on Mac due to changes to the way applications are signed. You can read more about it in this bug. This will primarily impact the locations of autoconfig files, preferences and the distribution directory. I'll try to find some time soon to document these changes.


One of the things that I get asked the most is how to prevent a user from accessing the local file system from within Firefox. This generally means preventing file:// URLs from working, as well as removing the most common methods of opening files from the Firefox UI (the open file button, menuitem and shortcut). Because I consider this outside of the scope of the CCK2, I wrote an extension to do this and gave it out to anyone that asked. Unfortunately over time it started to have a serious case of feature creep.

Going forward, I've decided to go back to basics and just produce a simple local file blocking extension. The only features that it supports are whitelisting by directory and whitelisting by file extension. I've made that available here. There is a README that gives full information on how to use it.

For the other functionality that used to be a part of FileBlock, I'm going to produce a specific extension for each feature. They will probably be AboutBlock (for blocking specific about pages), ChromeBlock (for preventing the loading of chrome files directly into the browser) and SiteBlock (for doing simple whitelisting).

Hopefully this should cover the most common cases. Let me know if you think there is a case I missed.