- Проблемы доверия сертификатам безопасности в браузере Firefox
- Метод 1
- Метод 2
- MterSch’s Blog
- QlikView, tech, and other stuff
- Certificate import in Firefox on Android
- Share this:
- Like this:
- 4 thoughts on “ Certificate import in Firefox on Android ”
- Firefox android install certificate
- Search Support
- CA certificate won’t install
- Chosen solution
- Manual certificate installation on devices with Android 11
- CA/AddRootToFirefox
- Contents
- Installing Certificates Into Firefox
- Import via Policy
- Built-in Windows and MacOS Support
- Windows Enterprise Support
- MacOS Enterprise Support
- Linux
- Preload the Certificate Databases
- Certutil
- Credits
Проблемы доверия сертификатам безопасности в браузере Firefox
Чтобы AdGuard мог успешно фильтровать HTTPS-трафик в Firefox, браузер должен доверять сертификату AdGuard. Этого можно добиться по-разному в зависимости от версии Firefox.
Метод 1
Пока что этот метод работает только в Firefox Nightly версии 90.0a1. Как только бета- и обычная сборка Firefox достигнут версии 90, данный метод будет также применим к ним.
Чтобы Firefox Nightly доверял сертификату AdGuard, выполните следующие шаги:
- Запустите браузер.
- Перейдите в Настройки > О Firefox Nightly.
- Несколько раз быстро нажмите на логотип Firefox Nightly в верху экрана.
- Перейдите в раздел Настройки > Secret Settings.
- Включите настройку Use third party CA certificates.
Метод 2
Этот метод будет работать только на устройствах с рут-доступом!
При использовании платформы Windows, владельцам Samsung может понадобиться установка данной утилиты.
В том случае, если вы получили системное уведомление permission denied, вам необходимо сначала перенести указанные файлы в свободную от разрешений директорию. А уже после перенести их в нужную папку в браузере Firefox.
Полная команда будет иметь примерное такой вид:
- adb shell su
- cp -R data/data/org.mozilla.firefox/files/mozilla/xxxxxxx.default/cert9.db sdcard/Download
- cp -R data/data/org.mozilla.firefox/files/mozilla/xxxxxxx.default/key4.db sdcard/Download
- cp -R sdcard/Download/cert9.db data/data/org.mozilla.
/files/mozilla/yyyyyy.default - cp -R sdcard/Download/key4.db data/data/org.mozilla.
/files/mozilla/yyyyyy.default
Если adb shell su не срабатывает, изначально следует попробовать применить adb shell , а уже после su .
Источник
MterSch’s Blog
QlikView, tech, and other stuff
Certificate import in Firefox on Android
I run my own private SSL infrastructure (root CA, intermediate CAs and server/client certificates). This requires installing the CA certificates on computers and mobile devices I use, including various Android devices.
For applications which use the default Android certificate store, this is the familiar ‘Settings’ -> ‘Security’ -> ‘Install from device memory/SD card’ dance (see for instance this link). However, my favorite browser is Firefox, and that has its own certificate store… According to this article it’s just a matter of putting it on a webserver, and opening the URL in Android. Too bad this didn’t work for me… right away.
The secret to this turns out to be setting the MIME type returned by the webserver to application/x-x509-ca-cert (for certificate authorities) or application/x-x509-user-cert (for client certificates). To do this, check out your webserver manual (e.g. the mod_mime manual page for Apache). Alternative if you have Python installed, you could use the following script as a mini-webserver to serve .crt files with the correct MIME type:
import SimpleHTTPServer
import SocketServer
PORT = 8000
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
Handler.extensions_map = <'.crt': 'application/x-x509-ca-cert', '.txt': 'text/plain'>
httpd = SocketServer.TCPServer((«», PORT), Handler)
print «serving at port», PORT
httpd.serve_forever()
Share this:
Like this:
4 thoughts on “ Certificate import in Firefox on Android ”
Thanks, I would never have worked this out myself.
NodeJS also works well for this purpose, e.g. https://pastebin.com/Dcu4eApW
or just browse to file:///sdcard and click the certificate file
I couldn’t get this to work (at least not in an emulator with 4.4 (KitKat) and Firefox 58.0.2). No message whatsoever, and when trying to access a site with a certificate signed by this CA certificate I still get the SEC_ERROR_UNKNOWN_ISSUER.
Источник
Firefox android install certificate
Search Support
Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.
Learn More
CA certificate won’t install
- 2 replies
- 1 has this problem
- 940 views
- Last reply by patrickdbridge1
Hi, I’m trying to install a certificate to use adguard with Firefox for Android (a .crt file) , but it will not work. It always says that it failed to install. Attached is a screenshot of what happens when I try to use adguard with Firefox for Android.
Adguard has 2 workarounds for this. However, one involves about:config, which the new Firefox for Android does not have, and the other workaround requires ADB. See link below:
Chosen solution
I was able to solve it by downloading version 68.11 from apkmirror, installing the certificate normally and then updating to the current version via the Play store
Источник
Manual certificate installation on devices with Android 11
To be able to filter HTTPS traffic (which is extremely important as most ads use HTTPS), AdGuard needs to install a certificate into your device’s user storage. On older versions of Android OS this was done automatically during the onboarding process or later via AdGuard settings, and it only required a couple of taps. Unfortunately, on Android 11 automatic certificate installation is no longer available. Now a manual installation is required.
To manually install AdGuard certificate:
1) Go to the app’s main screen and tap on HTTPS filtering (it will be highlighted in red if AdGuard certificate is not installed yet)
2) Enable the switch at the top
3) A new screen will appear, tap twice on the Next button and then on Save it now when prompted to download an AdGuard certificate
4) After the certificate is downloaded, you will see a new screen. Tap on the Open security settings button there
5) This will bring up system settings. Scroll down to Advanced, open it and then tap on Encryption & credentials
6) Tap on Install certificate and then on CA certificate
7) A warning message will appear. Read through it and tap Install anyway to proceed
8) Select the recently downloaded AdGuard certificate. A CA certificate installed toast message should show up
9) The AdGuard certificate is successfully installed and HTTPS filtering is working now!
If you update from Android 10 to Android 11, there’s a chance that already installed certificate will still be accepted. Otherwise, the HTTPS filtering string on the main screen will be red and you’ll need to go through the same process of reinstalling a certificate manually.
Источник
CA/AddRootToFirefox
Contents
Installing Certificates Into Firefox
There are lots of organizations that use their own private certificate authorities (CAs) to issue certificates for their internal servers. Browsers that attempt to validate certificates issued by a private CA certificate will display errors unless they are configured to recognize these certificates. Since Firefox does not use the operating system’s certificate store by default, these CA certificates must be added in to Firefox using one of the following methods.
Import via Policy
As of Firefox 64, an enterprise policy can be used to add CA certificates to Firefox. This is now the method recommended for organizations to install private trust anchors.
The ImportEnterpriseRoots key will cause Firefox to trust root certificates that are in the system certificate store as long as the key is set to “true”. We recommend this option to add trust for a private PKI to Firefox. It is equivalent to setting the «security.enterprise_roots.enabled» preference as described in the next section.
The Install key by default will search for certificates in the locations listed below. Starting in Firefox 65, you can specify a fully qualified path (see cert3.der and cert4.pem in this example). If Firefox does not find something at your fully qualified path, it will search the default directories.
Certificates can be located in the following locations:
- Windows
- %USERPROFILE%\AppData\Local\Mozilla\Certificates
- %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
- MacOS
- /Library/Application Support/Mozilla/Certificates
/Library/Application Support/Mozilla/Certificates
- /Library/Application Support/Mozilla/Certificates
- Linux
- /usr/lib/mozilla/certificates
- /usr/lib64/mozilla/certificates
Built-in Windows and MacOS Support
Windows and MacOS enterprise root support can be enabled by setting the «security.enterprise_roots.enabled» preference to true in about:config.
Windows Enterprise Support
As of version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator. To do so, set the preference «security.enterprise_roots.enabled» to true. In this mode, Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE) for CAs that are trusted to issue certificates for TLS web server authentication. Any such CAs will be imported and trusted by Firefox, although note that they may not appear in the Firefox’s certificate manager. It is expected that administration of these CAs (e.g. trust configuration) will occur via built-in Windows tools or other 3rd party utilities. Note also that for such configuration changes to take effect in Firefox either the preference will have to be toggled off and on again or Firefox will have to be restarted. As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
Note: As of this writing, this setting only imports certificates from the Windows Trusted Root Certification Authorities store, not corresponding Intermediate Certification Authorities store. See bug 1473573. If you are experiencing “unknown issuer” errors even after enabling this feature, try configuring your TLS server to include the necessary intermediate certificates in the TLS handshake.
MacOS Enterprise Support
As of Firefox 63, this feature also works for MacOS by importing roots found in the MacOS system keychain.
Linux
On Linux, certificates can be programmatically imported by using p11-kit-trust.so from p11-kit (add the module using the “Security Devices” manager in Preferences or using the modutil utility).
Preload the Certificate Databases
Some people create a new profile in Firefox, manually install the certificates they need, and then distribute the various db files (cert9.db, key4.db and secmod.db) into new profiles using this method. This is not the recommended approach, and this method only works for new profiles.
Certutil
If you’re a real diehard, you can use certutil to update the Firefox certificate databases from the command line.
Credits
The original content of this wiki page was copied (with permission) from Mike Kaply’s Blog.
Источник
