On 2013-10-03 at 11:04 -0700, Zack Williams wrote:
> On Oct 3, 2013, at 10:01 AM, Matt Disney <mdis...@gmail.com> wrote:
> > Is anyone doing something you like for managing SSL CA certs (for example,
> > distributing your own internal CA cert) on a broad range of operating
> > systems and browsers in a work/enterprise environment?
> >
> > Windows+IE is easy enough through AD. It's all the other stuff I'm
> > wondering about (Mac, Linux, Firefox, Chrome, Safari, other?).
>
> For Mac, certificates are stored in the keychain. The `security` CLI tool can
> modify keychains. Example here:
>
> http://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificates-to-system-keychain/
>
> In practical use, I distribute certs with a script, with the cert(s) embedded
> in the script via heredoc so I only have a single file to manage.
Years ago, I wrote some instructions for Mozilla- and Chrome-based stuff, amongst others; the text is still up at <https://www.security.spodhuis.org/> (but should probably move to a sub-page and be updated).

While the Chrome enterprise controls let you set a lot of policy controls and master preferences, they don't let you set machine-wide trust stores, unfortunately. :( So if you're not using an OS where the certificate storage is integrated with OS facilities (such as on a Mac), then you're bitten by this:

https://code.google.com/p/chromium/issues/detail?id=209788

and the best advice I have to offer is to use the certutil manipulations I describe in my page above.

For _other_ settings in Chrome, the "Chrome for Business FAQ" might prove useful:

https://support.google.com/chrome/a/answer/188447?hl=en
http://www.chromium.org/administrators/policy-list-3

I have not checked recently to see which browsers, mail-clients, etc. have transitioned to the NSS Shared DB -- I'm not optimistic; for those that have, the ~/.pki/nssdb location will catch them all. But in practice, you're going to want to script up checking a few other locations too, with each browser profile (and handling multiple browser profiles). I don't know of a machine-wide cert db location for NSS; my vague recollection from when I looked is that the default certs get baked into the library.

Oh, this brings back memories of the pain of getting Thunderbird configured correctly, with its separate trust stores.

-Phil

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
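The two approaches in this thread (Zack's single file with the cert in a heredoc, Phil's certutil runs against ~/.pki/nssdb plus each Firefox/Thunderbird profile) fit naturally into one script. The one below is an added example written for this page, not code posted by either of them. It assumes Mozilla's `certutil` (nss-tools / libnss3-tools) or the macOS `security` tool is on PATH, that profiles live in the usual ~/.pki/nssdb, ~/.mozilla/firefox/* and ~/.thunderbird/* locations, that "Example Internal CA" is the nickname you want in the store, and the PEM body is a placeholder to be replaced with your own CA certificate.

```shell
#!/bin/sh
# Added example for this thread, not code posted by Zack or Phil: carry the
# internal CA in a heredoc (one file to manage) and push it into every NSS
# trust DB found under the user's home, plus the System keychain on a Mac.
# Assumptions: certutil or `security` on PATH, standard profile locations,
# "Example Internal CA" as the nickname, placeholder PEM below.

CA_NICKNAME="Example Internal CA"

# Write the embedded CA certificate to the file named by $1.
# PLACEHOLDER: replace the body with your real CA certificate in PEM form.
write_ca_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-REPLACE-WITH-YOUR-INTERNAL-CA-PEM
-----END CERTIFICATE-----
EOF
}

# Print every NSS certificate DB under home directory $1, one per line.
# ~/.pki/nssdb catches apps on the NSS Shared DB; the Firefox and Thunderbird
# profile dirs catch the ones that still keep their own store. cert9.db is the
# sqlite format (prefix sql:), cert8.db the legacy format (prefix dbm:).
find_nss_dbs() {
    home="$1"
    for dir in "$home/.pki/nssdb" "$home"/.mozilla/firefox/* "$home"/.thunderbird/*; do
        [ -d "$dir" ] || continue
        if [ -f "$dir/cert9.db" ]; then
            printf 'sql:%s\n' "$dir"
        elif [ -f "$dir/cert8.db" ]; then
            printf 'dbm:%s\n' "$dir"
        fi
    done
}

# Succeed if the nickname is already present in DB $1 (keeps the run idempotent).
nss_has_ca() {
    certutil -d "$1" -L -n "$CA_NICKNAME" >/dev/null 2>&1
}

# Add PEM file $2 to NSS DB $1 as a trusted CA for SSL, email and code signing.
nss_install_ca() {
    if nss_has_ca "$1"; then
        echo "already trusted in $1"
        return 0
    fi
    certutil -d "$1" -A -t "CT,C,C" -n "$CA_NICKNAME" -i "$2" && echo "installed in $1"
}

# macOS: add PEM file $1 to the System keychain as a trusted root.
mac_install_ca() {
    security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$1"
}

main() {
    pem=$(mktemp) || exit 1
    write_ca_pem "$pem"
    if [ "$(uname)" = "Darwin" ] && command -v security >/dev/null 2>&1; then
        mac_install_ca "$pem"
    fi
    if command -v certutil >/dev/null 2>&1; then
        find_nss_dbs "${HOME:?}" | while read -r db; do
            nss_install_ca "$db" "$pem"
        done
    else
        echo "certutil not found; NSS stores left untouched" >&2
    fi
    rm -f "$pem"
}

# Only touch trust stores when invoked as `sh install-ca.sh install`, so the
# functions can be sourced or tested on their own.
if [ "${1:-}" = "install" ]; then
    main
fi
```

Because NSS has no machine-wide DB location, the script works per user; to cover a whole machine, run it as root with HOME pointed at each directory under /home in turn. The nickname check before `certutil -A` is what makes it safe to rerun from configuration management on every pass.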