Why install a CA certificate in users' browsers?

Here are at least two reasons:

  • You want to access internal sites whose certificates are not publicly trusted.
    • The Certification Authority (CA) that signs these certificates is internal.
      • The certificates are not signed by a public CA, so public CAs cannot be used to verify them.
      • The certificate of your internal CA must be added "manually" to browsers.
  • A web proxy has been implemented:
    • The proxy filters URLs accessed on the internet by browsers. It intercepts communications to inspect their content. To do this, the proxy must impersonate remote sites using a Man-In-The-Middle (MITM) approach.
    • It generates certificates on the fly for each accessed site. These certificates are signed by the proxy's internal CA, so browsers can verify them only with the corresponding CA certificate.
    • It is worth noting that MITM is necessary for intercepting HTTPS sessions, particularly for full URL filtering (domain name + URI). For simple domain filtering, this is not required.

Tested on:

  • Ubuntu 24.04
  • Firefox

Installation for a standard user

The easiest way is to:

  1. Import the CA certificate into the user's browser using the graphical interface.
  2. Copy the file containing the CA certificate database to other users' profiles via the command line.

Importing the CA certificate into the browser:

  1. Go to Settings > Privacy & Security.
  2. In the Certificates section, click View Certificates.
  3. In the Certificate Manager window, go to the Authorities tab and click Import.
  4. Select the CA certificate (e.g., in .crt format).
  5. In the Downloading Certificate window, check Trust this CA to identify websites.
  6. The CA certificate should appear in the list.

Installing the certificate for other users:

  • For the target user (e.g., jdoe), navigate to the following directory and back up the original cert9.db file. Root privileges are needed to work in another user's home directory:
      cd /home/jdoe/snap/firefox/common/.mozilla/firefox/<random>.default
      mv cert9.db cert9.db.BAK
  • Copy the cert9.db file from the main user (e.g., jsmith) to the target user's directory and set the ownership. The copy replaces the target user's whole certificate database, so any certificates that user had imported remain only in cert9.db.BAK:
      cp /home/jsmith/snap/firefox/common/.mozilla/firefox/<random>.default/cert9.db \
         /home/jdoe/snap/firefox/common/.mozilla/firefox/<random>.default/
      chown jdoe:jdoe cert9.db
  • In the target user's browser, the certificate should now appear in the CA list.
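
A scripted form of the copy steps above, added here as an example and not part of the original page. It goes beyond the single-profile case: it handles every *.default* profile under the target home and never overwrites an existing cert9.db.BAK. The function name install_cert_db and its arguments are hypothetical; it assumes the snap profile layout shown above, root privileges, and (as a precaution) that Firefox is closed for the target user.

```shell
#!/bin/sh
# Added example (not from the original page): scripted cert9.db copy.
# Assumption: snap profile layout as on the page; names below are hypothetical.

PROFILE_SUBDIR="snap/firefox/common/.mozilla/firefox"

# install_cert_db SRC_DB TARGET_HOME
# Copies SRC_DB over cert9.db in every *.default* profile under TARGET_HOME.
# Prints the number of profiles updated; returns non-zero if none were found.
install_cert_db() {
    src_db=$1
    target_home=$2
    updated=0

    [ -f "$src_db" ] || { echo "source database not found: $src_db" >&2; return 2; }

    for profile in "$target_home/$PROFILE_SUBDIR"/*.default*; do
        [ -d "$profile" ] || continue      # unmatched glob or stray file
        dst="$profile/cert9.db"

        # Keep the first backup only: a second run must not replace the
        # user's original database with an already-copied one.
        if [ -f "$dst" ] && [ ! -e "$dst.BAK" ]; then
            mv "$dst" "$dst.BAK" || return 1
        fi

        cp "$src_db" "$dst" || return 1
        # Give the copy the same owner as the profile directory and keep it
        # readable by that user only.
        chown "$(stat -c '%u:%g' "$profile")" "$dst" || return 1
        chmod 600 "$dst" || return 1

        # Confirm the copy is byte-identical to the source.
        cmp -s "$src_db" "$dst" || return 1
        updated=$((updated + 1))
    done

    echo "$updated"
    [ "$updated" -gt 0 ]
}
```

Called as install_cert_db /home/jsmith/snap/firefox/common/.mozilla/firefox/<random>.default/cert9.db /home/jdoe, with <random> replaced by the source profile's actual directory name.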