The Firefox certificates are stored in the user profile in the cert8.db database.

[Addendum: The latest versions of Firefox allow the use of system certificates (managed by Gpo for instance) by setting the “Security.Enterprise_roots.Enabled” to True ]

The file is copied to the user profile only at first launch of Firefox.
You can import certificates into the file then deploy it as default for new users by putting it in the folder core\browser\defaults\profile of the installation

For more customization details, see this post: Customize Firefox ESR 31

What happens then when you want to add a new certificate to the user db ?
You could add the certificate to the cert8.db and redeploy it, but this would overwrite potential changes made by the user
The other way to proceed is to use Mozilla’s Certutil tool to add the certificate.
BTW, Do not try to use the default Certutil that comes with windows, this won’t work.

First step, download the tool(s) needed by certutil

Download NSS 3.11 for windows

Download Nspr 4.6 for windows

Note that those are not the latest versions of the binaries, as the download folders for later versions do not contain windows binaries,
You could try to “build” a later version of the tool, but this is not the purpose of this post.

Second Step, mix it all together

Unzip NSS to a folder
You should get the following folder structure

/bin (this is where you can find the certutil.exe utility, but it won’t work straight out of the box)

copy the contents of the /lib folder to the /bin folder

Unzip NSPR

You should get the following folder structure (same as for NSS)


copy the contents of the NSPR /lib folder to the NSS /bin folder

copy the certificate you want to deploy at the same level
you should get this structure

/bin (now also contains libs from nss and nspr)

In order to import the certificate into the user cert8.db, the command is the following

Certutil.exe -A -d path to folder where cert8.db can be found -i certificate -n Name of cert -t level of trust

The directory is different for each user. In order to find it, you need to look into the following file:
C:\Users\ *UserName* \AppData\Roaming\Mozilla\Firefox\profiles.ini

Here is an example of a profiles.ini



For the user testuser cert8.db file will be found in the folder C:\Users\testuser\AppData\Roaming\Mozilla\Firefox\Profiles\hicgn0ja.default

Here is the vbscript I use for deploying the cert: (no support will be provided, test before using it).
CONST ForReading = 1
Set objNetwork = WScript.CreateObject(“WScript.Network”)
strUserName = objNetwork.UserName
Set fso = CreateObject(“Scripting.FileSystemObject”)
Set ObjShell = Createobject(“”)
Set FileSystem = CreateObject(“Scripting.FileSystemObject”)
strDBFileLocation = “cert8.db”

mydir = Replace(WScript.ScriptFullName,WScript.ScriptName,””)
strProfileLocation = “C:\Users\” & strUserName & “\AppData\Roaming\Mozilla\Firefox\profiles.ini”

If (fso.FileExists(strProfileLocation)) Then
‘wscript.echo “file exists”
strData = FileSystem.OpenTextFile(strProfileLocation ,ForReading).ReadAll
arrLines = Split(strData,vbCrLf)

For Each strLine in arrLines
If Left(strLine, 14) = “Path=Profiles/” then
strProfileName = Right(strLine, (len(strLine) – 14))
End if

strProfileFolder = “C:\Users\” & strUserName & “\AppData\Roaming\Mozilla\Firefox\Profiles\” & strProfileName

if (fso.FolderExists(strProfileFolder)) Then
myfile = strProfileFolder & “\cert8.db”
oldfile = strProfileFolder & “\cert8.old”
FileSystem.CopyFile myfile, oldfile, True
‘wscript.echo “folder exists”
End if

Certcmd = “Bin\Certutil.exe” & ” ” & “-A -d ” & strProfileFolder & ” ” & “-i” & ” ” & “certname.cer” & ” -n” & ” certname -t” & ” ” & “””CT,c,c””” Certcmd,0,True

End if

I did not try yet to use other features of the Certutil tool or of other tools that come with the downloads.
more information can be found on Mozilla’s website