Differences

This shows you the differences between two versions of the page.

--- kb:cert_override [2019/04/16 20:39]
dstillman
+++ kb:cert_override [2020/04/07 09:20]
einsweniger add a short description on how to add the certificate to the profile directory
@@ Line 1: / Line 1: @@
-====== Security certificate errors in Zotero ======
+====== Overriding Security Certificate Errors in Zotero ======
-**Note:** These instructions are only for use with security software that intercepts/scans HTTPS connections, a WebDAV server with a self-signed certificate, or an institutional network that monitors encrypted traffic using a custom root certificate authority (CA). You should never override certificate errors unless you [[kb:ssl_certificate_error|understand the consequences]]. When in doubt please contact your network administrator or ISP.
+**Note:** These instructions are only for use with security software that intercepts/scans HTTPS connections, a WebDAV server with a self-signed certificate, or an institutional network that monitors encrypted traffic using a custom root certificate authority (CA). You should never override certificate errors unless you [[kb:ssl_certificate_error|understand the consequences]]. When in doubt, please contact your network administrator or ISP.
 Zotero does not currently provide a graphical way to whitelist self-signed certificates or custom root certificates, so you will need to copy files from a working Firefox installation:
   * If you are using a WebDAV server with a self-signed certificate, you can open the WebDAV URL in Firefox, accept the certificate, and then copy the cert_override.txt file from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]].
-  * If you or your organization is using a custom certificate authority, which can be the case when using security software or connecting via a proxy server, you or your IT department will need to configure [[https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/|Firefox 52 ESR]] for the custom CA in a new Firefox profile and then copy the cert8.db, key3.db, and secmod.db files from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. (Later versions of Firefox will produce a cert9.db file that won't work in the current version of Zotero. An upcoming Zotero release will support the newer format.)
+  * If you or your organization is using a custom certificate authority, which can be the case when using security software or connecting via a proxy server, Zotero may need to be configured to accept the custom CA:
+    * **Windows:** Zotero for Windows will automatically use the system root certificate store, which in most cases should allow it to work automatically like other browsers on the system.
+    * **Mac/Linux**: Zotero is based on Firefox and uses the same certificate mechanism, so you or your IT department will need to configure Firefox for the custom CA in a new Firefox profile and then copy the cert9.db, key4.db, and secmod.db files from the [[http://support.mozilla.com/kb/Profiles|Firefox profile directory]] to the [[profile directory|Zotero profile directory]]. (Prior to Zotero 5.0.78, the cert8.db and key3.db files from Firefox 52 ESR were required.)
+      * To add the CA certificate to the certificate database yourself, you can try to use the [[https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil|nss certutil]]: <code bash>certutil -A -d $ZOTERO_PROFILE_PATH -n $CA_NICKNAME -t C -i $CA_CERT_FILE</code>
 {{tag>kb }}