On 30.06.2015 at 09:20, Hans Witvliet wrote:
Hi all,
I know you can manually add additional trusted (sub-)CAs into Firefox by clicking through the GUI, but... Is this also possible non-interactively, i.e., by means of a shell script?
I presume they end up somewhere in:
  ll .mozilla/firefox/default/*.db
  ~/.mozilla/firefox/default/cert8.db
  ~/.mozilla/firefox/default/key3.db
  ~/.mozilla/firefox/default/secmod.db
Correct. I think CA certificates are only in cert8.db. You can work with those databases with the tools provided in mozilla-nss-tools. Mainly "certutil". https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tool... (If Firefox is not running since these files are still BDB databases.)
On the other hand, those files appear to be just hashes, and I see PEM files under: /etc/ssl/certs/ but also under: /usr/share/ca-certificates/mozilla/
Firefox by default is not using these. They are provided for other openssl-using applications as an extraction of the default mozilla ca database which lives in mozilla-nss-certs as file /usr/lib64/libnssckbi.so
So what is the magic required to do this automatically?
See if you can work with the above. There are some other possibilities which are far from well documented, like mozilla-nss-sysinit, which allows having a system-global NSS DB managed by an admin, which will then get used as an overlay to the libnssckbi.so. There is also another pkcs module maintained outside of Mozilla which apparently uses the same set of files as openssl. I don't remember the name right now.

Wolfgang
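The following is an added example, not part of the thread and not code from either poster: a shell script that performs the non-interactive import with certutil from mozilla-nss-tools, refusing to touch the databases while Firefox is running. The function names, the `DRY_RUN` and `FIREFOX_DIR` variables, the `firefox` process name, and the handling of the newer `cert9.db` (`sql:`) format are assumptions that go beyond what the thread states.

```shell
#!/bin/sh
# Added example: import a CA certificate into Firefox profile NSS databases.
# Source this file, then run: import_ca_all_profiles "My CA nickname" /path/ca.pem
# (nickname and path are placeholders supplied by the caller).

# Print the certutil -d argument for a profile directory; fail if it has no DB.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"     # SQLite format (assumption: newer profiles)
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"     # legacy BDB format discussed in the thread
    else
        return 1
    fi
}

# import_ca NICKNAME PEM_FILE PROFILE_DIR
# Trust flags "C,," mark the CA as trusted for TLS server certificates only,
# leaving the S/MIME and code-signing trust fields empty.
import_ca() {
    spec=$(nss_db_spec "$3") || { echo "no NSS DB in $3" >&2; return 1; }
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        # Show the command without changing anything (display only, unquoted).
        echo "certutil -A -d $spec -n $1 -t C,, -a -i $2"
        return 0
    fi
    certutil -A -d "$spec" -n "$1" -t "C,," -a -i "$2" &&
        certutil -L -d "$spec" -n "$1" >/dev/null   # confirm the entry exists
}

# import_ca_all_profiles NICKNAME PEM_FILE
import_ca_all_profiles() {
    # The BDB files must not be modified while Firefox has them open.
    if pgrep -x firefox >/dev/null 2>&1; then
        echo "Firefox is running; close it first" >&2
        return 1
    fi
    rc=0
    for p in "${FIREFOX_DIR:-$HOME/.mozilla/firefox}"/*/; do
        if nss_db_spec "${p%/}" >/dev/null; then
            import_ca "$1" "$2" "${p%/}" || rc=1
        fi
    done
    return "$rc"
}
```

Running with `DRY_RUN=1` first shows which profiles and database formats would be modified; `certutil -L -d <spec>` afterwards lists the stored trust flags for review.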