Hi, Am 13.05.2012 20:12, schrieb Per Jessen:
Jim Flanagan wrote:
On 5/13/12 12:01 PM, Per Jessen wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen<per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what it's stored.
hth& regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
As far as I know Firefox ships with its own list of trusted authorities. Throwback from MS days where Windows has its own store. No idea where they are stored.
They're all in /usr/share/ca-certificates/mozilla and /etc/ssl/certs has symlinks to those. I've also tried adding my root certificate into /usr/share/ca-certificates/mozilla, also to no avail.
Firefox and Thunderbird are not using openssl but NSS (mozilla-nss in packaging). The system wide root store is in mozilla-nss-certs. The problem for the normal user is that this is a binary lib holding the certificates. It can be replaced with an own one (that's why it is a separate package) but this also needs some work obviously. There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. If there is interest I would suggest people to email me directly if they are interested and would keep a small group where I would send details and we can try to get it to work as expected. Once the first rough edges are shaped the documentation can be put into some openSUSE wiki. Wolfgang -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org