[opensuse] firefox/thunderbird and root certificates
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand? -- Per Jessen, Zürich (14.1°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per, FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored. hth & regards, Carl
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough? -- Per Jessen, Zürich (13.4°C)
On Sun, 13 May 2012 19:01:23 +0200 Per Jessen <per@computer.org> wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
I don't know how / where FF stores it's system-wide defaults. Did you see anything under the 'Authorities' tab? Unfortunately, I have to run ... Mother's day today ;-) Anything here? http://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.ht... Or here? http://www.herongyang.com/Cryptography/Web-Browser-Firefox-Import-CA-Certifi... good luck! Carl
On 5/13/12 12:01 PM, Per Jessen wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
As far as I know Firefox ships with its own list of trusted authorities. Throwback from MS days where Windows has its own store. No idea where they are stored. When you import one, does it only work for that one user and not system wide? Jim F
Jim Flanagan wrote:
On 5/13/12 12:01 PM, Per Jessen wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
As far as I know Firefox ships with its own list of trusted authorities. Throwback from MS days where Windows has its own store. No idea where they are stored.
They're all in /usr/share/ca-certificates/mozilla and /etc/ssl/certs has symlinks to those. I've also tried adding my root certificate into /usr/share/ca-certificates/mozilla, also to no avail.
When you import one, does it only work for that one user and not system wide?
Yep. (it wouldn't be right for a regular user to have access to system-wide settings) -- Per Jessen, Zürich (12.8°C)
On Sun, 13 May 2012 20:12:28 +0200 Per Jessen <per@computer.org> wrote:
Jim Flanagan wrote:
On 5/13/12 12:01 PM, Per Jessen wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
As far as I know Firefox ships with its own list of trusted authorities. Throwback from MS days where Windows has its own store. No idea where they are stored.
They're all in /usr/share/ca-certificates/mozilla and /etc/ssl/certs has symlinks to those. I've also tried adding my root certificate into /usr/share/ca-certificates/mozilla, also to no avail.
When you import one, does it only work for that one user and not system wide?
Yep. (it wouldn't be right for a regular user to have access to system-wide settings)
Check out this link (hint: scroll to the bottom): https://bugzilla.mozilla.org/show_bug.cgi?id=449498 which was pointed to from here: https://bugzilla.mozilla.org/show_bug.cgi?id=620373 which was pointed to from here: https://bugzilla.redhat.com/show_bug.cgi?id=546221 There /may/ be enough background in these threads to get you moving in the right direction, Per. <fingers crossed> :-) regards, Carl
Carl Hartung wrote:
On Sun, 13 May 2012 20:12:28 +0200
Check out this link (hint: scroll to the bottom):
https://bugzilla.mozilla.org/show_bug.cgi?id=449498
which was pointed to from here:
https://bugzilla.mozilla.org/show_bug.cgi?id=620373
which was pointed to from here:
https://bugzilla.redhat.com/show_bug.cgi?id=546221
There /may/ be enough background in these threads to get you moving in the right direction, Per. <fingers crossed> :-)
Thanks Carl - interesting reading, especially the first one. I wonder if that is the experimental feature Wolfgang talks about: Wolfgang Rosenauer wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do.
I'll get in touch with Wolfgang. -- Per Jessen, Zürich (6.8°C)
Hi, On 13.05.2012 20:12, Per Jessen wrote:
Jim Flanagan wrote:
On 5/13/12 12:01 PM, Per Jessen wrote:
Carl Hartung wrote:
On Sun, 13 May 2012 18:41:07 +0200 Per Jessen <per@computer.org> wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
Hi Per,
FF is fussy. You can clear cache ("recent browsing history") or go to 'Edit -> Preferences -> Advanced -> Encryption -> View Certificates' to manage what's stored.
hth & regards,
Carl
Hi Carl, I've already been through FF restart and a complete system ditto (just to be on the safe side). I don't see the certificate under "View Certificates", but how do I get it in there (system wide, not for a single user)? It seems to me that having installed it in /etc/ssl/certs should be enough?
As far as I know Firefox ships with its own list of trusted authorities. Throwback from MS days where Windows has its own store. No idea where they are stored.
They're all in /usr/share/ca-certificates/mozilla and /etc/ssl/certs has symlinks to those. I've also tried adding my root certificate into /usr/share/ca-certificates/mozilla, also to no avail.
Firefox and Thunderbird are not using openssl but NSS (mozilla-nss in packaging). The system wide root store is in mozilla-nss-certs. The problem for the normal user is that this is a binary lib holding the certificates. It can be replaced with an own one (that's why it is a separate package) but this also needs some work obviously. There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. If there is interest I would suggest people to email me directly if they are interested and would keep a small group where I would send details and we can try to get it to work as expected. Once the first rough edges are shaped the documentation can be put into some openSUSE wiki. Wolfgang
Wolfgang Rosenauer wrote:
Hi,
Firefox and Thunderbird are not using openssl but NSS (mozilla-nss in packaging).
Aha!
The system wide root store is in mozilla-nss-certs. The problem for the normal user is that this is a binary lib holding the certificates. It can be replaced with an own one (that's why it is a separate package) but this also needs some work obviously.
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do.
If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way.
Dunno about people, but I'd like to know more. :-) -- Per Jessen, Zürich (6.9°C)
On Mon, 2012-05-14 at 07:48 +0200, Per Jessen wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. Dunno about people, but I'd like to know more. :-)
+1 The documentation around the whole area of certificate management is *DREADFUL* and *LACKING*. Please contribute anything you have, however fragmentary, to the interwebz. Certificate deployment & management is an administrative nightmare. Various applications and even development environments each hoe-their-own-row. And the tool chain is almost non-existent. Applications like TinyCA and Gnomint just languish.
On Mon, 14 May 2012 06:32:25 -0400 Adam Tauno Williams <awilliam@whitemice.org> wrote:
On Mon, 2012-05-14 at 07:48 +0200, Per Jessen wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. Dunno about people, but I'd like to know more. :-)
+1
The documentation around the whole area of certificate management is *DREADFUL* and *LACKING*. Please contribute anything you have, however fragmentary, to the interwebz.
Certificate deployment & management is an administrative nightmare. Various applications and even development environments each hoe-their-own-row. And the tool chain is almost non-existent. Applications like TinyCA and Gnomint just languish.
^--- two profoundly true statements! +1 I'll stay in the loop and contribute where I can. Thanks for the offer, Wolfgang ... and for participating in this thread, everybody else! <thumbs up!> Carl
Hi, On 14.05.2012 15:08, Carl Hartung wrote:
On Mon, 14 May 2012 06:32:25 -0400 Adam Tauno Williams <awilliam@whitemice.org> wrote:
On Mon, 2012-05-14 at 07:48 +0200, Per Jessen wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. Dunno about people, but I'd like to know more. :-)
+1
The documentation around the whole area of certificate management is *DREADFUL* and *LACKING*. Please contribute anything you have, however fragmentary, to the interwebz.
Certificate deployment & management is an administrative nightmare. Various applications and even development environments each hoe-their-own-row. And the tool chain is almost non-existent. Applications like TinyCA and Gnomint just languish.
^--- two profoundly true statements! +1
While that thread is not about general CA/PKI management.
I'll stay in the loop and contribute where I can. Thanks for the offer, Wolfgang ... and for participating in this thread, everybody else! <thumbs up!>
For people wanting to check out that experimental feature of Firefox & Co please check out https://etherpad.mozilla.org/6MgiXK43uH . Feel free to contribute to that document if you miss stuff or something is not clear or not working as described. Please keep it clean and focused though. Once people confirm that it's useful and appears to work we can put that up onto some wiki. Wolfgang
Wolfgang Rosenauer wrote:
For people wanting to check out that experimental feature of Firefox & Co please check out https://etherpad.mozilla.org/6MgiXK43uH .
Feel free to contribute to that document if you miss stuff or something is not clear or not working as described.
That etherpad thing is a bit odd - every 10 seconds I get the popup with "Reestablishing connection" which takes about 10 seconds. Makes it quite difficult to use. I followed the instructions and installed a root CA - after realising that '-E' means "email certificate", I deleted the certificate, then re-added it using '-A' - but none of them worked. I ran firefox with NSS_USE_SHARED_DB=1, but the new certificate did not appear. -- Per Jessen, Zürich (11.2°C)
On 15.05.2012 08:57, Per Jessen wrote:
Wolfgang Rosenauer wrote:
For people wanting to check out that experimental feature of Firefox & Co please check out https://etherpad.mozilla.org/6MgiXK43uH .
Feel free to contribute to that document if you miss stuff or something is not clear or not working as described.
That etherpad thing is a bit odd - every 10 seconds I get the popup with "Reestablishing connection" which takes about 10 seconds. Makes it quite difficult to use.
hmm, it works for me. Do you know another platform where you can easily put in comments directly?
I followed the instructions and installed a root CA - after realising that '-E' means "email certificate", I deleted the certificate, then re-added it using '-A' - but none of them worked. I ran firefox with NSS_USE_SHARED_DB=1, but the new certificate did not appear.
Sorry for the -E but that's why this is not an official document yet :-( Actually why it does not work is the interesting part but this needs some knowledge and a proper explanation what has been done exactly and what output you got and so on. There are several things to check but it makes no sense to discuss all the details and debugging on that list. Please check first if your Firefox is using the new database: -> check /proc/PID/fd/ for references to files cert8.db and/or cert9.db Please let's go through it via direct mail to figure out what does not work for you. You can also send me the /etc/pki/nssdb directory so I can verify if it looks good. Wolfgang
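The two steps discussed in this exchange, importing the root CA with certutil -A (not -E) and checking /proc/PID/fd for cert8.db versus cert9.db, as an added example that is not from the thread or from the openSUSE howto. It assumes the shared NSS store is /etc/pki/nssdb as named above, that certutil from the NSS tools is on PATH, and the fd listing it classifies is a constructed sample.

```shell
#!/bin/sh
# Added example; assumptions: shared NSS store at /etc/pki/nssdb (named in the
# thread), certutil on PATH, and a constructed /proc/PID/fd listing below.
NSSDB_DIR="${NSSDB_DIR:-/etc/pki/nssdb}"

# Import a PEM root CA into the shared sqlite NSS DB as a trusted SSL CA.
# -A adds a certificate; -t "C,," marks it a trusted CA for SSL servers.
# (-E would register it as an e-mail certificate, the slip mentioned above.)
nss_import_root_ca() {
    nick=$1; pem=$2
    certutil -d "sql:$NSSDB_DIR" -A -n "$nick" -t "C,," -a -i "$pem" || return 1
    # Verify the store now lists the certificate under that nickname.
    certutil -d "sql:$NSSDB_DIR" -L -n "$nick" >/dev/null 2>&1
}

# Classify which NSS certificate DB a process has open, from an
# `ls -l /proc/PID/fd` listing on stdin: cert9.db is the sqlite format the
# shared store uses (reported even if cert8.db is also open), cert8.db is the
# legacy per-profile format. Prints sqlite, legacy or none.
nss_db_in_use() {
    fds=$(cat)
    case "$fds" in
        *cert9.db*) echo sqlite ;;
        *cert8.db*) echo legacy ;;
        *)          echo none ;;
    esac
}

# Does the listing reference the shared store itself (not a profile copy)?
nss_uses_shared_db() {
    fds=$(cat)
    case "$fds" in
        *"$NSSDB_DIR/cert9.db"*) echo yes ;;
        *)                       echo no ;;
    esac
}

# Convenience wrapper for a live process id.
nss_db_for_pid() {
    ls -l "/proc/$1/fd" 2>/dev/null | nss_db_in_use
}

# Constructed sample: a Firefox started without NSS_USE_SHARED_DB=1 typically
# holds only its own profile's cert8.db open.
SAMPLE_FDS='lrwx------ 1 per users 64 May 15 09:00 23 -> /home/per/.mozilla/firefox/abcd1234.default/cert8.db
lr-x------ 1 per users 64 May 15 09:00 24 -> /usr/lib64/libnss3.so'

printf 'sample process uses: %s (shared store open: %s)\n' \
    "$(printf '%s\n' "$SAMPLE_FDS" | nss_db_in_use)" \
    "$(printf '%s\n' "$SAMPLE_FDS" | nss_uses_shared_db)"
```

A Firefox that was really launched with NSS_USE_SHARED_DB=1 should show the shared store's cert9.db in its fd listing; if only a profile cert8.db appears, the import into /etc/pki/nssdb was never consulted.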
On Mon, May 14, 2012 at 09:08:50AM -0400, Carl Hartung wrote:
On Mon, 14 May 2012 06:32:25 -0400 Adam Tauno Williams <awilliam@whitemice.org> wrote:
On Mon, 2012-05-14 at 07:48 +0200, Per Jessen wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way. Dunno about people, but I'd like to know more. :-)
+1
The documentation around the whole area of certificate management is *DREADFUL* and *LACKING*. Please contribute anything you have, however fragmentary, to the interwebz.
Certificate deployment & management is an administrative nightmare. Various applications and even development environments each hoe-their-own-row. And the tool chain is almost non-existent. Applications like TinyCA and Gnomint just languish.
^--- two profoundly true statements! +1
I'll stay in the loop and contribute where I can. Thanks for the offer, Wolfgang ... and for participating in this thread, everybody else! <thumbs up!>
For the root certificate management part we have unified the non-mozilla-nss users quite much over the last years. The packages to look for are named "ca-*" where we have tools:
ca-certificates
This package manages the root ca subsets and contains the tools necessary for it.
java-ca-certificates
This package plugs in a converter from our system to the Java keystores
and the certificates:
ca-certificates-mozilla
This package contains the extracted certificates from the Mozilla NSS included set.
ca-certificates-cacert
The CACert root CAs in our framework. Not default installed, but as soon as you install it, the CACert root will be in all tools except Mozilla NSS based ones.
man update-ca-certificates for lowlevel tool details. Check "ca-certificates-cacert" source package / spec file on how to do a simple root-ca plugin package for your own needs (we have one for our SUSE internal CA e.g.).
Ciao, Marcus
On 13.05.2012 18:41, Per Jessen wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
a quick follow up on that topic. Thanks to Per who helped testing what we have. I've now published the initial howto here: http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_... Wolfgang
On Mon, 11 Jun 2012 14:29:58 +0200 Wolfgang Rosenauer <wolfgang@rosenauer.org> wrote:
On 13.05.2012 18:41, Per Jessen wrote:
I'm trying to install a new root CA - I've placed it in /etc/ssl/certs, and done the rehash. Testing openssl s_client works, but firefox doesn't seem to recognise it. Does firefox not look in /etc/ssl/certs or do I need a magic wand?
a quick follow up on that topic.
Thanks to Per who helped testing what we have.
I've now published the initial howto here: http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_...
Wolfgang
Thanks for following up on this, Wolfgang and Per! Carl
participants (6)
- Adam Tauno Williams
- Carl Hartung
- Jim Flanagan
- Marcus Meissner
- Per Jessen
- Wolfgang Rosenauer