[opensuse] importing CA's into firefox
Hi all,

I know you can add manually additional trusted (sub-)CA's into firefox, by clicking through the GUI's, but... Is this also possible non-interactively, ie, by means of a shell script?

I presume they end up somewhere in:

ll .mozilla/firefox/default/*.db
~/.mozilla/firefox/default/cert8.db
~/.mozilla/firefox/default/key3.db
~/.mozilla/firefox/default/secmod.db

As if I backup/restore cert8.db, manually added CA's disappear. On the other hand, those files appear to be just hashes, and I see PEM files under:

/etc/ssl/certs/

but also under:

/usr/share/ca-certificates/mozilla/

So what is the magic required to do this automatically?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 30.06.2015 at 09:20, Hans Witvliet wrote:
Hi all,
I know you can add manually additional trusted (sub-)CA's into firefox, by clicking through the GUI's, but... Is this also possible non-interactively, ie, by means of a shell script?
I presume they end-up somewhere in: ll .mozilla/firefox/default/*.db ~/.mozilla/firefox/default/cert8.db ~/.mozilla/firefox/default/key3.db ~/.mozilla/firefox/default/secmod.db
Correct. I think CA certificates are only in cert8.db.

You can work with those databases with the tools provided in mozilla-nss-tools. Mainly "certutil". https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tool... (If Firefox is not running, since these files are still BDB databases.)
On the other hand, those files appear to be just hashes. and I see PEM files under: /etc/ssl/certs/ but also under: /usr/share/ca-certificates/mozilla/
Firefox by default is not using these. They are provided for other openssl-using applications as an extraction of the default mozilla ca database which lives in mozilla-nss-certs as file /usr/lib64/libnssckbi.so
So what is the magic required to do this automatically?
See if you can work with the above. There are some other possibilities which are far from well documented, like mozilla-nss-sysinit, which allows having a system global NSS DB managed by an admin which will then get used as an overlay to the libnssckbi.so.

There is also another pkcs module maintained outside of Mozilla which apparently uses the same set of files as openssl. I don't remember the name right now.

Wolfgang
On Tue, 2015-06-30 at 09:54 +0200, Wolfgang Rosenauer wrote:
On 30.06.2015 at 09:20, Hans Witvliet wrote:
Hi all,
I know you can add manually additional trusted (sub-)CA's into firefox, by clicking through the GUI's, but... Is this also possible non-interactively, ie, by means of a shell script?
I presume they end-up somewhere in: ll .mozilla/firefox/default/*.db ~/.mozilla/firefox/default/cert8.db ~/.mozilla/firefox/default/key3.db ~/.mozilla/firefox/default/secmod.db
Correct. I think CA certificates are only in cert8.db.
You can work with those databases with the tools provided in mozilla-nss-tools. Mainly "certutil". https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tool... (If Firefox is not running since these files are still BDB databases.)
On the other hand, those files appear to be just hashes. and I see PEM files under: /etc/ssl/certs/ but also under: /usr/share/ca-certificates/mozilla/
Firefox by default is not using these. They are provided for other openssl-using applications as an extraction of the default mozilla ca database which lives in mozilla-nss-certs as file /usr/lib64/libnssckbi.so
So what is the magic required to do this automatically?
See if you can work with the above. There are some other possibilities which are far from well documented like mozilla-nss-sysinit which allows to have a system global NSS DB managed by an admin which will get used then as an overlay to the libnssckbi.so.
There is also another pkcs module maintained outside of Mozilla which apparently uses the same set of files as openssl. I don't remember the name right now.
Wolfgang
Hi Wolfgang,

Thanks for your reply. It turned out to be different still...

All the recognized (sub-)CA's are indeed in /etc/ssl/certs, but just adding them isn't enough. When adding them interactively, or with the certutil tool, the name and its hash together with some attributes are stored in cert8.db (or cert9.db).

Problem I had recently was that the certutil tool refused to add new certs; it even refused to list them, complaining about an old and unsupported layout. I even tried to copy the cert8.db file from one machine to another, but obviously (...) the format seems to change with every version of firefox.

In the end it seemed that a chroot environment for building systems was the culprit. Instead of doing it once, I solved it by adding those CA's each time I boot my live image. (Not elegant, but it works.)

tnx for thinking along.
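The non-interactive import Wolfgang describes with certutil from mozilla-nss-tools, and the cert8.db versus cert9.db distinction Hans ran into, as an added shell example that is not part of this thread and not openSUSE's or Mozilla's own tooling. It assumes certutil is installed, uses the profile directory ~/.mozilla/firefox/default from the question, and reads PEM files from /usr/local/share/my-cas (an assumed directory). Firefox must not be running while the database is written. The database prefix is chosen from what the profile contains: cert9.db is the SQLite layout certutil addresses as "sql:", cert8.db the legacy Berkeley DB layout addressed as "dbm:", which is why a cert8.db copied between machines with different NSS versions can be rejected as an unsupported layout.

```shell
#!/bin/sh
# Added example (not from the thread): import PEM CA certificates into a
# Firefox profile's NSS database non-interactively with certutil.
# Paths and nicknames below are assumptions; adjust CA_DIR and the profile.

set -eu

# Decide the certutil database spec from what the profile actually contains:
# cert9.db is the SQLite layout ("sql:"), cert8.db the legacy BDB one ("dbm:").
# Prints an empty string when neither file exists.
nss_db_spec() {
    dir=$1
    if [ -f "$dir/cert9.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ]; then
        printf 'dbm:%s\n' "$dir"
    else
        printf '\n'
    fi
}

# Derive the certificate nickname from the file name (strip directory and extension).
nickname_for() {
    base=${1##*/}
    printf '%s\n' "${base%.*}"
}

# Import every PEM file in CA_DIR as a CA trusted for SSL server authentication
# only ("C,,"). Wider flags such as "CT,," or "C,C,C" would also trust it for
# e-mail or client authentication; keep the trust as narrow as the deployment needs.
import_cas() {
    profile=$1
    ca_dir=$2
    spec=$(nss_db_spec "$profile")
    if [ -z "$spec" ]; then
        echo "no cert8.db or cert9.db in $profile" >&2
        return 1
    fi
    for pem in "$ca_dir"/*.pem; do
        [ -f "$pem" ] || continue
        nick=$(nickname_for "$pem")
        certutil -A -d "$spec" -n "$nick" -t "C,," -i "$pem"
    done
}

# List nicknames and trust flags so the result of the import can be checked.
list_cas() {
    certutil -L -d "$(nss_db_spec "$1")"
}

# Run with "run" as the first argument, e.g. from a boot-time script on a live image.
if [ "${1:-}" = "run" ]; then
    PROFILE="$HOME/.mozilla/firefox/default"     # profile path from the question
    CA_DIR=/usr/local/share/my-cas               # assumed location of the PEM files
    import_cas "$PROFILE" "$CA_DIR"
    list_cas "$PROFILE"
fi
```

After the import, the trust column printed by certutil -L should show "C,," for each added CA and nothing broader; a sub-CA imported this way is trusted for every server certificate it issues, so the PEM directory should be writable only by the administrator.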
On 07/01/2015 04:52 PM, Hans Witvliet wrote:
I even tried to copy the cert8.db file from one machine to another, but obviously (...) the format seems to change with every version of firefox.
In the end it seemed that a chroot-environment for building systems was the culprit. Instead of doing it once, I solved it adding those CA's each time I boot my live image. (not elegant, but it works)
tnx for thinking along.
Hans,

If you are adding new certs, or have custom certs to move from box to box, see:

$ man update-ca-trust

and look at *update-ca-trust extract*

--
David C. Rankin, J.D., P.E.
participants (3)
- David C. Rankin
- Hans Witvliet
- Wolfgang Rosenauer