On Tue, 2015-06-30 at 09:54 +0200, Wolfgang Rosenauer wrote:
On 30.06.2015 at 09:20, Hans Witvliet wrote:
I know you can add manually additional trusted (sub-)CAs into Firefox,
by clicking through the GUIs, but...
Is this also possible non-interactively, i.e., by means of a shell script?
I presume they end-up somewhere in:
Correct. I think CA certificates are only in cert8.db.
You can work with those databases with the tools provided in
mozilla-nss-tools. Mainly "certutil".
(If Firefox is not running since these files are still BDB databases.)
On the other hand, those files appear to be just
and I see PEM files under:
but also under:
Firefox by default is not using these. They are provided for other
openssl-using applications as an extraction of the default mozilla ca
database which lives in mozilla-nss-certs as file /usr/lib64/libnssckbi.so
So what is the magic required to do this
See if you can work with the above. There are some other possibilities
which are far from well documented like
mozilla-nss-sysinit which allows to have a system global NSS DB managed
by an admin which will get used then as an overlay to the libnssckbi.so.
There is also another pkcs module maintained outside of Mozilla which
apparently uses the same set of files as openssl. I don't remember the
name right now.
Thanks for your reply.
It turned out to be even differently...
All the recognized (sub-) CA's are indeed in /etc/ssl/certs,
But just adding them isn't enough.
When adding them interactively, or with the certutil-tool, name and its
hash together with some attributes are stored in cert8.db (or cert9.db)
Problem I had recently, was that the certutil tool refused to add new
certs, it even refused to list them, complaining about an old and
I even tried to copy the cert8.db file from one machine to another, but
obviously (...) the format seems to change with every version of
In the end it seemed that a chroot-environment for building systems was
the culprit. Instead of doing it once, I solved it by adding those CAs
each time I boot my live image. (not elegant, but it works)
tnx for thinking along.
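
A non-interactive import of the kind asked about in this thread, as an added example that is not part of the original mails: it picks the `sql:` or `dbm:` prefix depending on whether a profile holds cert9.db or cert8.db, then adds each PEM file with certutil. Assumptions: the function names, the profile root and CA directory arguments, the nickname taken from the file name, and the trust flags `C,,` (trusted CA for TLS servers) are choices made for this example; Firefox should be closed while it runs.

```shell
#!/bin/sh
# Added example (not from the thread): import CA certificates into the NSS
# database of every Firefox profile found under a profile root directory.
# Assumed usage: sh script.sh ~/.mozilla/firefox /path/to/dir-with-pem-files

# Print the certutil -d argument for a profile directory, choosing the
# database format actually present (cert9.db = SQLite, cert8.db = BDB).
nss_db_arg() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        return 1    # no NSS certificate database in this directory
    fi
}

# Add one PEM certificate as a trusted TLS server CA ("C,,").
# The nickname is derived from the file name (assumption of this example).
import_ca() {
    db=$1 pem=$2
    nick=$(basename "$pem" .pem)
    certutil -A -d "$db" -n "$nick" -t "C,," -a -i "$pem"
}

# Import every *.pem in ca_dir into every profile under profiles_root.
# Returns non-zero if any single import failed, but keeps going.
import_all() {
    profiles_root=$1 ca_dir=$2 rc=0
    for profile in "$profiles_root"/*/; do
        db=$(nss_db_arg "${profile%/}") || continue
        for pem in "$ca_dir"/*.pem; do
            [ -f "$pem" ] || continue
            import_ca "$db" "$pem" || { echo "failed: $pem -> $db" >&2; rc=1; }
        done
    done
    return $rc
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    import_all "$1" "$2"
fi
```

`certutil -L -d sql:<profile>` (or `dbm:<profile>`) lists the result, so the same prefix logic can be reused to verify the import.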