Firefox trust system trusted certificates

last updated 2019-07-11

Mozilla maintains its own certificate store mechanism (NSS) and eschews the system trust store. Somehow, my Fedora systems that are joined to FreeIPA work correctly with my IPA certs. I suspect Fedora compiles Firefox with the directive to read the /etc/ipa/nss directory. On Devuan I have not had success with that location, nor /etc/pki/nss. All of this is still a bit voodoo to me, and it's sad that Firefox trusts the Windows system trusted root cert store [techrepublic.com] but not the GNU/Linux one. To programmatically add your root CA certs to the existing Firefox profiles, use a shell scriptlet lifted from "firefox - Programmatically Install Certificate Into Mozilla" [stackoverflow.com]:

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
# Legacy (dbm-format) profiles keep certificates in cert8.db; newer sql-format
# profiles use cert9.db instead and are opened with "-d sql:${certDir}".
for certDB in $(find ~/.mozilla* ~/.thunderbird -name "cert8.db" 2>/dev/null)
do
  certDir=$(dirname "${certDB}")
  #log "mozilla certificate" "install '${certificateName}' in ${certDir}"
  # -A adds the cert under the given nickname with the trust flags from the answer
  certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${certDir}"
done

For new users, you probably need to do this to /etc/skel/.mozilla/firefox/*.default.

Update

An easier way is possible on Debian-based distros with the p11-kit package. After installing that package, you can configure Firefox to include the library in the "Security Devices" in about:preferences -> Privacy and Security tab. Select the "Load" button to add a new entry, give it a name, and specify the full path to the library. On Devuan ceres, my file was /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so. It would not hurt to restart Firefox, but I think the change was immediate for me.

Command line examples

Last updated 2021-03-20

From a gist on GitHub that links to this very page, you can do this Firefox p11 task from the command line. Add to a single profile:

modutil -dbdir sql:~/.mozilla/firefox/blabla.default-release/ -add "PKCS #11 Trust Storage Module" -libfile /usr/lib64/pkcs11/p11-kit-trust.so

List modules for a single profile:

modutil -dbdir sql:~/.mozilla/firefox/blabla.default-release/ -list

Add Trust Storage Module to all profiles: (see ExplainShell)

dirname $(grep -IrL 'p11-kit-trust.so' ~/.mozilla/firefox/*/pkcs11.txt) | xargs -t -d '\n' -I {} modutil -dbdir sql:{} -force -add 'PKCS #11 Trust Storage Module' -libfile /usr/lib64/pkcs11/p11-kit-trust.so

Remove Trust Storage Module from all profiles: (see ExplainShell)

dirname $(grep -Irl 'p11-kit-trust.so' ~/.mozilla/firefox/*/pkcs11.txt) | xargs -t -d '\n' -I {} modutil -dbdir sql:{} -force -delete "PKCS #11 Trust Storage Module"
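The two one-liners above grep each profile's pkcs11.txt to decide which profiles still need the module. The script below is an added example (not the page's own code nor the gist's) that does the same check per profile and only then runs the modutil command shown above, so re-running it is harmless. The library search paths, MOZ_DIR and DRY_RUN are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or the cited gist.
# Idempotently registers p11-kit's trust module in every Firefox profile
# with the same modutil call the page shows. MOZ_DIR, DRY_RUN and the
# library search paths are assumptions.

MODULE_NAME='PKCS #11 Trust Storage Module'

# Locate p11-kit-trust.so: Fedora/RHEL and Debian/Devuan use different dirs.
find_p11_lib() {
  for p in /usr/lib64/pkcs11/p11-kit-trust.so \
           /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so \
           /usr/lib/pkcs11/p11-kit-trust.so; do
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# Returns 0 when the profile's pkcs11.txt (the sql-format NSS module list)
# already references the trust library; a missing file means no modules.
profile_has_trust_module() {
  [ -f "$1/pkcs11.txt" ] && grep -q 'p11-kit-trust.so' "$1/pkcs11.txt"
}

# Register the module in one profile unless it is already present.
# Prints "already" or "added"; with DRY_RUN=1 it only prints the command.
add_trust_module() {
  profile="$1"; lib="$2"
  if profile_has_trust_module "$profile"; then
    echo "already"; return 0
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "would run: modutil -dbdir sql:$profile -force -add '$MODULE_NAME' -libfile $lib"
    return 0
  fi
  modutil -dbdir "sql:$profile" -force -add "$MODULE_NAME" -libfile "$lib" >/dev/null \
    && echo "added"
}

# Walk the profiles listed in profiles.ini instead of globbing, so
# profiles with non-default names are covered too.
add_to_all_profiles() {
  moz="${MOZ_DIR:-$HOME/.mozilla/firefox}"
  lib=$(find_p11_lib) || { echo "p11-kit-trust.so not found; install p11-kit" >&2; return 1; }
  sed -n 's/^Path=//p' "$moz/profiles.ini" | while IFS= read -r rel; do
    case "$rel" in /*) dir="$rel" ;; *) dir="$moz/$rel" ;; esac
    printf '%s: ' "$dir"; add_trust_module "$dir" "$lib"
  done
}
```

Run `DRY_RUN=1 sh -c '. ./script.sh; add_to_all_profiles'` first to see which profiles would be touched before letting modutil write to them.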

References

Internet searches

firefox p11-trust

Weblinks

  1. Original https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/
  2. Kernel of idea for p11-kit https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637
  3. Simple instructions https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox