Firefox trust system trusted certificates

last updated 2019-07-11

Mozilla maintains its own certificate store mechanism (nss), and eschews the system trust store.

Somehow, my Fedora systems that are joined to freeipa work correctly with my ipa certs. I suspect Fedora compiles firefox with the directive to read the /etc/ipa/nss directory. On Devuan I have not had success with that location, nor /etc/pki/nss. All of this is still a bit voodoo to me, and it’s sad that Firefox trusts [techrepublic.com] the Windows system trusted root cert store but not the GNU/Linux one.

To programmatically add your root ca certs to the existing firefox profiles, use a shell scriptlet lifted from firefox – Programmatically Install Certificate Into Mozilla [stackoverflow.com]:

certificateFile="MyCa.cert.pem"
certificateName="MyCA Name"
# Firefox 58+ keeps its store in cert9.db (sql: prefix); older profiles and
# Thunderbird may still use cert8.db (dbm: prefix), so handle both.
for certDB in $(find ~/.mozilla* ~/.thunderbird \( -name "cert8.db" -o -name "cert9.db" \) 2>/dev/null)
do
  certDir=$(dirname "${certDB}")
  case "$(basename "${certDB}")" in
    cert9.db) dbArg="sql:${certDir}" ;;
    *)        dbArg="dbm:${certDir}" ;;
  esac
  echo "mozilla certificate: install '${certificateName}' in ${certDir}"
  certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${dbArg}"
done

For new users, you probably need to do this to /etc/skel/.mozilla/firefox/*.default.
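As an added example (not code from the original post or from the Stack Overflow answer it cites), the script below wraps the same certutil import in functions: it locates every NSS database under the directories you name, picks the right database prefix for each (sql: for cert9.db, dbm: for cert8.db), imports the CA, and then checks that the nickname carries the C (trusted CA) flag. It assumes certutil from the NSS tools is on PATH; the trust string "CT,C,C" is the standard trusted-CA setting, chosen here instead of the flags in the scriptlet above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or the Stack Overflow answer.
# Imports a CA certificate into every NSS profile database under the given
# directories, handling both the legacy cert8.db (dbm: prefix) and the
# current cert9.db (sql: prefix), then checks the trust flags that landed.
# Assumes certutil (NSS tools) is on PATH.

# Print the -d argument certutil needs for one database file:
# "sql:DIR" for cert9.db, "dbm:DIR" for cert8.db.
nss_dbdir_arg() {
    db=$1
    dir=$(dirname "$db")
    case "$(basename "$db")" in
        cert9.db) printf 'sql:%s\n' "$dir" ;;
        cert8.db) printf 'dbm:%s\n' "$dir" ;;
        *) echo "not an NSS certificate database: $db" >&2; return 1 ;;
    esac
}

# Print one -d argument per NSS database found under the given roots.
# Missing roots (e.g. no ~/.thunderbird) are silently skipped.
find_nss_dbs() {
    find "$@" \( -name cert8.db -o -name cert9.db \) 2>/dev/null |
        while IFS= read -r db; do nss_dbdir_arg "$db"; done
}

# import_ca CERT.pem NICKNAME ROOT...
# Adds the PEM certificate under NICKNAME to every database found under
# the ROOT directories, trusted as a CA for TLS, e-mail and code signing.
import_ca() {
    certfile=$1; nick=$2; shift 2
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    find_nss_dbs "$@" | while IFS= read -r dbarg; do
        echo "importing '$nick' into $dbarg"
        certutil -A -d "$dbarg" -n "$nick" -t "CT,C,C" -i "$certfile"
    done
}

# verify_ca_trust DBARG NICKNAME
# Succeeds only if NICKNAME is present and its SSL trust field carries C
# (trusted CA); certutil -L prints "nickname   SSL,Email,Signing" lines.
verify_ca_trust() {
    dbarg=$1; nick=$2
    certutil -L -d "$dbarg" | grep -F -- "$nick" | awk '{print $NF}' |
        grep -q '^[^,]*C'
}

# Typical run for a user's own profiles (not executed here):
#   import_ca MyCa.cert.pem "MyCA Name" ~/.mozilla ~/.thunderbird
#   verify_ca_trust "sql:$HOME/.mozilla/firefox/xxxx.default-release" "MyCA Name"
```

The verification step matters because certutil -A silently accepts any trust string; a CA imported with the wrong flags shows up in Firefox's certificate manager but is not used to validate servers, which is exactly the failure the post describes.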

Update

An easier way exists on Debian-based distros with the p11-kit package. After installing it, you can add its trust library to Firefox under “Security Devices” in about:preferences -> Privacy and Security.

Select the “Load” button to add a new entry, give it a name, and specify the full path to the library. On Devuan ceres, my file was /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so

It would not hurt to restart Firefox, but I think the change was immediate for me.

Command line examples

Last updated 2021-03-20

A gist on GitHub that links back to this very page shows how to do the same Firefox p11-kit task from the command line.
Add the module to a single profile:

modutil -dbdir sql:~/.mozilla/firefox/blabla.default-release/ -add "PKCS #11 Trust Storage Module" -libfile /usr/lib64/pkcs11/p11-kit-trust.so

List modules for a single profile:

modutil -dbdir sql:~/.mozilla/firefox/blabla.default-release/ -list

Add Trust Storage Module to all profiles: (see ExplainShell)

dirname $(grep -IrL 'p11-kit-trust.so' ~/.mozilla/firefox/*/pkcs11.txt) | xargs -t -d '\n' -I {} modutil -dbdir sql:{} -force -add 'PKCS #11 Trust Storage Module' -libfile /usr/lib64/pkcs11/p11-kit-trust.so

Remove Trust Storage Module from all profiles: (see ExplainShell)

dirname $(grep -Irl 'p11-kit-trust.so' ~/.mozilla/firefox/*/pkcs11.txt) | xargs -t -d '\n' -I {} modutil -dbdir sql:{} -force -delete "PKCS #11 Trust Storage Module"
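The two one-liners above depend on GNU xargs and on profile paths without spaces. As an added example (not from the original post or the linked gist), the functions below do the same job in plain sh: they select profiles by inspecting each profile's pkcs11.txt, then register or remove the module with modutil. The profile root, the library path and the function names are this example's own assumptions; modutil from the NSS tools is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the linked gist.
# Registers (or removes) the p11-kit trust module in every Firefox profile
# under one directory, selecting profiles by inspecting their pkcs11.txt
# exactly as the grep in the one-liners above does.  Assumes modutil (NSS
# tools) is on PATH and that the library path is supplied by the caller.

MODULE_NAME='PKCS #11 Trust Storage Module'

# List profile directories whose pkcs11.txt does NOT mention the library
# file name.  A profile with no pkcs11.txt yet is skipped, like the glob in
# the one-liners; Firefox writes that file on first start.
profiles_without_module() {
    root=$1; lib=$2
    for f in "$root"/*/pkcs11.txt; do
        [ -f "$f" ] || continue
        grep -qF -- "$lib" "$f" || dirname "$f"
    done
    return 0
}

# List profile directories whose pkcs11.txt already mentions the library.
profiles_with_module() {
    root=$1; lib=$2
    for f in "$root"/*/pkcs11.txt; do
        [ -f "$f" ] || continue
        grep -qF -- "$lib" "$f" && dirname "$f"
    done
    return 0
}

# enable_trust_module PROFILE_ROOT /path/to/p11-kit-trust.so
# -force answers modutil's interactive confirmation so the loop does not stall.
enable_trust_module() {
    root=$1; libfile=$2
    command -v modutil >/dev/null 2>&1 || { echo "modutil not found" >&2; return 1; }
    profiles_without_module "$root" "$(basename "$libfile")" |
        while IFS= read -r dir; do
            modutil -dbdir "sql:$dir" -force -add "$MODULE_NAME" -libfile "$libfile"
        done
}

# disable_trust_module PROFILE_ROOT /path/to/p11-kit-trust.so
disable_trust_module() {
    root=$1; libfile=$2
    command -v modutil >/dev/null 2>&1 || { echo "modutil not found" >&2; return 1; }
    profiles_with_module "$root" "$(basename "$libfile")" |
        while IFS= read -r dir; do
            modutil -dbdir "sql:$dir" -force -delete "$MODULE_NAME"
        done
}

# Typical run (not executed here):
#   enable_trust_module ~/.mozilla/firefox /usr/lib64/pkcs11/p11-kit-trust.so
#   modutil -dbdir sql:~/.mozilla/firefox/xxxx.default-release -list
```

Selecting by file-name match in pkcs11.txt is the same idempotency check the one-liners use, so running enable_trust_module twice does not add a duplicate module; after a run, modutil -list on one profile should show the module, and Firefox's certificate manager should list the system CAs under the p11-kit-trust token.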

References

Internet searches

firefox p11-trust

Weblinks

  1. Original https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/
  2. Kernel of idea for p11-kit https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637
  3. Simple instructions https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

6 thoughts on “Firefox trust system trusted certificates”

  1. Hi,
    Thanks, is the information suitable for Firefox 38.7 on client computers?
    And I can't find the /usr/lib64 path in Ubuntu 16.04 server; how can I do it?

    • If you don’t have a /usr/lib64 directory, then you probably have a 32-bit installation. Try /usr/lib. The important point is to find the p11-kit-trust.so file and use its full path. You could run

      find /usr -name 'p11-kit-trust.so' 2>/dev/null

      which might help you find it if /usr/lib is not a thing.

      • Hi,
        After running find /usr -name 'p11-kit-trust.so' 2>/dev/null, it did not return anything.
        Do I need to install Firefox on the server?

      • Check for a package named “p11-kit-modules” or similar, which provides the p11-kit-trust.so library.

  2. Hi,
    I can find the package at path /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so.
    How can I set it up on the Ubuntu server so that client computers can trust the server CA?

  3. […] Note that both Firefox and Google Chrome don’t look at the CA certificates data. If you want the certificate to be valid in Firefox/Chrome, you will need to take extra steps that are dependent on the browser you are using. For instance, for Firefox, instructions are here. […]
