Enabling Custom Trust-store in Mozilla Products

assuming you already have your own trust-store in place (the CA bundle you maintain yourself)

warning: package updates will overwrite the replaced libnssckbi.so and undo this tweak, TODO dpkg file-exception

P11-KIT

make Firefox and Thunderbird load the system trust-store /etc/ssl/certs/ca-certificates.crt through p11-kit (empty at first, see the acceptance step below) instead of mozilla's built-in store.

apt install p11-kit p11-kit-modules

updatedb
locate libnssckbi.so
locate p11-kit-trust.so

mv -i /usr/lib/thunderbird/libnssckbi.so /usr/lib/thunderbird/libnssckbi.so.dist
cp /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/thunderbird/libnssckbi.so

mv -i /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.dist
cp /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so

ls -lF /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
ls -lF /usr/lib/thunderbird/libnssckbi.so
ls -lF /usr/lib/firefox/libnssckbi.so

Clean-up more

Authorities already stored in the profile itself (the Software Security Device ones) still show up under

Preferences -> Advanced // Certificates

get rid of those by wiping the profile databases (close the application first)

cd ~/.mozilla/firefox/*.default/
ls -lF *.db
rm -f *.db

cd ~/.thunderbird/*.default-release/
ls -lF *.db
rm -f *.db

First-shot acceptance

start with an empty trust-store for acceptance, so you can prove the built-in store is no longer consulted

mv -i /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.dist
touch /etc/ssl/certs/ca-certificates.crt

then open a site with a valid LE cert: FF (or Chrome) should now complain about an invalid Issuer/Authority, which confirms that nothing but the system store is trusted

Enable your trust-store

now point to your maintained and clean one

rm /etc/ssl/certs/ca-certificates.crt
ln -s ../cacert.pem  /etc/ssl/certs/ca-certificates.crt
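A read-only check for the P11-KIT swap and for the acceptance/enable steps above, added here as an example (it is not part of the original guide). It assumes the paths used on this page and takes them as arguments; the usage comment lists the page's real paths, nothing is modified by the functions.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the p11-kit swap
# and for the trust-store bundle. Paths are arguments so the same functions can
# be pointed at thunderbird, firefox, or a scratch directory.

# Does <app>/libnssckbi.so really carry the p11-kit trust module?
# The page copies the file (cp, not ln), so compare content byte for byte:
# a package update that restored Mozilla's own libnssckbi.so shows up as MISMATCH.
is_p11kit_trust() {
    app_lib="$1"
    p11_lib="$2"
    [ -f "$app_lib" ] || { echo "missing: $app_lib"; return 2; }
    [ -f "$p11_lib" ] || { echo "missing: $p11_lib"; return 2; }
    if cmp -s "$app_lib" "$p11_lib"; then
        echo "ok: $app_lib is the p11-kit trust module"
        return 0
    fi
    echo "MISMATCH: $app_lib is not $p11_lib (package update overwrote it?)"
    return 1
}

# How many PEM certificates does the trust-store bundle contain?
# 0 is the "first-shot acceptance" state (every TLS site must fail);
# after linking your own cacert.pem the count is the number of roots you maintain.
# grep -c exits 1 when the count is 0, so the "|| true" keeps that 0 as the answer.
count_certs() {
    bundle="$1"
    [ -f "$bundle" ] || { echo "missing: $bundle" >&2; return 2; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true
}

# Usage with the paths from this page (read-only, no root needed):
#   is_p11kit_trust /usr/lib/firefox/libnssckbi.so /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
#   is_p11kit_trust /usr/lib/thunderbird/libnssckbi.so /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
#   count_certs /etc/ssl/certs/ca-certificates.crt
```

Run is_p11kit_trust again after every apt upgrade of firefox or thunderbird: a MISMATCH means the package shipped its own libnssckbi.so again and the copy step has to be repeated. count_certs follows the symlink, so it reports the size of cacert.pem once the link from the enable step is in place.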

(UNUSED) Clean-up manually & import your ORG’s Root CA

this did not work for us, hence the P11-KIT solution above (and simply import your private CA with the UI)

the trust-store is an NSS Shared DB (SQLite)

apt install libnss3-tools

cd ~/.thunderbird/
find . -name '*.db'
cd ./PROFILE.default-release/

cat cert_override.txt
cat pkcs11.txt

cp cert9.db cert9.db.dist
cp key4.db key4.db.dist

# cert9 & key4
certutil -A -n "Nethence Root CA" -t "TC,TC,TC" -i /etc/ssl/ca.crt -d sql:"$(pwd)"
#-t "TC,C,C"
#-t "TC,TC,TC"
#-t "TC,C,T"
#-t "TC,Cw,Tw"

# cert8
#-d dbm:

ls -lF *.db

Troubles

not much success there

modutil -dbdir ./ -list

Resources

p11-kit trust-store

Project: Trust Storage Module https://p11-glue.github.io/p11-glue/trust-module.html

Spec: Sharing Trust Policy https://p11-glue.github.io/p11-glue/sharing-trust-policy.html

Storing Trust Policy https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/

Firefox trust system trusted certificates https://bgstack15.wordpress.com/2018/10/04/firefox-trust-system-trusted-certificates/

How to add a trusted CA certificate to Chrome and Firefox https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/

Add certificate authorities system-wide on Firefox -> p11-kit https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637

Setting Up Certificate Authorities (CAs) in Firefox https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

CA/AddRootToFirefox https://wiki.mozilla.org/CA/AddRootToFirefox

nss engine

NSS-Crypto.org https://nss-crypto.org/

Network Security Services https://en.wikipedia.org/wiki/Network_Security_Services

NSS Tools: How to configure Thunderbird profile to use a specific signing/encryption certificate? http://mozilla.6506.n7.nabble.com/NSS-Tools-How-to-configure-Thunderbird-profile-to-use-a-specific-signing-encryption-certificate-td342199.html

NSS tools : modutil https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_modutil

nss trust store (default)

NSS Shared DB https://wiki.mozilla.org/NSS_Shared_DB

NSS Tools certutil https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

Firefox, Thunderbird, Chromium, Chrome Root CA certificate installer https://gist.github.com/ThomasLeister/f55fa9c2e85b506ce00ed91f059f0138

Add certificate authorities system-wide on Firefox https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox

Mozilla, SSL, and NSS https://me.micahrl.com/blog/mozilla-ssl-nss/

Programmatically Install Certificate into Mozilla https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla

Programmatic import of CA Certificate http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html#HProgrammaticimportofCACertificate

Importing root certificates into Firefox and Thunderbird http://bahut.alma.ch/2011/07/importing-root-certificates-into.html

About trust flags of certificates in NSS database that can be modified by certutil https://blogs.oracle.com/meena/about-trust-flags-of-certificates-in-nss-database-that-can-be-modified-by-certutil

Copyright © 2024 Pierre-Philipp Braun