assuming you got your trust-store in place
warning: package updates will overwrite this tweak – TODO dpkg file-exception
use an empty /etc/ssl/certs/ca-certificates.crt instead of Mozilla's built-in store.
    apt install p11-kit p11-kit-modules
    updatedb
    locate libnssckbi.so
    locate p11-kit-trust.so
    mv -i /usr/lib/thunderbird/libnssckbi.so /usr/lib/thunderbird/libnssckbi.so.dist
    cp /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/thunderbird/libnssckbi.so
    mv -i /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.dist
    cp /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
    ls -lF /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
    ls -lF /usr/lib/thunderbird/libnssckbi.so
    ls -lF /usr/lib/firefox/libnssckbi.so
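Added example (not part of the original notes): because package updates put the stock libnssckbi.so back, this check compares each application's copy against p11-kit-trust.so, using the paths from the commands above. The function names and the P11_MODULE / APP_DIRS variables are assumptions made for this example.

```shell
#!/bin/sh
# Detect whether libnssckbi.so in each application directory is still the
# p11-kit-trust.so copy, or has been replaced (e.g. by a package update).
# Paths are the ones used in the notes; override via environment if needed.
P11_MODULE=${P11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}
APP_DIRS=${APP_DIRS:-"/usr/lib/firefox /usr/lib/thunderbird"}

# module_state DIR -> prints one of: p11-kit | builtin | missing
module_state() {
    target="$1/libnssckbi.so"
    if [ ! -e "$P11_MODULE" ] || [ ! -e "$target" ]; then
        echo missing
    elif cmp -s "$P11_MODULE" "$target"; then
        # byte-identical (a symlink to the module also matches)
        echo p11-kit
    else
        # some other module, most likely Mozilla's built-in root store
        echo builtin
    fi
}

# audit_trust_modules -> one status line per directory,
# returns 0 only when every directory uses the p11-kit module
audit_trust_modules() {
    rc=0
    for dir in $APP_DIRS; do
        state=$(module_state "$dir")
        printf '%s/libnssckbi.so: %s\n' "$dir" "$state"
        [ "$state" = p11-kit ] || rc=1
    done
    return $rc
}

# Run the audit only when called with --run (e.g. from a cron job or apt hook).
case "${1:-}" in
    --run) audit_trust_modules ;;
esac
```

A non-zero exit status means at least one application is no longer using the system trust store and the cp step has to be repeated.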
Authorities held in the Software Security Device remain listed under
Preferences -> Advanced -> Certificates
get rid of those
    # run with Firefox and Thunderbird closed; key4.db also holds the key protecting saved logins
    cd ~/.mozilla/firefox/*.default/
    ls -lF *.db
    rm -f *.db
    cd ~/.thunderbird/*.default-release/
    ls -lF *.db
    rm -f *.db
start with an empty trust-store for acceptance
    mv -i /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.dist
    touch /etc/ssl/certs/ca-certificates.crt
then use a valid LE cert and you will see FF or Chrome telling you invalid Issuer/Authority
now point to your maintained and clean one
    rm /etc/ssl/certs/ca-certificates.crt
    ln -s ../cacert.pem /etc/ssl/certs/ca-certificates.crt
this does not work hence we went for the P11-KIT solution above (and simply import your private CA with the UI)
the trust-store is an NSS Shared DB (SQLite)
    apt install libnss3-tools
    cd ~/.thunderbird/
    find . -name '*.db'
    cd ./PROFILE.default-release/
    cat cert_override.txt
    cat pkcs11.txt
    cp cert9.db cert9.db.dist
    cp key4.db key4.db.dist
    # cert9 & key4
    certutil -A -n "Nethence Root CA" -t "TC,TC,TC" -i /etc/ssl/ca.crt -d sql:"$(pwd)"
    #-t "TC,C,C"
    #-t "TC,TC,TC"
    #-t "TC,C,T"
    #-t "TC,Cw,Tw"
    # cert8
    #-d dbm:
    ls -lF *.db
not much success there
    modutil -dbdir ./ -list
Project: Trust Storage Module https://p11-glue.github.io/p11-glue/trust-module.html
Spec: Sharing Trust Policy https://p11-glue.github.io/p11-glue/sharing-trust-policy.html
Storing Trust Policy https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/
Firefox trust system trusted certificates https://bgstack15.wordpress.com/2018/10/04/firefox-trust-system-trusted-certificates/
How to add a trusted CA certificate to Chrome and Firefox https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/
Add certificate authorities system-wide on Firefox –> p11-kit https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637
Setting Up Certificate Authorities (CAs) in Firefox https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
CA/AddRootToFirefox https://wiki.mozilla.org/CA/AddRootToFirefox
NSS-Crypto.org https://nss-crypto.org/
Network Security Services https://en.wikipedia.org/wiki/Network_Security_Services
NSS Tools: How to configure Thunderbird profile to use a specific signing/encryption certificate? http://mozilla.6506.n7.nabble.com/NSS-Tools-How-to-configure-Thunderbird-profile-to-use-a-specific-signing-encryption-certificate-td342199.html
NSS tools : modutil https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_modutil
NSS Shared DB https://wiki.mozilla.org/NSS_Shared_DB
NSS Tools certutil https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
Firefox, Thunderbird, Chromium, Chrome Root CA certificate installer https://gist.github.com/ThomasLeister/f55fa9c2e85b506ce00ed91f059f0138
Add certificate authorities system-wide on Firefox https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox
Mozilla, SSL, and NSS https://me.micahrl.com/blog/mozilla-ssl-nss/
Programmatically Install Certificate into Mozilla https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla
Programmatic import of CA Certificate http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html#HProgrammaticimportofCACertificate
Importing root certificates into Firefox and Thunderbird http://bahut.alma.ch/2011/07/importing-root-certificates-into.html
About trust flags of certificates in NSS database that can be modified by certutil https://blogs.oracle.com/meena/about-trust-flags-of-certificates-in-nss-database-that-can-be-modified-by-certutil