Manually editing trusted root CA list in Thunderbird and Firefox

Craig White craigwhite at azapple.com
Sat Sep 17 10:24:25 UTC 2011


On Sat, 2011-09-17 at 08:52 +0200, Christoph A. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> I'd like to remove certain root certificates from my trusted list in
> Firefox but any changes I make are not permanent.
> 
> Is there a way to have per-user trusted root lists instead of a system
> wide list? I suppose manual changes are not effective because the list
> is managed via the package ca-certificates.
> 
> I'd even like to go so far to have separate root ca lists for Firefox
> and Thunderbird because for Thunderbird I only need a handful of CAs.
----
I recently developed a whole methodology of being my own CA using a
series of shell scripts, which has taught me quite a bit on the subject,
but I've not actually made much effort to uncover all of the details
that comprise the user-level certificate stores employed by Mozilla
software; the rest of this e-mail summarizes my current level of
understanding. Also, I have been using Ubuntu server these days because
of the terrible lag in RHEL releases exacerbated by the pathetically
slow CentOS re-spins. Ubuntu is decidedly different w/r/t root
certificate store management (other than the Mozilla internally managed
stuff).

I believe that as part of your login/usage of Firefox & Thunderbird, a
profile is created in ~/.mozilla (FF) and ~/.thunderbird (TB), and within
each of your profiles is a cert8.db file, which is a personalized
version of the certificate store relevant only to your profile. This is
what you are maintaining when you 'manage' certificates within FF/TB
Security settings.

As for permanence, I think any time you update FF or TB, it may update
the personal certificate store that your profile(s) maintain but
otherwise should remain untouched (just guessing here...never actually
studied it).

ca-certificates is actually about the root certificate store for the OS
and is not used at all by FF/TB but other software is almost certain to
use it.

Mozilla (actually Netscape) was pretty much the driver of early
development of technologies such as trusted certificates and things like
LDAP (note the similarity of object references such as CN, etc.) and
thus all Mozilla software always maintained its own root certificate
store rather than interface with the root certificate store that the OS
provides.

Craig
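The per-profile stores the reply describes can be inspected and edited from the command line with NSS's own certutil, which is what the FF/TB "manage certificates" dialog drives underneath. The script below is an added example and is not from this thread or from Mozilla; it assumes certutil is installed (package libnss3-tools on Debian/Ubuntu, nss-tools on RHEL/CentOS) and that the profile directories live where the reply says, under ~/.mozilla and ~/.thunderbird. It looks for both cert8.db, the legacy dbm store named in the reply, and cert9.db, the SQLite-backed store that newer Firefox and Thunderbird releases use, and picks the matching `dbm:`/`sql:` prefix for certutil. Two caveats worth knowing before editing: the built-in roots are supplied by NSS's builtin token (libnssckbi), so they cannot be deleted from a profile database, only overridden by clearing their trust flags with `certutil -M -t ",,"`; and the browser holds the database open, so close Firefox/Thunderbird before changing it or the edit may be lost. If `certutil -L` does not show a root you see in the browser UI, certutil is not loading the builtin token for that profile and you will need to check the cert's nickname in the UI before overriding it.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): enumerate the per-profile NSS
# certificate databases under a base directory and override trust on one root CA
# in a chosen profile with certutil.

# Print "format<TAB>profile-dir" for every profile directory under $1 that holds
# an NSS cert store. cert8.db is the legacy dbm store named in the thread;
# cert9.db is the SQLite store used by newer releases. Missing base dir: no output.
find_nss_profiles() {
    base="$1"
    [ -d "$base" ] || return 0
    find "$base" \( -name cert8.db -o -name cert9.db \) -type f 2>/dev/null |
    while IFS= read -r db; do
        dir=$(dirname "$db")
        case "$(basename "$db")" in
            cert8.db) printf 'dbm\t%s\n' "$dir" ;;
            cert9.db) printf 'sql\t%s\n' "$dir" ;;
        esac
    done | sort -u
}

# List the certificates in one profile with their trust attributes.
# $1 = dbm|sql, $2 = profile directory. In the output, the three comma-separated
# fields are SSL, S/MIME and code-signing trust; "C" marks a trusted CA for that
# purpose and an empty field means no trust for it.
list_profile_certs() {
    certutil -d "$1:$2" -L
}

# Clear all trust flags on one CA in one profile, which is what the browser's
# "untrust" tick boxes do. The override is stored in the profile db and persists
# with the profile; the built-in cert itself stays present (it lives in libnssckbi).
# $1 = dbm|sql, $2 = profile directory, $3 = certificate nickname as shown by -L.
untrust_root() {
    fmt="$1"; dir="$2"; nick="$3"
    certutil -d "$fmt:$dir" -M -n "$nick" -t ",,"
}

# Show what the current user has; profiles without a store are simply skipped.
# Editing is deliberately not automatic: pick a profile and nickname from the
# listing, quit the application, then run e.g.
#   untrust_root sql "$HOME/.mozilla/firefox/<profile>" "<nickname from -L>"
for base in "$HOME/.mozilla" "$HOME/.thunderbird"; do
    find_nss_profiles "$base"
done
```

Because Firefox and Thunderbird each keep their own profile directory, running `untrust_root` against a Thunderbird profile and leaving the Firefox one alone gives exactly the split trust lists the original poster asked for, without touching the OS-level ca-certificates store.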

