Created January 2, 2013 17:24
Is there a way to change the default SSL CA's for firefox BEFORE the profile is created on Ubuntu?
user@laptop:~$ lsb_release  -a
No LSB modules are available.
Distributor ID:  Ubuntu
Description:	Ubuntu 12.04.1 LTS
Release:	12.04
Codename:	precise

user@laptop:~$ certutil -d ~/.mozilla/firefox/fk9tyf55.default -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign Class 3 Extended Validation SSL CA                  ,,   
Microsoft Internet Authority                                 ,,   
DigiCert High Assurance CA-3                                 ,,   
Google Internet Authority                                    ,,   
Thawte SGC CA                                                ,,   
Akamai Subordinate CA 3                                      ,,   
Microsoft Secure Server Authority                            ,,   
Entrust Certification Authority - L1C                        ,,   
VeriSign Class 3 Extended Validation SSL SGC CA              ,,   
RapidSSL CA                                                  ,,   
VeriSign, Inc.                                               ,,   
USERTrust Legacy Secure Server CA                            ,,   
VeriSign Class 3 Secure Server CA - G2                       ,,   
DigiCert High Assurance EV CA-1                              ,,   
VeriSign Class 3 Secure Server CA - G3                       ,,   
GeoTrust SSL CA                                              ,,   
Go Daddy Secure Certification Authority                      ,,   

hh commented Jan 2, 2013

I've found a way to do it after profile creation, but I want new users to have this new CA by default.

/usr/bin/certutil -A -n 'My Custom CA' -d ~user/.mozilla/firefox/*.default/ -t "CTu,," -u "c" -a -i /path/to/cert.crt


hh commented Jan 2, 2013

There are 148 in /usr/share/ca-certificates/mozilla

# ls /usr/share/ca-certificates/mozilla/ | wc -l
148

# ls /usr/share/ca-certificates/mozilla/ | grep Verisign
Verisign_Class_1_Public_Primary_Certification_Authority.crt
Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_2_Public_Primary_Certification_Authority.crt
Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_3_Public_Primary_Certification_Authority.crt
Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt


hh commented Jan 2, 2013

This doesn't work either...

# cp /path/to/myca.crt /usr/local/share/ca-certificates
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.


hh commented Jan 2, 2013

I can run this as the user, but that puts up a prompt that the user needs to check a box on and click through.

firefox /path/to/myca.crt
Downloading Certificate

You have been asked to trust a new Certificate Authority (CA).
Do you want to trust "your.server" for the following purposes?
[ ] Trust this CA to identify websites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.

Before trusting this CA for any purpose, you should examine it's certificate and it's policy and procedures (if available).

[View] Examine CA certificate

[Cancel][OK]


hh commented Jan 2, 2013

Wow, it looks like the default root certs are COMPILED in /usr/lib/firefox/libnssckbi.so !

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316436#24


hh commented Jan 2, 2013

Tried command line -CreateProfile, but it only creates the prefs.js

$ firefox -CreateProfile hasmyca
Xlib:  extension "RANDR" missing on display ":1".
Success: created profile 'hasmyca' at '/home/opscode/.mozilla/firefox/paxsfs60.hasmyca/prefs.js'
$ ls -a .mozilla/firefox/*
.mozilla/firefox/profiles.ini

.mozilla/firefox/Crash Reports:
.  ..  InstallTime20121129165506

.mozilla/firefox/paxsfs60.hasmyca:
.  ..  prefs.js


hh commented Jan 2, 2013

I can create a cert8.db and friends ahead of time.

$ certutil -A -n 'myca' -d /etc/firefox/profile -t "CTu,," -u "c" -a -i /tmp/myca.crt
$ ls /etc/firefox/profile
cert8.db  key3.db  secmod.db
$ certutil -L -d /etc/firefox/profile                            

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myca                                                CT,, 

but I'm not sure how to help get these files into the profile as it is created...


hh commented Jan 2, 2013

# mkdir /usr/lib/firefox/defaults/profile
# certutil -A -n 'myca' -d /usr/lib/firefox/defaults/profile -t "CTu,," -u "c" -a -i /tmp/myca.crt
# chmod 644 /usr/lib/firefox/defaults/profile/*
# certutil -L -d /usr/lib/firefox/defaults/profile 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myca                                                CT,, 

As a user with no profile who hasn't launched firefox yet...

$ rm -rf ~/.mozilla # just to be sure
$ firefox # exit, we just want to create the profile
$ certutil -L -d .mozilla/firefox/*default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myca                                                CT,, 
Google Internet Authority                                    ,,   

I am a bit confused why Google would be injected when I specifically started out with only one CA.


hh commented Jan 2, 2013

It could have something to do with them funding firefox... but forcing SSL certificates seems... wrong.


hh commented Jan 2, 2013

As I browsed other sites, the necessary CERTS were automatically added.... I feel violated.
I must be doing something wrong....

$ certutil -L -d .mozilla/firefox/*.default/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

chef.training                                                CT,, 
Microsoft Internet Authority                                 ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
Google Internet Authority                                    ,,   
VeriSign Class 3 Extended Validation SSL SGC CA              ,,   
Microsoft Secure Server Authority                            ,,   
Akamai Subordinate CA 3                                      ,,   
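
Added example (not part of the gist): a small Python parser for the `certutil -L` table shown in the comments above, grouping entries by what their Trust Attributes column actually grants. The column holds three comma-separated flag groups (SSL, S/MIME, JAR/XPI); `C`/`T` in the first group mark a CA the profile trusts to issue server/client certificates, while an all-empty `,,` means NSS stored the certificate with no trust at all, which is what happens to the intermediate CA certificates a server sends during a TLS handshake, so the entries that appear while browsing are cached chain material, not new trust anchors. `SAMPLE_LISTING` is constructed from the listings in the thread.

```python
import re
from typing import Dict, List, NamedTuple

# certutil prints trust as three comma-separated flag groups: SSL, S/MIME, JAR/XPI.
# NSS letters: C = trusted CA for server certs, T = trusted CA for client certs,
# c = valid CA, P = trusted peer, p = explicitly distrusted, u = user cert.
TRUST_RE = re.compile(r"^([CTcPpu]*),([CTcPpu]*),([CTcPpu]*)$")

class CertEntry(NamedTuple):
    nickname: str
    ssl: str
    smime: str
    jar: str

def parse_certutil_listing(text: str) -> List[CertEntry]:
    """Parse the table printed by `certutil -L -d <dbdir>` into CertEntry rows."""
    # Header lines end in "Attributes" or "SSL,S/MIME,JAR/XPI" and never match the
    # regex; nicknames may hold spaces and commas, so split the trust token off the right.
    entries: List[CertEntry] = []
    for line in text.splitlines():
        nickname, _, trust = line.rstrip().rpartition(" ")
        m = TRUST_RE.match(trust)
        if m and nickname.strip():
            entries.append(CertEntry(nickname.rstrip(), *m.groups()))
    return entries

def classify(entry: CertEntry) -> str:
    """'trusted_ca' if C or T is in the SSL field (the profile accepts certs it issues);
    'cached' if stored with no trust at all, as NSS does with intermediates seen while browsing."""
    if "C" in entry.ssl or "T" in entry.ssl:
        return "trusted_ca"
    if entry.ssl == entry.smime == entry.jar == "":
        return "cached"
    return "other"

def audit_profile_cas(text: str) -> Dict[str, List[str]]:
    """Group nicknames from a certutil listing by the trust they actually hold."""
    groups: Dict[str, List[str]] = {"trusted_ca": [], "cached": [], "other": []}
    for entry in parse_certutil_listing(text):
        groups[classify(entry)].append(entry.nickname)
    return groups

# Constructed sample mirroring the listings posted in the gist.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
chef.training                                                CT,,
Google Internet Authority                                    ,,
VeriSign, Inc.                                               ,,
"""
```

Run `audit_profile_cas` over the output of `certutil -L -d ~/.mozilla/firefox/<profile>` to see which nicknames are real trust anchors versus cached intermediates.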
