user@laptop:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
user@laptop:~$ certutil -d ~/.mozilla/firefox/fk9tyf55.default -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
VeriSign Class 3 Extended Validation SSL CA ,,
Microsoft Internet Authority ,,
DigiCert High Assurance CA-3 ,,
Google Internet Authority ,,
Thawte SGC CA ,,
Akamai Subordinate CA 3 ,,
Microsoft Secure Server Authority ,,
Entrust Certification Authority - L1C ,,
VeriSign Class 3 Extended Validation SSL SGC CA ,,
RapidSSL CA ,,
VeriSign, Inc. ,,
USERTrust Legacy Secure Server CA ,,
VeriSign Class 3 Secure Server CA - G2 ,,
DigiCert High Assurance EV CA-1 ,,
VeriSign Class 3 Secure Server CA - G3 ,,
GeoTrust SSL CA ,,
Go Daddy Secure Certification Authority ,,
Created
January 2, 2013 17:24
Is there a way to change the default SSL CAs for Firefox BEFORE the profile is created on Ubuntu?
Tried command line -CreateProfile, but it only creates the prefs.js
$ firefox -CreateProfile hasmyca
Xlib: extension "RANDR" missing on display ":1".
Success: created profile 'hasmyca' at '/home/opscode/.mozilla/firefox/paxsfs60.hasmyca/prefs.js'
$ ls -a .mozilla/firefox/*
.mozilla/firefox/profiles.ini
.mozilla/firefox/Crash Reports:
. .. InstallTime20121129165506
.mozilla/firefox/paxsfs60.hasmyca:
. .. prefs.js
I can create a cert8.db and friends ahead of time.
$ certutil -A -n 'myca' -d /etc/firefox/profile -t "CTu,," -u "c" -a -i /tmp/myca.crt
$ ls /etc/firefox/profile
cert8.db key3.db secmod.db
$ certutil -L -d /etc/firefox/profile
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
myca CT,,
but I'm not sure how to help get these files into the profile as it is created...
# mkdir /usr/lib/firefox/defaults/profile
# certutil -A -n 'myca' -d /usr/lib/firefox/defaults/profile -t "CTu,," -u "c" -a -i /tmp/myca.crt
# chmod 644 /usr/lib/firefox/defaults/profile/*
# certutil -L -d /usr/lib/firefox/defaults/profile
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
myca CT,,
As a user with no profile who hasn't launched Firefox yet...
$ rm -rf ~/.mozilla # just to be sure
$ firefox # exit, we just want to create the profile
$ certutil -L -d .mozilla/firefox/*default/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
myca CT,,
Google Internet Authority ,,
I am a bit confused why Google would be injected when I specifically started out with only one CA.
It could have something to do with them funding Firefox... but forcing SSL certificates seems... wrong.
As I browsed other sites, the necessary CERTS were automatically added.... I feel violated.
I must be doing something wrong....
$ certutil -L -d .mozilla/firefox/*.default/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
chef.training CT,,
Microsoft Internet Authority ,,
VeriSign Class 3 Extended Validation SSL CA ,,
Google Internet Authority ,,
VeriSign Class 3 Extended Validation SSL SGC CA ,,
Microsoft Secure Server Authority ,,
Akamai Subordinate CA 3 ,,
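
Added example (not part of the original gist): a shell function that splits a `certutil -L` listing into entries that carry an explicit SSL trust flag and entries stored with empty flags (`,,`), which is what certutil prints for a certificate that has no trust assigned in that database. The function name `classify_certs` is hypothetical and the sample listing is constructed from the output above.

```shell
#!/bin/sh
# Classify `certutil -L` entries by the SSL field of their trust attributes.
# classify_certs and sample_listing are hypothetical names for this example.
#
# Output, one tab-separated line per certificate:
#   TRUSTED    <flags>  <nickname>   SSL field contains C, T or P
#   UNTRUSTED  <flags>  <nickname>   SSL field has no trust letter (e.g. ",,")
classify_certs() {
    awk '
    # A data line ends in three comma-separated flag groups: SSL,S/MIME,JAR/XPI.
    # The two header lines do not match this shape and are skipped.
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        # The nickname may contain spaces: it is every field but the last.
        nick = $1
        for (i = 2; i < NF; i++) nick = nick " " $i
        split(flags, f, ",")
        # C = trusted CA (server certs), T = trusted CA (client certs),
        # P = trusted peer. Lowercase c/p mean "valid", not "trusted".
        status = (f[1] ~ /[CTP]/) ? "TRUSTED" : "UNTRUSTED"
        printf "%s\t%s\t%s\n", status, flags, nick
    }'
}

# Constructed sample input, modelled on the profile listing above.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

chef.training                                                CT,,
Google Internet Authority                                    ,,
VeriSign, Inc.                                               ,,
EOF
}

# Demo on the constructed sample. Against a real profile the input would be:
#   certutil -L -d <profile directory> | classify_certs
sample_listing | classify_certs
```
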
Wow, it looks like the default root certs are COMPILED in /usr/lib/firefox/libnssckbi.so!
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316436#24