Make Firefox use system certificates

warron.french
Posts: 279
Joined: 2014/03/27 20:21:58

Make Firefox use system certificates

Post by warron.french » 2018/09/12 00:08:42

Apparently Firefox can use Microsoft's Certificate store.

We have a requirement to manage many certificates. Is it possible to manage certificates for Firefox through the Linux certificate store? Somehow get Firefox to recognize certificates in /etc/pki/tls?

Thanks,
\\War

hunter86_bg
Posts: 1330
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Make Firefox use system certificates

Post by hunter86_bg » 2018/09/12 03:55:54

As per this wiki you can use certutil.

tomkep
Posts: 17
Joined: 2018/04/25 13:30:50

Re: Make Firefox use system certificates

Post by tomkep » 2018/09/14 07:01:58

As far as I can tell, Firefox USES the system certificate store. You drop your anchors to `/etc/pki/ca-trust/source/anchors`, run `update-ca-trust extract` and Firefox picks them up.

The other option is to prepare an rpm file with anchors in `/usr/share/pki/ca-trust-source/anchors` and to issue the above-mentioned command in post install and post uninstall scripts to keep all databases in sync.

warron.french
Posts: 279
Joined: 2014/03/27 20:21:58

Re: Make Firefox use system certificates

Post by warron.french » 2018/09/17 18:48:17

hunter86_bg wrote:
2018/09/12 03:55:54
As per this wiki you can use certutil.

Thanks Hunter.
\\War

warron.french
Posts: 279
Joined: 2014/03/27 20:21:58

Re: Make Firefox use system certificates

Post by warron.french » 2018/09/17 18:48:39

tomkep wrote:
2018/09/14 07:01:58
As far as I can tell, Firefox USES the system certificate store. You drop your anchors to `/etc/pki/ca-trust/source/anchors`, run `update-ca-trust extract` and Firefox picks them up.

The other option is to prepare an rpm file with anchors in `/usr/share/pki/ca-trust-source/anchors` and to issue the above-mentioned command in post install and post uninstall scripts to keep all databases in sync.

Thanks Tomkep.
\\War

warron.french
Posts: 279
Joined: 2014/03/27 20:21:58

Re: Make Firefox use system certificates

Post by warron.french » 2018/09/26 02:08:33

Guys, thank you both for your input.

hunter86_bg - I did read the wiki URL, and it essentially talked about using certutil to update the 3 files cert8.db, secmod.db and key3.db, and then suggested distributing the files around.

I was hoping for something more scalable and easy to automate through a shell script, crontab and that solution distributed via a Puppet Module. So far that doesn't look possible.

Tomkep - Have you tried the update-ca-trust extract command approach yourself?

Depending on how you answer, and me attempting this myself in a lab at work to validate I am capable of doing it, this might be scalable.

Anyway, once you reply tomkep, I will post a new question for multiple applications, for all of the applications, such as: Firefox, Citrix Receiver, Oracle JAVA (cacerts), Google Chrome, and the system in general.

Thank you both, sincerely,
\\War
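
Added example, not part of the original thread: the anchor-directory procedure from tomkep's post as a POSIX shell script that can be run repeatedly from cron or Puppet, calling `update-ca-trust extract` only when an anchor file actually changed. The function names, the `ANCHOR_DIR` and `EXTRACT_CMD` overrides, and the `*.crt`/`*.pem` file naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent sync of CA anchors into the system trust store.
# Assumptions (not from the thread): the source directory holds PEM files
# named *.crt or *.pem; ANCHOR_DIR and EXTRACT_CMD can be overridden so the
# logic can be exercised in a lab without root.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
EXTRACT_CMD="${EXTRACT_CMD:-update-ca-trust extract}"

# is_pem_cert FILE: succeed only if FILE carries both PEM certificate markers.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# sync_anchors SRC_DIR: install new or changed anchors, then rebuild the
# trust store only if something changed.
# Sets SYNC_CHANGED (files installed) and SYNC_SKIPPED (files rejected).
sync_anchors() {
    SYNC_CHANGED=0
    SYNC_SKIPPED=0
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue            # glob matched nothing
        if ! is_pem_cert "$f"; then
            echo "skipping non-PEM file: $f" >&2
            SYNC_SKIPPED=$((SYNC_SKIPPED + 1))
            continue
        fi
        dest="$ANCHOR_DIR/$(basename "$f")"
        # cmp fails when dest is missing or differs, so both cases install.
        if ! cmp -s "$f" "$dest"; then
            install -m 0644 "$f" "$dest" || return 1
            SYNC_CHANGED=$((SYNC_CHANGED + 1))
        fi
    done
    if [ "$SYNC_CHANGED" -gt 0 ]; then
        $EXTRACT_CMD || return 1           # unquoted on purpose: command plus args
    fi
    return 0
}

# Script use: sync_anchors.sh /path/to/reviewed/anchors
if [ "$#" -eq 1 ]; then
    sync_anchors "$1"
fi
```

Only files that have been reviewed as intended trust anchors belong in the source directory, since every certificate installed this way becomes trusted system-wide.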
