Add support for an administrator-editable system-wide certificate store



11 years ago
a month ago


(Reporter: trs80, Unassigned)


Firefox Tracking Flags

(Not tracked)




11 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20080702 Iceape/1.1.11 (Debian-1.1.11-1)
Build Identifier: 

With the switch to sqlite for softtoken, it should be possible to add support for a system-wide cert store that can be easily edited by administrators. Currently to  add another CA cert requires a recompile of nssckbi, which requires a full build environment.

Reproducible: Always

Steps to Reproduce:
1. Want to edit the list of CA certificates for all applications that use NSS.
Actual Results:  
Have to recompile nssckbi, possibly once for each application if the system NSS isn't used.

Expected Results:  
Install the certificate into one database which is then used by all apps.

The softtoken db could be stored in /etc/nss (Linux), %COMMONFILES%\Mozilla\NSS (Windows) or /Library/Mozilla/NSS (OS X). Loading it would happen in nss/lib/nss/nssinit.c, probably in nss_Init() just after the existing call to nss_FindExternalRoot(), but outside the if (!SECMOD_HasRootCerts()) {} block.

I think PSM will require additional work in mozilla/security/manager/ssl/src/nsNSSComponent.cpp nsNSSComponent::InstallLoadableRoots() as bug 176501 causes all modules with root certs to be unloaded. For similar reasons (profile sharing across platforms) it's probably a good idea to follow a similar strategy and only load it temporarily, using SECMOD_LoadUserModule.
NSS already has a function by which an application can cause additional 
cert/key DB pairs to be opened and used simultaneously with the pair that
is opened during NSS initialization.  So, I'm not sure that any change to
NSS is required here.  If PSM wants to include more DB pairs, it just needs
to call the existing NSS functions for doing that.

Also, I think this is a very Linux platform specific request.  
I'm not at all sure that this should be done on other platforms.
It strikes me as a good candidate to be a FF extension for Linux.

Comment 2

11 years ago
It's not platform-specific - I want it for my windows clients at work, where otherwise I have to install my CA in both firefox and thunderbird, for everyone's profile. (Or recompile both every time a new security release comes out, which is far too much work).

It's also useful for apps ported from OpenSSL (eg the Fedora crypto consolidation), which provides SSL_CTX_set_default_verify_paths() to load the default set of CAs (which are easily managed by the administrator, as it's a directory full of PEM files).

The reason I suggested putting it in nss_FindExternalRoot() is because this is always called, and so NSS always trusts the roots it ships with in nssckbi, regardless of whether the app wants them or not, so it seemed reasonable to me to always trust the administrator's CAs as well.


11 years ago
Severity: normal → enhancement
Ever confirmed: true

Comment 3

11 years ago
Bob, doesn't Fedora already have the requested system-wide
certificate store in /etc/pki/nssdb?

Comment 4

11 years ago
Changing to all all platforms since this was requested for all platforms in comment 2 .
OS: Linux → All
Hardware: PC → All
probably relates to bug 449498

Comment 6

4 years ago
For the trusted CAs, there is a solution for this — is a drop-in replacement for, and basically extended a solution like Debian's "update-ca-certificates" so that it actually *works*, as a system-wide way of managing the trusted certificates.

For Windows, the system trust store you want to use is different, so you'd need a different solution. I don't know if something based on nss_capi could be used to replace libnssckbi.dll instead.
You need to log in before you can comment on or make changes to this bug.