Ability to display fingerprint of CA certificates



Core Graveyard
Security: UI
9 years ago
a year ago


(Reporter: Johannes Bauer, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [psm-cert-manager])



9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; de; rv: Gecko/2008122413 Gentoo Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; de; rv: Gecko/2008122413 Gentoo Firefox/3.0.5

When a user creates his own certificate hierarchy there is somewhere a self-signed root certificate which signs multiple server certificates (i.e. a webserver certificate). The user then memorizes the Root CA's fingerprint and should not have to care about all the fingerprints of signed server certificates. When going to a webserver, it would be very convenient to see the SHA1 and MD5 fingerprint of *all* certificates in the chain, not only the fingerprint of the last certificate (i.e. the server certificate). That way if the user memorized the root CA's fingerprint, the validity of the certificate that was signed would also be given.

Reproducible: Always

Steps to Reproduce:

Comment 1

I don't think we want to display fingerprints from the entire chain in the general page, if only because chains can be long and that would take a surprising amount of space for a reasonably marginal case. Nevertheless, I can agree that it should be possible to get this information *somehow* and I can't currently find a good way to do that.

Also moving to PSM for Kai's more enlightened commentary.
Assignee: nobody → kaie
Component: Security → Security: UI
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → ui

Comment 2

9 years ago
Yes, I also thought of displaying that information in the "Details" tab.


9 years ago
Blocks: 474921


9 years ago
No longer blocks: 474921

Comment 3

9 years ago

Usually the CA's fingerprint is only used once.

Users should download the CA, a prompt will appear that asks "do you want to import", if yes, the user should check the checkboxes "e.g. I trust this for web sites".

At this import time, the user has a chance to use "view cert" for this new CA, and this includes the ability to display the fingerprint.

Your example confuses me.
Maybe you did not know about the "import and trust CA" approach?

If you know about it:
Why do you want to avoid importing the CA, but manually compare the CA fingerprint each time you visit a server?

Comment 4

9 years ago
Hi Kai,

I am aware of the solution of importing CA's certificates permanently - this is what I already do. To explain why the display of the CA certificate hash would be useful, consider this example (which is *exactly* what I'm doing and what my problem is):

I have my own CA hierarchy, the root certificate being valid for 10 years, quite secure (non-networked computer, etc.). This CA hierarchy issues certificates, among them web-server certificates. Those typically have a much lower validity period of 1-3 years.

On my HTTPS webservers there is always a link to the root certificate. When using a new system of mine, I go to the URL and import the root certificate in the manner you described.

However, on systems which I do not own (at a friend's, for example) or on browsers which do not support root CA import as nicely as Firefox does, it would be nice to just verify the session integrity once. For this purpose, I could memorize the web server's fingerprint - but this one changes quite often. If the CA's fingerprint would be displayed, I could just verify that one and would not have to care about the (frequently changing) web server certificate. As I know my CA certificate SHA-1 hash by heart, this would be a nifty feature for me :-)

Kind regards,

Comment 5

9 years ago
This is a very edge case scenario, I won't work on this feature.

If someone wants to contribute a patch, I think the right approach is:
Enhance the details tab, and add a fingerprint section.
Assignee: kaie → nobody

Comment 6

8 years ago
I was going to file this same bug :)

There's no need to "memorize the fingerprint". Just consider that the CA file you need to trust is on an https server. This server certificate is signed by the same CA you need to import. Catch 22.
At this point assume you can call them and ask "Is certificate xxyyzz yours?"

You have the web server certificate hash shown directly but the question that should be really made (even though certifying any of them would verify the other) is if their root CA cert is X, not if their webserver at foo.example.com has certificate Y.

Or you could want to check if foo.example.com is signed by the same custom CA as bar.example.com (which you trust).

There are ways to overcome this limitation, like comparing the modulus and exponent, or exporting and playing with the file using openssl. But they are inconvenient.

I think Firefox used to provide a fingerprint in the details tab but it obviously doesn't now.
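
The checks discussed in this thread (a fingerprint for every certificate in the chain, and whether two servers present the same CA certificate), as an added example that is not part of the bug report or of Firefox's code. The function names and the sample bundles are assumptions made for illustration; the bundles are constructed stand-in bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def chain_fingerprints(pem_bundle, algo="sha1"):
    """One colon-separated hex fingerprint per certificate, in bundle order."""
    prints = []
    for block in PEM_BLOCK.findall(pem_bundle):
        der = ssl.PEM_cert_to_DER_cert(block)  # a fingerprint hashes the DER bytes
        digest = hashlib.new(algo, der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints


def normalize(fp):
    """Accept 'ab:cd', 'AB CD' or 'abcd', as typed or read out by a person."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def chain_has(pem_bundle, known_fp, algo="sha1"):
    """True if any certificate in the bundle has the fingerprint the user knows.

    This identifies the certificate bytes only. It does not check that the
    server certificate is actually signed by that CA; chain validation does.
    """
    want = normalize(known_fp)
    return any(normalize(fp) == want for fp in chain_fingerprints(pem_bundle, algo))


def same_top_cert(bundle_a, bundle_b, algo="sha256"):
    """Do two servers present the same last (CA) certificate in their chains?"""
    a, b = chain_fingerprints(bundle_a, algo), chain_fingerprints(bundle_b, algo)
    return bool(a) and bool(b) and a[-1] == b[-1]


# Constructed sample input: arbitrary bytes wrapped as PEM so this runs offline.
CA = ssl.DER_cert_to_PEM_cert(b"constructed root CA bytes")
FOO = ssl.DER_cert_to_PEM_cert(b"constructed foo.example.com bytes") + CA
BAR = ssl.DER_cert_to_PEM_cert(b"constructed bar.example.com bytes") + CA
OTHER = (ssl.DER_cert_to_PEM_cert(b"constructed leaf bytes")
         + ssl.DER_cert_to_PEM_cert(b"constructed other CA bytes"))

if __name__ == "__main__":
    for depth, fp in enumerate(chain_fingerprints(FOO)):
        print(depth, fp)
```

For a real server, the input is the PEM text of the chain it presents, server certificate first; text between the PEM blocks is ignored.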


8 years ago
Whiteboard: [psm-cert-manager]
Last Resolved: a year ago
Resolution: --- → WONTFIX


a year ago
Product: Core → Core Graveyard