Where is the default certificate store?

I want to add CA certs to Firefox for all users, including new users. Where is the default cert / trust store for Firefox?

All Replies (10)

Firefox uses a file named cert8.db in the profile folder.

About profile folder files: Profiles - Where Firefox stores your bookmarks, passwords and other user data.

There is a tool you can use to programmatically add files to a cert8.db file but I've never tried it myself, so you probably would want to search around for tips from experienced users:

https://developer.mozilla.org/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil
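An added example (not part of the thread, and not Mozilla's code) of the certutil approach mentioned in the reply above: it reads a `profiles.ini`, finds each existing profile folder, and builds the `certutil -A` call that adds a CA to that profile's certificate database. The CA file name, nickname and sample `profiles.ini` are constructed placeholders, and the `cert9.db`/`sql:` handling for newer profiles is an addition beyond the `cert8.db` file named in the thread. It only reaches profiles that already exist.

```python
import configparser
import subprocess
from pathlib import Path

# Constructed sample profiles.ini (not taken from a real system).
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=gone
IsRelative=0
Path=/nonexistent/constructed/profile
"""

def profile_dirs(profiles_ini: Path) -> list:
    """Return every profile folder listed in a Firefox profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(profiles_ini, encoding="utf-8")
    dirs = []
    for section in ini.sections():
        path = ini.get(section, "Path", fallback=None)
        if not section.startswith("Profile") or path is None:
            continue  # skip [General] and other non-profile sections
        # IsRelative=1: Path is relative to the folder holding profiles.ini
        relative = ini.getboolean(section, "IsRelative", fallback=True)
        dirs.append(profiles_ini.parent / path if relative else Path(path))
    return dirs

def certutil_add_cmd(profile: Path, ca_file: Path, nickname: str) -> list:
    """Build the certutil call that adds ca_file as a trusted CA to one profile."""
    # cert8.db is the legacy DBM store; a profile holding cert9.db uses SQLite.
    prefix = "sql:" if (profile / "cert9.db").exists() else "dbm:"
    return ["certutil", "-A", "-n", nickname, "-t", "C,,",
            "-i", str(ca_file), "-d", f"{prefix}{profile}"]

def deploy(profiles_ini: Path, ca_file: Path, nickname: str, dry_run=True) -> list:
    """Add the CA to each existing profile; dry_run only prints the commands."""
    cmds = [certutil_add_cmd(p, ca_file, nickname)
            for p in profile_dirs(profiles_ini) if p.is_dir()]
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds
```

Run `deploy(...)` with the default `dry_run=True` first and review the printed commands before letting it modify any profile.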

Thanks, but I know where my profile is. I want to know where the certificate store in it comes from. If I edit mine, I'm only changing my own settings. If I look for and edit all existing profiles, I'm only changing existing profiles. I want a brand-new user who logs in to get the certificates I want them to have.

hi, for some options to deploy this, please refer to https://wiki.mozilla.org/CA:AddRootToFirefox

Saw that. Doesn't help. Nothing in that article exposes where the store is, just mentions different tools that, presumably, "just know". The Javascript section comes the closest, but something like "@mozilla.org/security/x509certdb;1" is not a filesystem path... something tells Javascript what "@mozilla.org" is, but it sure doesn't tell me!

And on top of that, the link for CCK2 is bad.

Neither of those pages tells me where the default certificate store is.

I found these in a search, not sure if you already found them:

Thanks. So... Mozilla has gone out of their way to hide and obfuscate this as much as possible. Wonderful. Sometimes it seems like developers forget about people using their software and just want to show off how clever they can be. And I've never understood why I should trust Chinese, Russian, Turkish, etc. CAs just because Google or Mozilla or Apple or Microsoft say I should.

I'm going to corner the Firefox folks at the next ScaLE and try to pry some answers or a commitment to change out of them :-)

While it might have been done this way just to make your life difficult, it's also possible that using a compiled file was to reduce the potential for tampering by bad actors.

On the larger question of what CAs to (dis)trust, there may be a mailing list for that: https://lists.mozilla.org/listinfo