Re: Manually editing trusted root CA list in Thunderbird and Firefox
- From: Craig White <craigwhite@xxxxxxxxxxx>
- Date: Sat, 17 Sep 2011 03:24:25 -0700
On Sat, 2011-09-17 at 08:52 +0200, Christoph A. wrote:
> Hi,
>
> I'd like to remove certain root certificates from my trusted list in
> Firefox but any changes I make are not permanent.
> Is there a way to have per-user trusted root lists instead of a system
> wide list? I suppose manual changes are not effective because the list
> is managed via the package ca-certificates.
>
> I'd even like to go so far as to have separate root ca lists for Firefox
> and Thunderbird because for Thunderbird I only need a handful of CAs.

I recently developed a whole methodology of being my own CA using a
series of shell scripts which has taught me quite a bit on the subject
but I've not actually made much effort to uncover all of the details
that comprise the user level certificate stores employed by Mozilla
software but the rest of this e-mail summarizes my current level of
understanding. Also, I have been using Ubuntu server these days because
of the terrible lag in RHEL releases exacerbated by the pathetically
slow CentOS re-spins. Ubuntu is decidedly different w/r/t root
certificate store management (other than the Mozilla internally managed
stuff).

I believe that as part of your login/usage of Firefox & Thunderbird, a
profile is created in ~/.mozilla (FF) and ~/.thunderbird (TB) and within
each of your profiles is a cert8.db file which is a personalized
version of the certificate store relevant only to your profile. This is
what you are maintaining when you 'manage' certificates within FF/TB
Security settings.

As for permanence, I think any time you update FF or TB, it may update
the personal certificate store that your profile(s) maintain but
otherwise should remain untouched (just guessing here...never actually
studied it).

ca-certificates is actually about the root certificate store for the OS
and is not used at all by FF/TB but other software is almost certain to
use it.

Mozilla (actually Netscape) was pretty much the driver of early
development of technologies such as trusted certificates and things like
LDAP (note the similarity of object references such as CN, etc.) and
thus all Mozilla software always maintained its own root certificate
store rather than interface with the root certificate store that the OS
provides.

Craig
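
The per-profile stores described in the message above can be located and inspected from a shell. The following is an added example, not part of the original message: it finds every certificate database under the profile roots named above and, when run with `--list`, prints each store's certificates and trust flags with NSS `certutil`. Assumptions beyond the message: the function names are illustrative, `cert9.db` (the SQLite store used by later Mozilla releases) is handled alongside `cert8.db`, and `certutil` from the NSS tools package is installed.

```shell
#!/bin/sh
# Added example: enumerate per-profile NSS certificate stores (read-only).

# Print one "<nss-prefix>:<profile-dir>" line for each certificate
# database found under the given root directories.
find_nss_stores() {
    for root in "$@"; do
        [ -d "$root" ] || continue          # skip roots that do not exist
        find "$root" -type f \( -name cert8.db -o -name cert9.db \) 2>/dev/null |
        while IFS= read -r db; do
            case "${db##*/}" in
                cert8.db) printf 'dbm:%s\n' "${db%/*}" ;;  # legacy Berkeley DB store
                cert9.db) printf 'sql:%s\n' "${db%/*}" ;;  # SQLite store (assumption: newer releases)
            esac
        done
    done
}

# Show nickname and trust flags for every certificate recorded in each store.
list_store_trust() {
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil (NSS tools) is not installed" >&2
        return 127
    }
    find_nss_stores "$@" | while IFS= read -r store; do
        printf '== %s ==\n' "$store"
        certutil -L -d "$store" || echo "   (could not open $store)" >&2
    done
}

# Run only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--list" ]; then
    list_store_trust "$HOME/.mozilla" "$HOME/.thunderbird"
fi
```

Comparing the listing before and after an application update shows whether a trust change made in one profile survived, and whether the Firefox and Thunderbird stores differ.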