| View previous topic :: View next topic |
| Author |
Message |
musv
Advocate
Joined: 01 Dec 2002
Posts: 3337
Location: de
|
 Posted: Sat Jan 27, 2024 10:39 pm Post subject: Firefox doesn't use self-signed CA |
 |
|
Hi,
I'm playing around for the first time with creating a self-signed CA in my home network.
I used this tutorial.
The created CA (crt not pem) I copied according to the Wiki to /usr/local/share/ca-certificates and called | Code: | | update-ca-certificates |
. Then I created a CSR for the administration surface of my router (Fritzbox), signed it and installed it on my router.
I get a secured connection via Opera and Vivaldi. But Firefox doesn't accept the certificate. In
my ca isn't listet. Is there. I can import the CA in the settings. But that's not satisfying. Is there a way Firefox accepts automatically my self-signed certificate from the system cert store (/etc/ssl, /usr/local/share/ca-certificates)? |
|
| Back to top |
|
 |
spica
Apprentice
Joined: 04 Jun 2021
Posts: 287
|
| Posted: Sat Jan 27, 2024 11:37 pm Post subject: Re: Firefox doesn't use self-signed CA |
|
|
| musv wrote: | | Is there a way Firefox accepts automatically my self-signed certificate from the system cert store (/etc/ssl, /usr/local/share/ca-certificates)? |
Firefox runs own certificate storage. Firefox does not look into /etc/ssl |
|
| Back to top |
|
|
Banana
Veteran
Joined: 21 May 2004
Posts: 1392
Location: Germany
|
|
| Back to top |
|
|
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia
|
| Posted: Sun Jan 28, 2024 8:42 am Post subject: |
|
|
This is not automatic, but a certificate can be imported on the command line by using `certutil` (part of dev-libs/nss) to add it to the relevant SQLite file (should be 'cert9.db'; 'cert8.db' was the old database, using BerkeleyDB format) in the relevant Firefox profile, e.g.:
| Code: | | certutil -d ~/.mozilla/firefox/xxxxxxxx.default/ -A -n cert-nickname -i cert.pem -t "CT,," |
Refer to the certutil(1) man page for details. |
|
| Back to top |
|
|
musv
Advocate
Joined: 01 Dec 2002
Posts: 3337
Location: de
|
| Posted: Sun Jan 28, 2024 9:21 am Post subject: |
|
|
Thanks so far.
Found this thread on askubuntu (3rd answer: policies.json), which lead me to Gentoo-Bugs.
Finally I got it working with:
| /etc/firefox/policies/policies.json: | {
"policies": {
"DisableAppUpdate": true,
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": [
"/usr/local/share/ca-certificates/my-ca.crt"
]
}
}
}
|
With that solution I can live so far. It's better to handle than to touch every profile.
Update: Checked, if I can use a different file name to not to overwrite /usr/lib64/firefox/distribution/policies.json. But that's not working.  |
|
| Back to top |
|
|
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia
|
|
| Back to top |
|
|
musv
Advocate
Joined: 01 Dec 2002
Posts: 3337
Location: de
|
| Posted: Sun Feb 04, 2024 8:37 am Post subject: |
|
|
Please take care. The line
| Code: | | "DisableAppUpdate": true, |
disables the Auto Update function of Firefox. This is already done in /usr/lib64/firefox/distribution/policies.json by the Gentoo Ebuild:
| /var/db/repos/gentoo/www-client/firefox/firefox-122.0.ebuild: | | newins "${FILESDIR}"/disable-auto-update.policy.json policies.json |
I've put into /etc/firefox/policies.json too, because the profiles.json in /etc/ overwrites the policies.json above. But this line has nothing to do with the CA import. |
|
| Back to top |
|
|
|
Networking & Security
