cert9.db has only few certificates
AFAIK, Firefox does not use a system wide certificate store (Or does it on Ubuntu?), but maintains its own one in a file cert9.db within every Firefox profile directory. The file can be inspected using the certutil tool from the libnss3-tools package, but that command shows fewer certificates than one can see in the Firefox GUI.
Here's what I do:
1. Start Firefox by calling
$ firefox -profilemanager
create a new profile within the GUI and start Firefox using the newly created profile.
2. Within Firefox go to
Preferences
=> Privacy & Security
=> Certificates
=> View Certificates
=> Authorities
to see a full list of certificate names.
3. Close Firefox.
4. Look at the new profile's certificate store on the shell:
$ certutil -L -d sql:$HOME/
Certificate Nickname Trust Attributes
DigiCert SHA2 Secure Server CA ,,
Only one certificate is shown. After browsing some sites, the list of shown certificates becomes longer.
Why is that? And how can one retrieve a full list of CA and/or server certificates trusted by Firefox on the shell?
TIA!
Thees
system:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
$ apt-cache policy firefox
firefox:
Installed: 70.0.1+
$ apt-cache policy libnss3-tools
libnss3-tools:
Installed: 2:3.35-2ubuntu2.3
Question information
- Language: English
- Status: Answered
- For: Ubuntu firefox
- Assignee: No assignee
- Last query: 2019-11-18
- Last reply: 2019-11-19
Thees Flatow (fan81) said : | #2 |
Thank you! But I have a hard time seeing how a list of Ubuntu system certificates helps me assess Firefox trust. Can you please elaborate?
Do you mean, in contrast to other platforms, Firefox on Ubuntu makes use of system certificates, by default?
In what way does that list of certificates differ from the list of certificates maintained by Mozilla?
Why is file cert9.db populated with certificates as time goes by?
Thees Flatow (fan81) said : | #3 |
Now seeing, the linked certificates /are/ in fact the Mozilla ones. OK.
According to https:/
It's a SQLite database to manage certificates for the individual user in that profile. Users can have multiple Firefox profiles. The link I gave are system wide certs but can be updated manually to affect all users in all profiles.
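For readers interpreting the `certutil -L` listing quoted in the question, the following is an added example, not part of the thread or of any poster's code. It parses that output and reports what the SSL trust field of each entry means. The flag meanings (C trusted CA, P trusted peer, u user certificate) follow the certutil documentation; all sample rows except the DigiCert one are constructed.

```python
import re
import sys

# A data row is: nickname, whitespace, then three comma-separated flag fields
# (SSL, S/MIME, code signing). Header and blank lines never match this pattern.
ROW = re.compile(
    r"^(?P<nick>.*\S)\s+(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<code>[A-Za-z]*)\s*$"
)

def parse_certutil_list(text):
    """Return [(nickname, ssl, smime, codesign)] from `certutil -L` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["nick"], m["ssl"], m["smime"], m["code"]))
    return rows

def classify(ssl_flags):
    """Describe what the SSL trust field means for server-certificate checks."""
    if "C" in ssl_flags:
        return "trust anchor for server certificates"
    if "P" in ssl_flags:
        return "explicitly trusted peer (server) certificate"
    if "u" in ssl_flags:
        return "user certificate with private key"
    if ssl_flags == "":
        return "stored without explicit trust"
    return "other flags: " + ssl_flags

def report(text):
    """Pair every listed nickname with the meaning of its SSL trust field."""
    return [(nick, classify(ssl)) for nick, ssl, _, _ in parse_certutil_list(text)]

# Constructed sample: the DigiCert row is the one from the question,
# the other two rows are made up for illustration.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert SHA2 Secure Server CA                               ,,
Example Internal Root CA                                     CT,C,
intranet.example.test                                        P,,
"""

if __name__ == "__main__":
    # Pipe real `certutil -L` output in, or run without input to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for nick, meaning in report(text):
        print(f"{nick}: {meaning}")
```

An entry listed with `,,` (as in the question) carries no explicit trust flags in that profile database, so on its own it is not a trust anchor.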