cert9.db has only few certificates

Asked by Thees Flatow on 2019-11-18

AFAIK, Firefox does not use a system-wide certificate store (or does it on Ubuntu?), but maintains its own in a file cert9.db within every Firefox profile directory. The file can be inspected using the certutil tool from the libnss3-tools package, but that command shows fewer certificates than one can see in the Firefox GUI.

Here's what I do:

1. Start Firefox by calling

    $ firefox -profilemanager

create a new profile within the GUI and start Firefox using the newly created profile.

2. Within Firefox go to

   Preferences
     => Privacy & Security
       => Certificates
         => View Certificates
           => Authorities

   to see a full list of certificate names.

3. Close Firefox.

4. Look at the new profile's certificate store on the shell:

    $ certutil -L -d sql:$HOME/.mozilla/firefox/<profile>/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    DigiCert SHA2 Secure Server CA                               ,,

Only one certificate is shown. After browsing some sites, the list of shown certificates becomes longer.

Why is that? And how can one retrieve a full list of CA and/or server certificates trusted by Firefox on the shell?

TIA!
Thees

system:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

$ apt-cache policy firefox
firefox:
  Installed: 70.0.1+build1-0ubuntu0.18.04.1

$ apt-cache policy libnss3-tools
libnss3-tools:
  Installed: 2:3.35-2ubuntu2.3
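
As an added example (not part of the original question, and not code from the Firefox or NSS projects), here is the same inspection done entirely from the shell: resolve the profile directories from profiles.ini instead of guessing the `<profile>` name, run certutil over each profile and classify every entry by its SSL trust flags, and separately dump the roots that come from the NSS built-in root module rather than from cert9.db. Assumptions not stated on the page: profiles.ini lives in `$HOME/.mozilla/firefox`, the built-in module is a `libnssckbi.so` such as `/usr/lib/firefox/libnssckbi.so`, and the sample listing embedded below is a constructed copy of the question's output plus one root.

```shell
#!/bin/sh
# Added example, not from the original question or the Firefox/NSS projects:
# helpers for inspecting Firefox's per-profile NSS database (cert9.db).
# Assumptions: profiles are registered in $HOME/.mozilla/firefox/profiles.ini,
# and the built-in root module is a libnssckbi.so (path given by the caller).

# firefox_profiles BASE: print the absolute profile directories listed in
# BASE/profiles.ini (Path= is relative to BASE unless IsRelative=0).
firefox_profiles() {
    base="$1"
    [ -r "$base/profiles.ini" ] || return 1
    awk -v base="$base" '
        function emit() { if (path != "") print (rel ? (base "/" path) : path) }
        /^\[/          { emit(); path = ""; rel = 1 }
        /^Path=/       { path = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) + 0 }
        END            { emit() }
    ' "$base/profiles.ini"
}

# trust_summary: read `certutil -L` output on stdin and print one
# "<class>: <nickname>" line per certificate, classified by the SSL trust
# flags (first field of the attribute column). Empty flags (",,") are the
# intermediates Firefox caches from visited sites: present in cert9.db, but
# not trusted in their own right, which is why the list grows while browsing.
trust_summary() {
    awk '
        # Data rows end in a flags field such as "CT,C,C" or ",,"; the two
        # header lines do not match because S/MIME and JAR/XPI contain "/".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            nick = $0
            sub(/ +[^ ]+ *$/, "", nick)
            split(flags, f, ",")
            if (f[1] ~ /[CT]/)      cls = "trusted-ca"
            else if (f[1] ~ /P/)    cls = "trusted-peer"
            else if (f[1] ~ /u/)    cls = "user-cert"
            else if (flags == ",,") cls = "cached"
            else                    cls = "other"
            print cls ": " nick
        }
    '
}

# sample_listing: constructed copy of the listing from the question plus one
# trusted root, so trust_summary can be exercised without a Firefox profile.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert SHA2 Secure Server CA                               ,,
DigiCert Global Root CA                                      CT,C,C
EOF
}

# list_builtin_roots LIB: load the NSS built-in root module into a scratch
# database and list everything it exposes. The built-in roots are not stored
# in cert9.db; Firefox loads them from this module at runtime.
list_builtin_roots() {
    lib="$1"
    tmp=$(mktemp -d) || return 1
    certutil -N -d "sql:$tmp" --empty-password
    modutil -dbdir "sql:$tmp" -add builtin -libfile "$lib" -force >/dev/null
    certutil -L -d "sql:$tmp" -h all
    rm -rf "$tmp"
}

# list_profile_certs BASE: run certutil over every profile found under BASE.
list_profile_certs() {
    firefox_profiles "$1" | while read -r dir; do
        echo "== $dir"
        certutil -L -d "sql:$dir" | trust_summary
    done
}

# Offline demonstration on the constructed listing above.
sample_listing | trust_summary
```

On a real system, `list_profile_certs "$HOME/.mozilla/firefox"` shows what each profile's cert9.db holds, and `list_builtin_roots /usr/lib/firefox/libnssckbi.so` (path assumed) shows the roots the GUI lists under Authorities; the union of the two, minus the `cached` entries, is the set Firefox actually trusts.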

Question information

Language: English
Status: Answered
For: Ubuntu firefox
Assignee: No assignee
Last query: 2019-11-18
Last reply: 2019-11-19
Thees Flatow (fan81) said : #2

Thank you! But I have a hard time seeing how a list of Ubuntu system certificates helps me assess Firefox trust. Can you please elaborate?

Do you mean, in contrast to other platforms, Firefox on Ubuntu makes use of system certificates, by default?
In what way does that list of certificates differ from the list of certificates maintained by Mozilla?
Why is file cert9.db populated with certificates as time goes by?

Thees Flatow (fan81) said : #3

Now I see that the linked certificates /are/ in fact the Mozilla ones. OK.

According to https://wiki.mozilla.org/CA/AddRootToFirefox "real diehard, you can use certutil to update the Firefox certificate databases from the command line". Since that cert9.db file still exists on Ubuntu Firefox, it seems I cannot rely on information from the ca-certificates package/directory only. Can anyone shed some light on what role the cert9.db file from a Firefox profile plays on Ubuntu?

It's an SQLite database that manages certificates for the individual user in that profile. Users can have multiple Firefox profiles. The link I gave is to system-wide certs, but they can be updated manually to affect all users in all profiles.
