Firefox: How to audit & reset the list of trusted servers/CAs
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Issue
- How can I check or reset the trusted sites/certificates in Mozilla Firefox?
Resolution
System-wide CA database
- Firefox pulls CA certs from the system-wide database. Secure that first; see: How to reset the list of trusted CA certificates in RHEL 6 and later?
Intro to Firefox per-user configuration
- There is a per-user overlay which allows:
  - explicit import of new CAs
  - site-specific overrides (i.e., trusting a site without importing a CA)
  - explicit trust-modification of system-provided CAs (e.g., effectively deleting a top-level CA)
  - automatic caching of intermediate CAs
- Firefox provides an interface to view and modify the per-user certificate overlay under:
  - Preferences → Advanced → Certificates → View Certificates
Auditing Firefox per-user configuration from the command-line
- Close all instances of Firefox for the relevant user.
  This is necessary because changes made on the command line can be reverted when Firefox shuts down.
- Reset/edit the per-user overrides file at ~/.mozilla/firefox/*.default/cert_override.txt
  This is where site-specific exceptions are stored.
  Note that by default this file doesn't exist or is empty. Therefore, it's fine to simply delete it:
      rm ~/.mozilla/firefox/*.default/cert_override.txt
  Alternatively, inspect it with the following command (it prints the host:port of every override, skipping comment lines):
      awk '/^[^#]/ {print $1}' ~/.mozilla/firefox/*.default/cert_override.txt
- Reset/edit the per-user NSS database at ~/.mozilla/firefox/*.default/
  Modifications to system CA certs (e.g., trust changes) are stored here, as are cached [intermediate] CA certs and site certs (to be used with the overrides file above).
  Note that by default this database is empty. It's fine to simply delete it:
      rm ~/.mozilla/firefox/*.default/cert8.db
  Alternatively, inspect it first with the following command:
      certutil -L -d ~/.mozilla/firefox/*.default/
  Note the Trust Attributes column in the output:
  - Most certs will have only two commas in the trust column. This means the cert is useless without a proper chain of trust up to a trusted CA; the cert only exists in the db because Firefox cached it.
  - Any certs with characters in the trust column warrant inspection. See the certutil man page (search for -t trustargs) for details on what the flags mean.
  Inspect a specific cert by appending -n "NICKNAME" to the end of the certutil command (make sure to include the full nickname in quotes to protect against shell word-expansion):
      certutil -L -d ~/.mozilla/firefox/*.default/ -n "corp.example.com"
      certutil -L -d ~/.mozilla/firefox/*.default/ -n "Fake Untrustable CA"
  Delete a specific cert by changing -L to -D:
      certutil -D -d ~/.mozilla/firefox/*.default/ -n "corp.example.com"
      certutil -D -d ~/.mozilla/firefox/*.default/ -n "Fake Untrustable CA"
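The audit steps above, combined into one script as an added example (not part of the Red Hat article): it parses certutil -L output to report only certs whose trust column is not the bare ",," of a cached cert, and parses cert_override.txt to report each site override with its flag letters. The function names, the sample profile contents, and the fingerprint/key values are constructed for this example; run audit_profile against a single profile directory rather than the *.default glob, which breaks -d when more than one profile exists.

```shell
# Added example, not from the Red Hat article: audit a Firefox profile's
# per-user trust overlay. Both parsers read stdin so they can be exercised on
# the constructed samples below; audit_profile() feeds them the real files.
# Print "TRUST<TAB>NICKNAME" for each certutil -L row whose Trust Attributes
# column is not the bare ",," of a merely cached cert. Nicknames may contain
# spaces, so the trust column is the last field and the nickname is the rest.
flag_trusted_certs() {
    awk '
        # A trust column is three comma-separated groups of NSS flag letters
        # (p P c C T u w); this test also skips the SSL,S/MIME,JAR/XPI header.
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ && $NF != ",," {
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)
            printf "%s\t%s\n", $NF, nick
        }'
}
# Print "HOST:PORT<TAB>FLAGS" for each site override. The file is tab-separated:
# host:port, fingerprint OID, fingerprint, override flags, issuer/serial key.
# Flag letters: M = hostname mismatch, U = untrusted issuer, T = validity period.
list_site_overrides() {
    awk -F '\t' '/^[^#]/ && NF >= 4 { printf "%s\t%s\n", $1, $4 }'
}
# Run both checks on one profile directory. Close Firefox first, as the article
# says; prefix the directory with dbm: (cert8.db) or sql: (cert9.db) if certutil
# opens the wrong database format by default on your NSS version.
audit_profile() {
    echo "== Certs with explicit trust settings in $1"
    certutil -L -d "$1" | flag_trusted_certs
    echo "== Site-specific overrides in $1"
    if [ -f "$1/cert_override.txt" ]; then
        list_site_overrides < "$1/cert_override.txt"
    fi
}
# Constructed sample data (fingerprints and db keys are placeholders).
sample_certutil() {
    printf '%s\n' \
        'Certificate Nickname                   Trust Attributes' \
        '                                       SSL,S/MIME,JAR/XPI' \
        '' \
        'corp.example.com                       ,,' \
        'Fake Untrustable CA                    CT,C,C' \
        'Some Root CA                           p,p,p'
}
sample_overrides() {
    printf '# PSM Certificate Override Settings file\n'
    printf 'corp.example.com:443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC\tU\tAAAA\n'
    printf 'intranet.example.com:8443\tOID.2.16.840.1.101.3.4.2.1\tDD:EE:FF\tMT\tBBBB\n'
}
```

On the sample, the "p,p,p" row is what a system CA looks like after a user has distrusted it in the Firefox UI, which is the "effectively deleting a top-level CA" case from the intro.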
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.