How To Override Default Root Certificate Settings

This page describes how to override the default root certificate settings in Mozilla products, including Firefox and Thunderbird.

See the Root Change Process if you are looking for instructions for changing default root certificates in Mozilla products.

When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla may include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.

CAs apply to have their root certificates included by default in Mozilla products by following the Mozilla CA Certificate Policy and applying for inclusion as per CA:How_to_apply.

Some browsers only display the root certificates that the user has actually used. Even though the user only sees a small number of root certificates, the browser actually has a larger number of root certificates that are implicitly trusted. The moment the user browses to a website whose SSL cert chains up to a root certificate that is in the browser's trusted list, the root will be imported and then be visible. Therefore, even though the root cert was not visible to the user before, it was still already implicitly trusted by the browser. Mozilla believes it is important for users to know the root certificates that could be used, so the full set of default certificates is always shown. Since you know the list of root certificates that could be used if you browsed to a website whose SSL certificate chained up to them, you can edit the trust bits for the root certificates that you do not want to use.

Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate. The sections below describe how to make these changes, and how the software responds to such changes.

Important: If you change the trust bits of a root certificate, that change will be permanent (can only be changed again by you) and will not be affected by upgrading to newer versions of the software.

Important: Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off.

Untrusted Connection Error Messages

When you visit a website whose web address starts with https, your communication with the site is encrypted to help ensure your privacy. Before starting the encrypted communication, the website will present Firefox with a certificate to identify itself. The certificate helps Firefox determine whether the site you're visiting is actually the site that it claims to be. If there is a problem with the certificate, you will see the This Connection Is Untrusted alert page.

• If you are seeing the untrusted connection error message, then start here: https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Importing a Root Certificate

Root certificates may be imported and their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.

The following describes how to manually import a root certificate into your installation of Firefox and other Mozilla products.

Important: This change will be permanent, such that it can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software.

Firefox

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Firefox menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Click on Import...
7. Select the file of the Root Certificate that you want to import
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window

Thunderbird

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Thunderbird menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Click on Import...
7. Select the file of the Root Certificate that you want to import
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window

SeaMonkey

1. Open the Preferences window:
   • On Windows: Pull down the Edit menu and select Preferences
   • On Mac: Pull down the SeaMonkey menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Privacy & Security
3. Select Certificates
4. Click on Manage Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Click on Import...
7. Select the file of the Root Certificate that you want to import
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Preferences window
11. Close and restart SeaMonkey

Changing Root Certificate Trust Bit Settings

Root certificates that are included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.

The following describes how to change these settings in your installation of Firefox and other Mozilla products.

Important: This change will be permanent, such that it can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software.

Caution: If you turn off the websites trust bit of a commonly used root certificate, you may get an "Untrusted Connection" error when you navigate to a website that you regularly use. Therefore, it is strongly recommended that you note which root certificate you modify, so that you can turn the trust bit back on if the change negatively impacts your browsing experience.

Firefox

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Firefox menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to change
7. Click on Edit Trust...
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window
11. Close and restart Firefox

Thunderbird

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Thunderbird menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to change
7. Click on Edit Trust...
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window
11. Close and restart Thunderbird

SeaMonkey

1. Open the Preferences window:
   • On Windows: Pull down the Edit menu and select Preferences
   • On Mac: Pull down the SeaMonkey menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Privacy & Security
3. Select Certificates
4. Click on Manage Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to change
7. Click on Edit Trust...
8. Select/Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Preferences window
11. Close and restart SeaMonkey

Deleting a Root Certificate

When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products the Mozilla Foundation and its wholly-owned subsidiary the Mozilla Corporation include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs).

The following describes how to delete a root certificate from your current instance of Firefox and Thunderbird.

Important: Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off.

Important: This change will have a permanent affect, such that the trust bits for the root certificate can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software.

Caution: It is strongly recommended that you note which root certificate you modify, so that you can turn the trust bits back on if the change negatively impacts your browsing experience.

Firefox

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Firefox menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to delete
7. Click on Delete...
8. If you are sure you want to delete that root certificate, click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window

Thunderbird

1. Open the Options/Preferences window:
   • On Windows: Pull down the Tools menu and select Options…
   • On Mac: Pull down the Thunderbird menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to delete
7. Click on Delete...
8. If you are sure you want to delete that root certificate, click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window

SeaMonkey

1. Open the Preferences window:
   • On Windows: Pull down the Edit menu and select Preferences
   • On Mac: Pull down the SeaMonkey menu and select Preferences...
   • On Linux: Pull down the Edit menu and select Preferences
2. Select Privacy & Security
3. Select Certificates
4. Click on Manage Certificates to open the Certificate Manager
5. Select Authorities
   • Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products.
6. Select the Root Certificate that you want to delete
7. Click on Delete...
8. If you are sure you want to delete that root certificate, click on OK
9. Click on OK in the Certificate Manager
10. Close the Preferences window

How Mozilla Products Respond to User Changes of Root Certificates

The following explains how Mozilla products behave when users change or delete root certificates.

For simplicity, the following assumes the basic and most common configuration, in which you have only the software distributed by Mozilla and do not have any additional PKCS#11 modules (with or without any additional hardware) installed that may be capable of storing additional certificates. The model with them is slightly more complicated than the one described here.

Network Security Services (NSS) is capable of accessing certificates that have been stored in a number of places, all accessible through the PKCS#11 API. The two places of greatest interest are

1. Your certificate database, which is kept in a file on disk that you can alter. It starts out empty. Any root certificates it contains are there because of actions that you have taken, such as downloading or importing roots, or editing trust flags. As a rule, an update to your Mozilla installation of a Mozilla product will not change the contents of this database. (Rarely, it may change the FORMAT of the database, but not the content.)
2. Mozilla's built-in root list, kept in a read-only shared library which is one of the files that gets updated whenever your product's executable files get updated.

Both of these stores of certificates may contain certificates and trust flags.

When NSS goes looking for a stored certificate, or trust flags for a stored certificate, it first looks in your certificate database. If it finds the certificate there, it stops. It uses whatever trust flags are there in that database with that certificate.

If it does NOT find the certificate it wants in that database, it looks in Mozilla's built-in root list. If it finds the cert there, then it uses the cert and trust flags it finds there. It does not copy the cert and flags from the built-in root list into your database. It just uses them where and as they are.

When you use your product's certificate manager to edit the trust flags on a certificate, the cert manager first looks for the cert in your database, and if it's there, then that copy gets edited. If it's not there, then cert manager looks for a copy in the built-in root list, and if found, copies it and its flags into your data base, and then edits it there. (After all, it cannot edit the copy in the built-in list, because that copy is read-only.) After that, that cert will remain in your database, and each time that the product goes looking for it, it will find it in your database, not in the built-in list.

If you delete a cert in your database that is also in the built-in list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the built-in root list. However, the trust bits will be turned off for the root.

If you edit the trust on a cert in the root list, taking away (say) one of the 3 trust flags, but leaving the other two, then that cert and the two trust bits will be in your cert DB. After that, if Mozilla removes that cert completely from the built-in list, it will remain in your cert DB with those two trust flags. Mozilla's changes to the built-in list never affect your databases. Your databases contain what YOU put there. They're your changes, your responsibility.

In conclusion, the changes Mozilla makes to Mozilla's read-only list of built-in root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you.

How To Restore Default Root Certificate Settings

The changes that you make to security certificate settings are stored in a profile file named cert8.db.

Relevant Firefox Help articles:

• About Profiles
  • Security certificate settings: The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox.
• Backing Up Your Profile Information
• Recovering Your Profile Information

To restore the default Root Certificate Settings:

1. Locate the cert8.db file as described in Backing Up Your Profile Information.
2. Shut down Firefox
3. Move the cert8.db file into a different folder/directory.
4. Restart Firefox

Note: on Mac OS X Mountain Lion the Library folder is hidden. To find it, go into Finder, click on the "Go" pull-down menu while holding the Option key and select "Library." From Terminal the following command will make the hidden Library folder visible: chflags nohidden ~/Library. To hide the Library folder again type the following command: chflags hidden ~/Library

Restoring the Default Trust Bits for a Single Built-In Root Certificate

If you have edited the trust bits of a built-in root certificate, causing it to be copied to your personal database, you may wish to delete the copy from your database so that the default trust bits are again used. (Simply editing the trust bits to match the defaults would not give you the benefit of any updates Mozilla may later make to the defaults.) There is currently no UI to do this (bug 558222), but you can use the NSS certutil command-line tool. certutil does not ship with Mozilla products, and NSS itself does not have official binary releases at this time, but you can build certutil from source, or your OS distribution may include it (Fedora: nss-tools, Debian/Ubuntu: libnss3-tools).

To delete a certificate from your personal database:

1. Note the Certificate Name as shown in the Certificate Manager.
2. Locate your profile.
3. Shut down the Mozilla application.
4. Run:

certutil -d PROFILE_DIR -D -n CERT_NAME

substituting the path of your profile directory and the certificate name.
5. Restart the Mozilla application.

Listing All Non-Default Root Certificate Settings

There is currently no UI to list all built-in root certificates for which you have overridden the default trust settings (bug 545498). However, you can use the certutil tool described in the previous section to list all the certificates in your personal database, which includes built-in root certificates whose trust you have changed along with added root certificates and many other kinds of certificates.

Run this command (doing it while the Mozilla application is running is probably unsupported but does not seem to cause problems in practice):

certutil -d PROFILE_DIR -L

Root certificates will have trust fields of c, indicating a disabled trust bit, or CT or C, indicating an enabled trust bit. For example:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Favorite CA                                               CT,c,c
Wiretaps R Us CA                                             c,c,c