CA/Changing Trust Settings

5,113 bytes removed, 10:13, 5 May 2017
Cleanup
This page describes how to change the default root certificate trust settings in Mozilla products, including Firefox and Thunderbird.

If you are seeing "Your connection is not secure" errors and you don't know why, visit [https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean this support page].

Some browsers only display root certificates that the user has actually used, and dynamically download new ones on demand. However, Mozilla believes it is important for users to know the root certificates that could be used, so the full set of certificates is always shown. This also allows you to edit the trust bits for any root certificates that you do not want to use.
== Important Warnings ==
Following instructions on this page may negatively affect your security or your browsing experience.
If you turn off the websites trust bit of a root certificate, you may get a "Your connection is not secure" error when you navigate to one or more popular websites. Bypassing such errors can be a security risk unless you know what you are doing. Therefore, it is strongly recommended that you '''note which root certificate you modify''', so that you can turn the trust bit back on if the change negatively impacts your browsing experience.

If you change the trust bits of a root certificate or add or delete roots, that change will '''not''' be affected by upgrading to newer versions of the software. It can only be changed again by you.

Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, '''even though the root certificate will re-appear in the Certificate Manager''', it will be treated as though you changed the trust bits of that root certificate to turn them all off.

== Trusting an Additional Root Certificate ==
Root certificates may be imported and their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.
The following describes how to manually import a root certificate into your installation of Firefox and other Mozilla products.
[[Firefox]]
# Close and restart SeaMonkey
== Changing Root Certificate Trust Bit Settings ==
Root certificates that are included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.

The following describes how to change the trust settings for root certificates in your installation of Firefox and other Mozilla products.
[[Firefox]]
# Close the '''Options/Preferences''' window
# Close and restart Firefox
 
[[Thunderbird]]
# Close the '''Options/Preferences''' window
# Close and restart Thunderbird
 
[[SeaMonkey]]
# Close and restart SeaMonkey
== Deleting a Root Certificate ==
The following describes how to delete a root certificate from your current instance of Firefox and Thunderbird.
 
[[Firefox]]
# Click on '''OK''' in the '''Certificate Manager'''
# Close the '''Options/Preferences''' window
 
[[Thunderbird]]
# Click on '''OK''' in the '''Certificate Manager'''
# Close the '''Options/Preferences''' window
 
[[SeaMonkey]]
# Close the '''Preferences''' window
== Restoring the Default Trust Settings for All Root Certificates ==
Read [https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean this Support article] on how to delete the <tt>cert8.db</tt> file.

== Restoring the Default Trust Settings for a Single Root Certificate ==
If you want the cert to again respect any updates Mozilla makes to the default root store, this is extremely difficult. It is far easier to reset the entire store using the instructions above.

== Deeply Geeky Certificate Database Information ==
=== How Mozilla Products Respond to User Changes of Root Certificates ===
The following explains how Mozilla products behave when users change or delete root certificates.
If you delete a cert in your database that is also in the built-in list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the built-in root list. However, the trust bits will be turned off for the root.
If you edit the trust on a cert in the root list, taking away (say) one of the 2 trust flags, but leaving the other one, then that cert and the single trust bit will be in your cert DB. After that, if Mozilla removes that cert completely from the built-in list, it will remain in your cert DB with the remaining trust flag. Mozilla's changes to the built-in list never affect your databases. Your databases contain what YOU put there. They're your changes, your responsibility.
In conclusion, the changes Mozilla makes to Mozilla's read-only list of built-in root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you.
=== Restoring the Default Trust Bits for a Single Built-In Root Certificate ===
If you have edited the trust bits of a built-in root certificate, causing it to be copied to your personal database, you may wish to delete the copy from your database so that the default trust bits are again used. (Simply editing the trust bits to match the defaults would not give you the benefit of any updates Mozilla may later make to the defaults.) There is currently no UI to do this ({{bug|558222}}), but you can use the NSS <code>certutil</code> command-line tool. <code>certutil</code> does not ship with Mozilla products, and [https://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/94d05b904280b6ed NSS itself does not have official binary releases at this time], but you can build <code>certutil</code> from source, or your OS distribution may include it (Fedora: <code>nss-tools</code>, Debian/Ubuntu: <code>libnss3-tools</code>).
=== Listing All Non-Default Root Certificate Settings ===
There is currently no UI to list all built-in root certificates for which you have overridden the default trust settings ({{bug|545498}}). However, you can use the <code>certutil</code> tool described in the previous section to list all the certificates in your personal database, which includes built-in root certificates whose trust you have changed along with added root certificates and many other kinds of certificates.
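As an added example that is not part of this wiki page, the <code>certutil</code> invocations behind the two tasks above (listing what is in the personal database, and deleting your copy of a built-in root so the shipped defaults apply again), plus the command-line equivalent of editing trust bits; the profile path and nicknames are placeholders, and the listing parser is my own, not NSS's.

```shell
#!/bin/sh
# Added example (not from the wiki page): inspect and undo root-trust overrides in a
# Firefox profile with the NSS certutil tool (Fedora: nss-tools, Debian/Ubuntu:
# libnss3-tools). PROFILE_DIR is a placeholder; point it at your real profile directory.
# DB_PREFIX selects the database format: dbm: for a profile holding cert8.db (as this
# page describes), sql: for a newer profile holding cert9.db.
PROFILE_DIR="${PROFILE_DIR:-$HOME/.mozilla/firefox/PLACEHOLDER.default}"
DB_PREFIX="${DB_PREFIX:-dbm:}"

# Reads "certutil -L" output on stdin and prints one line per certificate as
#   <nickname>|<SSL trust>|<S/MIME trust>|<summary>
# summary is "all-off" when every trust flag is cleared (what the profile records when
# you untick or delete a built-in root), "ca" when the cert is trusted as a CA (C or T
# flag) for at least one use, and "other" for anything else (e.g. your own user certs).
summarize_trust() {
  sed 's/[[:space:]]*$//' | while IFS= read -r line; do
    case "$line" in
      ''|'Certificate Nickname'*|*'SSL,S/MIME'*) continue ;;   # header lines
    esac
    trust="${line##* }"                                   # last column, e.g. CT,C,C or ,,
    name="$(printf '%s' "${line% *}" | sed 's/[[:space:]]*$//')"
    ssl="${trust%%,*}"
    rest="${trust#*,}"; smime="${rest%%,*}"
    case "$trust" in
      *[!,]*) case "$trust" in *[CT]*) summary=ca ;; *) summary=other ;; esac ;;
      *)      summary=all-off ;;
    esac
    printf '%s|%s|%s|%s\n' "$name" "$ssl" "$smime" "$summary"
  done
}

# Everything in the personal database is, by the reasoning above, a root whose default
# trust you have overridden or a certificate you added yourself.
list_overrides() {
  certutil -L -d "$DB_PREFIX$PROFILE_DIR" | summarize_trust
}

# Delete your copy of a built-in root so the shipped default trust applies again.
# The nickname is the first column of list_overrides output.
reset_root_to_default() {
  certutil -D -n "$1" -d "$DB_PREFIX$PROFILE_DIR"
}

# Set explicit trust flags on a root (the command-line equivalent of the Certificate
# Manager checkboxes), e.g. set_root_trust "My Corp Internal CA" "CT,C,".
set_root_trust() {
  certutil -M -n "$1" -t "$2" -d "$DB_PREFIX$PROFILE_DIR"
}
```

Run <code>list_overrides</code> with Firefox closed, since the browser holds the database open.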