Changes

CA/Changing Trust Settings

11 bytes added, 14:43, 16 February 2011
Replace a bunch of "trusted" with "built-in" - hopefully less confusing.
# Your certificate database, which is kept in a file on disk that you can alter. It starts out empty. Any root certificates it contains are there because of actions that you have taken, such as downloading or importing roots, or editing trust flags. As a rule, an update to your Mozilla installation of a Mozilla product will not change the contents of this database. (Rarely, it may change the FORMAT of the database, but not the content.)
# Mozilla's trusted built-in root list, kept in a read-only shared library which is one of the files that gets updated whenever your product's executable files get updated.
Both of these stores of certificates may contain certificates and trust flags.
When NSS goes looking for a stored certificate, or trust flags for a stored certificate, it first looks in your certificate database. If it finds the certificate there, it stops. It uses whatever trust flags are there in that database with that certificate.
If it does NOT find the certificate it wants in that database, it looks in Mozilla's trusted built-in root list. If it finds the cert there, then it uses the cert and trust flags it finds there. It does not copy the cert and flags from the built-in root list into your database. It just uses them where and as they are.
When you use your product's certificate manager to edit the trust flags on a certificate, the cert manager first looks for the cert in your database, and if it's there, then that copy gets edited. If it's not there, then cert manager looks for a copy in the trusted cert built-in root list, and if found, copies it and its flags into your data base, and then edits it there. (After all, it cannot edit the copy in Mozilla's the built-in list, because that copy is read-only.) After that, that cert will remain in your database, and each time that the product goes looking for it, it will find it in your database, not in the trusted built-in list.
If you delete a cert in your database that is also in the trusted built-in list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the trusted built-in root list. However, the trust bits will be turned off for the root.
If you edit the trust on a cert in the root list, taking away (say) one of the 3 trust flags, but leaving the other two, then that cert and the two trust bits will be in your cert DB. After that, if Mozilla removes that cert completely from Mozilla's trust the built-in list, it will remain in your cert DB with those two trust flags. Mozilla's changes to the default trust built-in list never affect your databases. Your databases contain what YOU put there. They're your changes, your responsibility.
In conclusion, the changes Mozilla makes to Mozilla's read-only list of trusted built-in root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you.
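Review bot: The rendered diff runs the old and new wording together, so the saved text should be checked for leftover merged phrases and for a consistent name: "Mozilla's trusted built-in root list", "Mozilla's the built-in list", "Mozilla's trust the built-in list" and "default trust built-in list" all refer to the same store, and the edit summary's goal is best served by one term throughout, such as "the built-in root list". The same check applies to "an update to your Mozilla installation of a Mozilla product", which reads as two wordings merged; one of them should stay. The behavioural claims (deleting a built-in root turns its trust bits off rather than removing it; editing trust copies the cert and its flags into the user's database) are unchanged by this pass and consistent with each other as written, so only the terminology needs the follow-up.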
= How To Restore Default Root Certificate Settings =