Changes


CA/Changing Trust Settings

987 bytes added, 17:26, 21 October 2013
How To Override Default Root Certificate Settings
When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, the Mozilla Foundation and its wholly-owned subsidiary, the Mozilla Corporation, include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.
CAs apply to have their root certificates [http://www.mozilla.org/projects/security/certs/included/ included by default in Mozilla products] by following the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy] and applying for inclusion as per [[CA:How_to_apply|CA:How_to_apply]]. Some browsers only display the root certificates that the user has actually used. Even though the user only sees a small number of root certificates, the browser actually has a larger number of root certificates that are implicitly trusted. The moment the user browses to a website whose SSL cert chains up to a root certificate that is in the browser's trusted list, the root will be imported and then be visible. Therefore, even though the root cert was not visible to the user before, it was still already implicitly trusted by the browser. Mozilla believes it is important for users to know the root certificates that could be used, so the full set of default certificates is always shown. Since you know the list of root certificates that could be used if you browsed to a website whose SSL cert chained up to them, you can edit the trust bits for the root certs you do not want to ever trust, as described in this page.
Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate. The sections below describe how to make these changes, and how the software responds to such changes.
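To check the result of such an override, the per-purpose trust bits can be audited from a certificate listing. The following is an added example, not part of the original wiki page or Mozilla's code; it assumes the listing comes from the NSS <code>certutil -L</code> tool (not mentioned on this page), whose trust column has three comma-separated fields for SSL, S/MIME and code signing, and all nicknames in the sample are constructed.

```python
import re

# Constructed sample in the layout assumed for `certutil -L -d <profile dir>`.
# Nicknames are made up; the trust column is SSL,S/MIME,code signing.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA 1                                            C,C,C
Example Mail-Only Root                                       ,C,
Example Distrusted Root                                      ,,
Example Client Auth Root                                     CT,,
"""

PURPOSES = ("ssl", "smime", "code_signing")
# A certificate row: nickname, two or more spaces, then three flag fields.
ROW = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_trust(listing):
    """Return {nickname: {purpose: flag string}} for each certificate row."""
    certs = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or unrecognised row
        flags = m.group("trust").split(",")
        certs[m.group("nick").strip()] = dict(zip(PURPOSES, flags))
    return certs


def trusted_ca_for(certs, purpose):
    """Nicknames flagged 'C' (trusted CA) for the given purpose."""
    return sorted(n for n, t in certs.items() if "C" in t[purpose])


def fully_distrusted(certs):
    """Nicknames still present in the store but with no 'C' bit for any purpose."""
    return sorted(n for n, t in certs.items()
                  if not any("C" in t[p] for p in PURPOSES))


if __name__ == "__main__":
    certs = parse_trust(SAMPLE)
    for purpose in PURPOSES:
        print(purpose, "->", trusted_ca_for(certs, purpose))
    print("no trust bits ->", fully_distrusted(certs))
```
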