Account confirmers, Anti-spam team, Bureaucrats, canmove, Confirmed users, Interface administrators, Module owners and peers, smwadministrator, smwcurator, Administrators, MozillaWiki team, Widget editors
8,312
edits
CA/Changing Trust Settings: Difference between revisions
m
Protected "CA/Changing Trust Settings" ([Edit=Allow confirmed users only] (indefinite) [Move=Allow confirmed users only] (indefinite))
(Replace a bunch of "trusted" with "built-in" - hopefully less confusing.) |
m (Protected "CA/Changing Trust Settings" ([Edit=Allow confirmed users only] (indefinite) [Move=Allow confirmed users only] (indefinite))) |
||
| (21 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
This page describes how to change the default root certificate trust settings in Mozilla products, including Firefox and Thunderbird. | |||
If you are seeing "Your connection is not secure" errors and you don't know why, visit [https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean this support page]. | |||
Some browsers only display the root certificates that the user has actually used, and dynamically download new ones on demand. However, Mozilla believes it is important for users to know the root certificates that could be used, so the full set of certificates is always shown. This also allows you to edit the trust bits for any root certificates that you do not want to use. | |||
== Important Warnings == | |||
Following instructions on this page may negatively affect your security and/or your browsing experience. | |||
If you turn off the websites trust bit of a commonly used root certificate, you may get an "Your connection is not secure" error when you navigate to one or more popular websites. Bypassing such errors can be a security risk unless you know what you are doing. Therefore, it is strongly recommended that you '''note which root certificate you modify''', so that you can turn the trust bit back on if the change negatively impacts your browsing experience. | |||
If you change the trust bits of a root certificate or add or delete roots, that change will be will '''not''' be affected by upgrading to newer versions of the software. It can only be changed again by you. | |||
Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, '''even though the root certificate will re-appear in the Certificate Manager''', it will be treated as though you changed the trust bits of that root certificate to turn them all off. | |||
== | == Trusting an Additional Root Certificate == | ||
The following describes how to manually import a root certificate into your installation of Firefox or other Mozilla products. | |||
# Open the '''Options/Preferences''' window: | # Open the '''Options/Preferences''' window: | ||
#* On Windows: Pull down the '''Tools''' menu and select '''Options…''' | #* On Windows: Pull down the '''Tools''' menu and select '''Options…''' | ||
#* On Mac: Pull down the '''Firefox''' menu and select '''Preferences...''' | #* On Mac: Pull down the '''Firefox''' menu and select '''Preferences...''' | ||
#* On Linux: Pull down the '''Edit''' menu and select '''Preferences''' | #* On Linux: Pull down the '''Edit''' menu and select '''Preferences''' | ||
# Select ''' | # Select '''Privacy & Security''' | ||
# | # Scroll down to the '''Certificates''' section | ||
# Click on '''View Certificates''' to open the '''Certificate Manager''' | # Click on '''View Certificates..''' to open the '''Certificate Manager''' | ||
# Select '''Authorities''' | # Select '''Authorities''' tab | ||
#* Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products. | #* Note: The root certificates with "Builtin Object Token" as the Security Device are the root certificates that are included by default in Mozilla products. | ||
# Click on '''Import...''' | |||
# Click on ''' | # Select the file of the Root Certificate that you want to import | ||
# Select/Unselect the check-boxes indicating the trust bits, then click on '''OK''' | # Select/Unselect the check-boxes indicating the trust bits, then click on '''OK''' | ||
# Click on '''OK''' in the '''Certificate Manager''' | # Click on '''OK''' in the '''Certificate Manager''' | ||
# Close the '''Options/Preferences''' | # Close the '''Options/Preferences''' tab | ||
== Changing Root Certificate Trust Settings == | |||
To change the trust settings for root certificates in your installation of Firefox or other Mozilla products, follow the instructions above, except when you are in the Authorities tab of the Certificate Manager: | |||
# Select the Root Certificate that you want to change | # Select the Root Certificate that you want to change | ||
# Click on '''Edit...''' | # Click on '''Edit Trust...''' | ||
# Select/Unselect the check-boxes indicating the trust bits, then click on '''OK''' | # Select/Unselect the check-boxes indicating the trust bits, then click on '''OK''' | ||
Close and restart Firefox | |||
== Deleting a Root Certificate == | |||
To delete a root certificate from your current instance of Firefox or other Mozilla products, follow the instructions above, except when you are in the Authorities tab of the Certificate Manager: | |||
# Select the Root Certificate that you want to delete | # Select the Root Certificate that you want to delete | ||
# Click on '''Delete...''' | # Click on '''Delete or Distrust...''' | ||
# If you are sure you want to delete that root certificate, click on '''OK''' | # If you are sure you want to delete that root certificate, click on '''OK''' | ||
Close and restart Firefox | |||
== Restoring the Default Trust Settings for All Root Certificates == | |||
* [https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings Refresh Firefox button] -- Recommended way to restore the security certificate settings. | |||
* [https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean#w_corrupted-certificate-store Manually restore the security certificate settings] -- only perform as last resort. | |||
== Restoring the Default Trust Settings for a Single Root Certificate == | |||
If you want the cert to again respect any updates Mozilla makes to the default root store, this is extremely difficult. It is far easier to reset the entire store using the instructions above. | |||
== Deeply Geeky Certificate Database Information == | |||
== How Mozilla Products Respond to User Changes of Root Certificates == | === How Mozilla Products Respond to User Changes of Root Certificates === | ||
The following explains how Mozilla products behave when users change or delete root certificates. | The following explains how Mozilla products behave when users change or delete root certificates. | ||
| Line 165: | Line 88: | ||
If you delete a cert in your database that is also in the built-in list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the built-in root list. However, the trust bits will be turned off for the root. | If you delete a cert in your database that is also in the built-in list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the built-in root list. However, the trust bits will be turned off for the root. | ||
If you edit the trust on a cert in the root list, taking away (say) one of the | If you edit the trust on a cert in the root list, taking away (say) one of the 2 trust flags, but leaving the other one, then that cert and the single trust bit will be in your cert DB. After that, if Mozilla removes that cert completely from the built-in list, it will remain in your cert DB with the remaining trust flag. Mozilla's changes to the built-in list never affect your databases. Your databases contain what YOU put there. They're your changes, your responsibility. | ||
In conclusion, the changes Mozilla makes to Mozilla's read-only list of built-in root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you. | In conclusion, the changes Mozilla makes to Mozilla's read-only list of built-in root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you. | ||
= | === Restoring the Default Trust Bits for a Single Built-In Root Certificate === | ||
If you have edited the trust bits of a built-in root certificate, causing it to be copied to your personal database, you may wish to delete the copy from your database so that the default trust bits are again used. (Simply editing the trust bits to match the defaults would not give you the benefit of any updates Mozilla may later make to the defaults.) There is currently no UI to do this ({{bug|558222}}), but you can use the NSS <code>certutil</code> command-line tool. <code>certutil</code> does not ship with Mozilla products, and [https://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/94d05b904280b6ed NSS itself does not have official binary releases at this time], but you can build <code>certutil</code> from source, or your OS distribution may include it (Fedora: <code>nss-tools</code>, Debian/Ubuntu: <code>libnss3-tools</code>). | |||
To delete a certificate from your personal database: | |||
# Note the Certificate Name as shown in the Certificate Manager. | |||
# [https://support.mozilla.com/en-US/kb/profiles#w_how-do-i-find-my-profile Locate your profile]. | |||
# Shut down the Mozilla application. | |||
# Run: <syntaxhighlight lang="bash"># for older Mozilla products, leave off the `sql:` part | |||
certutil -d sql:PROFILE_DIR -D -n CERT_NAME</syntaxhighlight> substituting <tt>PROFILE_DIR</tt> with the path of your profile directory and <tt>CERT_NAME</tt> with the certificate name. | |||
# Restart the Mozilla application. | |||
=== Listing All Non-Default Root Certificate Settings === | |||
There is currently no UI to list all built-in root certificates for which you have overridden the default trust settings ({{bug|545498}}). However, you can use the <code>certutil</code> tool described in the previous section to list all the certificates in your personal database, which includes built-in root certificates whose trust you have changed along with added root certificates and many other kinds of certificates. | |||
Run this command (doing it while the Mozilla application is running is probably unsupported but does not seem to cause problems in practice): | |||
<syntaxhighlight lang="bash"> | |||
# for older Mozilla products, leave off the 'sql:' part | |||
certutil -d sql:PROFILE_DIR -L | |||
</syntaxhighlight> | |||
where <tt>PROFILE_DIR</tt> is the path to your profile as noted above. | |||
Root certificates will have trust fields of <code>c</code>, indicating a disabled trust bit, or <code>CT</code> or <code>C</code>, indicating an enabled trust bit. For example: | |||
<pre> | |||
Certificate Nickname Trust Attributes | |||
SSL,S/MIME,JAR/XPI | |||
My Favorite CA CT,c,c | |||
Wiretaps R Us CA c,c,c | |||
</pre> | |||