Add a private / custom Certificate Authority (CA) to the firefox trust store
The CAcert root certificate is not included in Debian or Firefox, and is thus a good example for adding a private CA. Note that this does not mean we specifically endorse this CA; it is just an example.
- Show that an SSL connection to a service whose certificate is signed by the private CA fails:
$ gnutls-cli wiki.cacert.org:443
...
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
- Download the private CA
$ wget http://www.cacert.org/certs/root_X0F.crt
- Test that a connection to the previous service works when the private CA is passed explicitly:
$ gnutls-cli --x509cafile root_X0F.crt wiki.cacert.org:443
...
- Status: The certificate is trusted.
...
- Handshake was completed
...
- Add the private CA to the Debian trust store, /etc/ssl/certs/ca-certificates.crt. Files placed in /usr/local/share/ca-certificates/ with a .crt extension are picked up by update-ca-certificates:
$ sudo cp root_X0F.crt /usr/local/share/ca-certificates/cacert-org-root-ca.crt
$ sudo update-ca-certificates --verbose
...
Adding debian:cacert-org-root-ca.pem
...
- Verify that we can now connect without passing the private CA on the command line:
$ gnutls-cli wiki.cacert.org:443
...
- Status: The certificate is trusted.
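The steps above rely on the file name that update-ca-certificates prints to confirm the CA was merged. As an added example (not part of the original page), the following POSIX shell functions check offline whether the certificate actually present in a file is contained in a PEM bundle such as /etc/ssl/certs/ca-certificates.crt, by comparing the base64 body of the PEM block. The function names and the sample bundle are constructed; the sample "certificates" are PEM-framed placeholder strings, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a CA certificate is
# present in a PEM bundle such as /etc/ssl/certs/ca-certificates.crt by
# comparing the base64 body of the certificate, not just the file name.
# Works offline with awk and grep only; no openssl or network needed.

# Print the base64 body of the first certificate in PEM file $1 as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inside                        { printf "%s", $0 }' "$1"
}

# Print the number of certificates in bundle $1.
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 if the certificate in file $1 is contained in bundle $2, 1 if not,
# 2 if $1 holds no PEM certificate at all.
ca_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    # Join each bundle certificate's base64 lines into one line, then look for
    # an exact (fixed-string, whole-line) match of the candidate body.
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; buf = ""; next }
         /-----END CERTIFICATE-----/   { inside = 0; print buf; next }
         inside                        { buf = buf $0 }' "$2" |
        grep -qxF -- "$body"
}

# Constructed sample data for a stand-alone run: a two-certificate bundle plus
# one certificate that is in it and one that is not. The bodies are placeholder
# base64 strings, not real certificates.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQQ==' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJCQg==' '-----END CERTIFICATE-----' \
        > "$dir/bundle.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJCQg==' '-----END CERTIFICATE-----' \
        > "$dir/present.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0NDQ0NDQw==' '-----END CERTIFICATE-----' \
        > "$dir/absent.crt"
    echo "$dir"
}

samples=$(make_samples)
echo "certificates in sample bundle: $(bundle_count "$samples/bundle.crt")"
if ca_in_bundle "$samples/present.crt" "$samples/bundle.crt"; then
    echo "present.crt: found in bundle"
fi
if ! ca_in_bundle "$samples/absent.crt" "$samples/bundle.crt"; then
    echo "absent.crt: not in bundle"
fi
rm -r "$samples"
```

On a real system, run ca_in_bundle /usr/local/share/ca-certificates/cacert-org-root-ca.crt /etc/ssl/certs/ca-certificates.crt after update-ca-certificates; a non-zero exit means the CA was not merged, for instance because the file lacked the .crt extension that update-ca-certificates requires.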
At this point most applications (curl, the GNOME built-in browser, ...) can connect to systems presenting a certificate signed by the private CA, because they use the Debian system-wide trust store.
However, Firefox uses its own trust store and will still display a security error when connecting to https://wiki.cacert.org. To make Firefox trust the Debian trust store, we need to add a so called ''security device'': an extra library that exposes the Debian trust store through the PKCS#11 interface, which Firefox supports.
- Install the PKCS#11 wrapping library and command line tools:
$ sudo apt install p11-kit p11-kit-modules
- Verify that the private CA is accessible via PKCS#11 and is exported as a trust anchor (not merely present in the store):
$ trust list | grep --context 2 'CA Cert'
pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority

Now we need to add a new security device in Firefox pointing to the PKCS#11 trust module. On amd64 it is located at /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so; on other architectures the path differs, and the dpkg query shows the actual location:
$ dpkg --listfiles p11-kit-modules | grep trust
/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
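The grep above is a quick eyeball check. As an added example (not part of the original page), the following POSIX shell snippet parses trust list style records and reports the PKCS#11 URI of a CA only when its trust value is "anchor", so a certificate that is present but distrusted does not pass. The record layout follows the p11-kit output shown above; the sample records are constructed, and the second one (a made-up distrusted root) is invented to exercise the negative case. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): parse `trust list` style output
# and print the PKCS#11 URI of a CA only when it is exported as a trust anchor.
# The record layout mirrors the p11-kit output shown on the page; the sample
# records below are constructed (the second one is an invented non-anchor
# entry, not a real CA).

SAMPLE_TRUST_LIST='pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority

pkcs11:id=%00%11%22;type=cert
    type: certificate
    label: Example Distrusted Root
    trust: distrusted
    category: authority
'

# Read trust-list records on stdin. Print the URI of the record whose label
# equals $1 and whose trust value is "anchor"; exit 0 if found, 1 otherwise.
# Any other trust value (distrusted, blacklisted, missing) counts as not trusted.
anchor_uri_for_label() {
    awk -v want="$1" '
        function emit() {
            if (uri != "" && label == want && trust == "anchor") { print uri; found = 1 }
            uri = ""; label = ""; trust = ""
        }
        # A URI line starts a new record; emit the previous one first.
        /^pkcs11:/              { emit(); uri = $0; next }
        /^[[:space:]]*label: /  { sub(/^[[:space:]]*label: /, ""); label = $0; next }
        /^[[:space:]]*trust: /  { sub(/^[[:space:]]*trust: /, ""); trust = $0; next }
        END                     { emit(); exit(found ? 0 : 1) }
    '
}

# Run the check against the constructed sample. On a real system, replace the
# printf with `trust list` so the live PKCS#11 trust store is examined.
check_anchor() {
    printf '%s' "$SAMPLE_TRUST_LIST" | anchor_uri_for_label "$1"
}

if uri=$(check_anchor 'CA Cert Signing Authority'); then
    echo "trust anchor found: $uri"
else
    echo "CA Cert Signing Authority is not an anchor in the trust store"
fi
if ! check_anchor 'Example Distrusted Root' >/dev/null; then
    echo "Example Distrusted Root is present but not an anchor"
fi
```

Matching on the exact label rather than a substring avoids accepting a different certificate whose label merely contains the search term, and requiring trust: anchor is what actually matters for the Firefox step that follows.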
In Firefox (tested with version 115 ESR), go to Settings -> Privacy & Security -> Security -> Security Devices.
Then click “Load”; in the popup window use “My local trust” as the module name and /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so as the module filename. After adding the module, you should see it in the list of Security Devices, with /etc/ssl/certs/ca-certificates.crt as its description.
Now restart Firefox and you should be able to browse https://wiki.cacert.org without security errors.
