Adding CA Certificates to Firefox - How?

Running KDE desktop and FF 116.0.3, I have been trying to add the CA Certificate from CAcert.org to my FF because FF does not use the system ssl certificate database in the OS.

All the searches I have found suggest that this is not straight forward. I assumed I could import the .pem bundle but apparently not. If I try and use the Import button in FF Certificate Manager and browse for the file it is not there. But it is there:-

alastair@HP-Z640-1:~> ls /etc/ssl/
ca-bundle.pem  certs  ct_log_list.cnf  engdef.d  engines.d  openssl-1_1.cnf  openssl.cnf  openssl-orig.cnf  private
alastair@HP-Z640-1:~> 

Any help would be much appreciated please.

My mistake, it is there but I have the wrong ownership.
I could try and change the ownership of the .pem file but it should surely remain as root.
Where next?

Why? It is available without restrictions from Internet and it will be stored as your own user when you import it. What are you trying to achieve by restricting its permissions?

I wish to use an X.509 certificate for signing various documents obtained from CAcert.org
In order to obtain this I need to use the CAcert.org website but at every opportunity I get a security popup from Firefox because the signing authority for CAcert.org is not included in the Firefox list.
I have been trying to import the .pem file into the FF system but the .pem file is owned by root so I cannot use the FF import tool and get an error message telling me that I don’t own the file.
That is why I asked.
Please can you answer my question.

I am not sure I understand what “where next” means. If you are asking how to import certificate into your browser - your browser needs to read the file with certificate, so this file has to grant read permissions to the user running this browser.

You should not need to do anything, other than install the package “ca-certificates-cacert”. That’s working fine for me with Leap 15.5. I haven’t tried it with Tumbleweed. But if that doesn’t work with Tumbleweed, I would consider it a bug worth reporting. Or maybe you are using “firefox” that does not come from openSUSE repos.

Yes but I am less confident about attempting to change permissions on a certificate file as I am not sure it will work and might destroy any security I am attempting to deploy.
Similarly I am very unsure about running the browser as root, if this is even possible.
For these reasons I am seeking help and advice on how to have FF work with CAcert.org without having to answer all the warning messages.
Do you know how I can achieve this objective and if so please can you tell me.

Hi nrickert,
As no doubt I will be told, I have conflated two issues. I had been trying to obtain a CA certificate from a free source which led me to CAcert.org.
This led me to using FF to try and obtain the certificate and FF continued to put the security obstacles in my way.
I have installed ca-certificates-cacert in my TW system but not yet used it.

I have been deflected by the FF challenge why CAcert.org is not included and recognised by FF and this is what prompted my post. A rabbit hole I fear but many others have asked this question and I still have not seen a good answer for linux users and my FF has been obtained from the TW repo site so I had assumed there would have been a good answer.
Thanks for the help.

The CA certificates used by Mozilla come from the libnssckbi.so library. The default implementation that is part of Mozilla is provided by the mozilla-nss-certs subpackage and simply contains a static built-in list of approved CAs. It is possible to replace this library with an alternative implementation or explicitly add an additional compatible library as a “Security Device” in Firefox settings.

One alternative implementation is provided by p11-kit, specifically p11-kit-nss-trust package. It gets CA from the well known locations like /usr/share/pki or /etc/pki. But to my best knowledge this package is not installed automatically either on Leap or on Tumbleweed. It is installed on two Leap systems here and I see explicit zypper invocation in /var/log/zypp/history. I have scratch Leap 15.5 I did a couple of days ago to verify some other issue and it includes the standard mozilla-nss-certs. So I am pretty sure it cannot work on default Leap installation unless you specifically configured your system or your Mozilla to use alternative CA source.

That said, Mozilla still differentiates between “approved” CA and arbitrary other one (even system-wide), so even with p11-kit-nss-trust it will warn user that “Connection verified by a certificate issuer that is not recognized by Mozilla”. Which may be rather confusing and give impression that CA is not recognized. See as example
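One way to give Firefox the CA through its own NSS profile database, which is the store the post above says Firefox actually consults, added here as an example and not code from the thread or from openSUSE. It assumes openssl and certutil (mozilla-nss-tools) are installed, that the CAcert roots are present in /etc/ssl/ca-bundle.pem after installing ca-certificates-cacert, and that FIREFOX_PROFILE names the profile directory.

```shell
#!/bin/sh
# Added example, not code from the thread: split the system CA bundle into
# single certificates, pick the CAcert root, and import it into a Firefox
# profile's NSS database (the store Firefox actually consults) with certutil.
# Assumed: openssl and certutil (mozilla-nss-tools) are installed and
# FIREFOX_PROFILE names a directory like ~/.mozilla/firefox/xxxx.default-release
set -eu

# Write one file per certificate in a PEM bundle and print how many were found.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$bundle"
}

# Print the path of the first split certificate whose subject matches a pattern.
find_cert_by_subject() {
    dir=$1; pattern=$2
    for f in "$dir"/cert-*.pem; do
        openssl x509 -noout -subject -in "$f" | grep -qi "$pattern" && { echo "$f"; return 0; }
    done
    return 1
}

# Import one certificate trusted as a CA for TLS servers (flags "C,,"); this
# adds an issuer Firefox trusts, not a personal signing certificate.
import_ca_into_profile() {
    profile=$1; certfile=$2; nick=$3
    certutil -A -d "sql:$profile" -n "$nick" -t "C,," -i "$certfile"
    certutil -L -d "sql:$profile" | grep -F "$nick"
}

# Constructed two-certificate bundle with dummy bodies, used to exercise the splitter.
SAMPLE_BUNDLE=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDummyOne' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIDummyTwo' '-----END CERTIFICATE-----' > "$SAMPLE_BUNDLE"
SAMPLE_DIR=$(mktemp -d)
split_pem_bundle "$SAMPLE_BUNDLE" "$SAMPLE_DIR"   # prints 2

# Real import only when a profile is given; the subject pattern is the root name the thread quotes.
if [ -n "${FIREFOX_PROFILE:-}" ] && command -v certutil >/dev/null; then
    work=$(mktemp -d)
    split_pem_bundle /etc/ssl/ca-bundle.pem "$work" >/dev/null
    root=$(find_cert_by_subject "$work" "CAcert Class 3 Root")
    import_ca_into_profile "$FIREFOX_PROFILE" "$root" "CAcert Class 3 Root"
fi
```

Run it with Firefox closed, since the profile database is locked while the browser is open; the imported entry then appears under Authorities in View Certificates.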

Apparently you have very different idea of how public key cryptography works and we are talking past each other. As you do not explain your version, I leave it to someone who understands you better.

Or you can start with presenting raw facts - what certificate you downloaded (with exact link), where you stored downloaded files, files permissions. And explain what you are going to do with these download files and why you think that changing permissions will have security implication.

Where did I say that you need to run browser as root?

That is unlikely.

What is the output of:

sudo ls -l /etc/ssl

If you installed the package correctly, the default permissions and ownership are correct. If you installed Firefox from the openSUSE repos, no further action should be needed for it to use it.

Note that the CA certs are just used to validate certificates issued against root authorities; they are not certificates for end-user use themselves. If you want a certificate for your own use, you need to purchase one from a certificate authority. If short-lived certificates are OK for your purposes, then you can use something like LetsEncrypt certificates (which are good for 90 days before they have to be renewed).

Probably good to indicate what you would like to accomplish in the end; this is one step in the process, but what do you want to accomplish with that? I am not sure getting a CA certificate from CAcert is what you need, but for that we need to know what you want to accomplish on a higher level.

I did open the cacert.org website, it did come up in http mode. I changed http to https and saw the Warning: Potential Security Risk Ahead. Clicking further it looks to me you have to add the CAcert Class 3 Root.

When I would like to import it, I would follow something like:

Many thanks for the excellent and authoritative answer on the Mozilla CA certificates which is very helpful.
You are right about my knowledge of public key cryptography: almost none and am trying to learn.
Once I learned that I needed to install the CAcert certificates package I did this:-

alastair@HP-Z640-1:~> sudo zypper in ca-certificates-cacert

This gave me the package installed as I expected:-

alastair@HP-Z640-1:~> sudo ls -l /etc/ssl
[sudo] password for root: 
total 56
lrwxrwxrwx 1 root root    43 Jun 14 21:05 ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root    33 Jun 14 21:05 certs -> ../../var/lib/ca-certificates/pem
-rw-r--r-- 1 root root   412 Aug 12 15:05 ct_log_list.cnf
drwxr-xr-x 1 root root     0 Aug 12 16:26 engdef.d
drwxr-xr-x 1 root root     0 Aug 12 16:26 engines.d
-rw-r--r-- 1 root root 11344 Aug 12 16:26 openssl-1_1.cnf
-rw-r--r-- 1 root root 12513 Aug 12 15:05 openssl.cnf
-rw-r--r-- 1 root root 12513 Aug 12 15:05 openssl-orig.cnf
drwx------ 1 root root     0 Aug 12 15:05 private

What I have been learning is that although the above package is installed correctly my problems start because, I now understand, Firefox, Thunderbird and LibreOffice do not use the system installed security files but use a package from Mozilla as you have explained.

Having discovered that my newly installed CAcert package was not visible in the certificate list shown in Firefox (FF) I tried to upload the certificate into FF using the tool provided in FF. This process required me to browse to the location of the certificate I had been trying to upload and when I selected ca-bundle.pem that I had just installed I had the error message:-

This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested.

It was at this point and in my ignorance I had been groping for solutions and do appreciate the informed help I am receiving, for which many thanks.

My end objective is to be able to have a unique and “permanent” CA Certificate which I can use in LibreOffice to “sign” pdf documents which I have to send to third parties and which cannot be edited by others without, at least, a warning that the document has been edited. I had no idea that so much work and effort would be required before I can get on with the real work objective of securing these documents, of which there are many to be processed, and am grateful for all the help being given.

Do you want to go others to go through the same “pain” of installing certificates? :wink:

Hi hendersj,
Many thanks and yes I do need a certificate for our own use. It was embarking on this route that led me, along with snares and pitfalls on the way, to where I am now, but I think I am slowly making progress.
This really shouldn’t be this difficult but I guess not mainstream for commercial users who still work on Windows systems.

This is an important point. There is a hiatus in my knowledge here because I have not been able to try the intended end product.
LibreOffice document digital signatures, as I understand them, do not prevent the reading of a signed document but give a warning to the reader if it has been amended.

Because some recipients of the documents may be averse to files with .odt or .ods and may cause problems with some systems, even though these have been accepted by UK Government, I intended to use .pdf so have been working on exporting with digital signature.

I have not yet been able to try this so I have no idea whether the pdf file will be opened by recipient. Perhaps you can advise.

Hi marel,
Many thanks for the link you included. In fact I had already been following the path you suggested. My problem is that I had been looking for a certificate but have not yet created one. I had wrongly been thinking the ca-bundle.pem was the certificate.
I am about to create my own certificate using CAcert now I have joined but your point concerning pain for others is a good one and I do not know the answer until I have tried it as I explained in another reply. My problem is that until FF works with CAcert I cannot generate my certificate!

Far from sure I would go this way, browsing a bit I think a self-signed certificate is sufficient.

I installed the p11-kit-nss-trust package in FF and note this replaces the original authority list but when I look into it using the View Certificates window CAcert is not listed but the p11 module is listed in the Devices tab. An examination of the CACert.org website once logged in suggests that support is possibly not keeping up with FF.

I am taking your advice, giving up on my first venture into CA Certificates and finding another way along the several options suggested which hopefully will be less painful.
