How to use the OS Trust Store with Firefox/Chrome

Hello,
I am struggling with the OS trust store and my own CA certificate. I have installed my CA’s root certificate under /etc/ssl/certs and of course I ran /usr/sbin/update-ca-certificates. However, neither FF nor Chrome seems to use the OS trust store. In both browsers I get the “non-trusted cert” messages when I visit my sites.

I am puzzled because on Fedora this is working as expected. Is there any option that I should enable on the browsers, or anywhere on the system in order to recognize my certificates?

Both Firefox and Chrome are using compiled built-in certificates and do not support any explicit option for a system-wide certificate store on Linux.

There is a libnssckbi.so replacement that gets certificates from p11-kit instead of the compiled built-in ones. It is quite possible that Fedora enables it by default (IIRC it was initiated by RH). I believe I briefly tested it with Firefox on openSUSE in the past, but I may be mistaken. Theoretically it should also work for Chrome, but Chromium issue 16387 (“Need an NSS change to read system-wide SSL root certificates on Linux”) suggests that it is not enough.

The fact that it works on Fedora for both Firefox and Chrome means that something is working properly there. At least now I have something to dig into.
Many thanks.

Finally, I made some very good progress.
The solution is extremely simple, actually.

zypper in p11-kit-nss-trust and accept the removal of mozilla-nss-certs.
I don’t have any FF update to check what happens with the zypper dist-upgrade, but if needed I will blacklist the mozilla-nss-certs. It works with both Chrome and Firefox.

BTW, can a moderator please change the title?

  1. It’s not the right one; one like “How to use the OS Trust Store with Firefox/Chrome” would be better.
  2. I want to add the “SOLVED” in the title.
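A way to check the result described in the post above, added here as an example and not part of the original thread: the function reads `trust list` output from p11-kit (the source the libnssckbi.so replacement draws on) and reports whether a given CA label is a trusted authority anchor. The sample output and CA labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a CA label appears as a trusted authority
# anchor in p11-kit `trust list` output supplied on stdin.

# ca_is_anchor LABEL -> exit 0 if an object with exactly that label has
# "trust: anchor" and "category: authority", otherwise exit 1.
ca_is_anchor() {
    awk -v want="$1" '
        function check() {
            if (label == want && trust == "anchor" && category == "authority")
                found = 1
            label = ""; trust = ""; category = ""
        }
        /^pkcs11:/ { check(); next }      # a new object starts here
        {
            line = $0
            sub(/^[ \t]+/, "", line)      # strip the field indentation
            if (line ~ /^label: /)    label    = substr(line, 8)
            if (line ~ /^trust: /)    trust    = substr(line, 8)
            if (line ~ /^category: /) category = substr(line, 11)
        }
        END { check(); exit (found ? 0 : 1) }
    '
}

# Constructed sample in the layout `trust list` prints (labels are made up).
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%AA%01;type=cert
    type: certificate
    label: Example Public Root
    trust: anchor
    category: authority

pkcs11:id=%BB%02;type=cert
    type: certificate
    label: My Internal Root CA
    trust: anchor
    category: authority

pkcs11:id=%CC%03;type=cert
    type: certificate
    label: Old Distrusted CA
    trust: distrusted
    category: authority
EOF
}

# Demo on the sample; on a real system pipe in: trust list --filter=ca-anchors
sample_trust_list | ca_is_anchor "My Internal Root CA" && echo "anchor present"
```

A label that is missing, or present only as a distrusted entry, makes the function return non-zero, which is the case where the browsers would still show the untrusted-certificate warning.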

Changed the title.
We do not add specific Solved tags. The fact that you say you are satisfied (as you did) is enough.
