Hello,
I struggle with the OS trust store and my own CA certificate. I have installed my CA’s root certificate under /etc/ssl/certs and of course I ran /usr/sbin/update-ca-certificates. However, both FF and Chrome do not seem to use the OS trust store. In both browsers I get the “non-trusted cert” messages when I visit my sites.
I am puzzled because on Fedora this is working as expected. Is there any option that I should enable on the browsers, or anywhere on the system in order to recognize my certificates?
Both Firefox and Chrome are using compiled built-in certificates and do not support any explicit option for a system-wide certificate store on Linux.
There is a libnssckbi.so replacement that gets certificates from p11-kit instead of the compiled built-in ones. It is quite possible that Fedora enables it by default (IIRC it was initiated by RH). I believe I briefly tested it with Firefox on openSUSE in the past, but I may be mistaken. Theoretically it should also work for Chrome, but "16387 - Need an NSS change to read system-wide SSL root certificates on Linux - chromium" suggests that it is not enough.
The fact that it works on Fedora for both Firefox and Chrome means that something is working properly there. At least now I have something to dig into.
Many thanks.
Finally, I made some very good progress.
The solution is extremely simple, actually.
zypper in p11-kit-nss-trust and accept the removal of mozilla-nss-certs.
I don’t have any FF update to check what happens with the zypper dist-upgrade, but if needed I will blacklist the mozilla-nss-certs. It works with both Chrome and Firefox.
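Added example, not part of the original thread: a shell check that a given CA is listed as a trusted anchor in the p11-kit store, which is where the browsers get their roots once libnssckbi.so is the p11-kit replacement. It assumes the p11-kit `trust list` command; the CA labels and the sample listing are constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Check that a CA is a trusted anchor in the p11-kit store that NSS reads
# once libnssckbi.so is the p11-kit replacement.

# Constructed sample, modelled on `trust list` output (not from a real system).
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%AA%BB;type=cert
    type: certificate
    label: Example Internal Root CA
    trust: anchor
    category: authority

pkcs11:id=%CC%DD;type=cert
    type: certificate
    label: Example Distrusted CA
    trust: distrusted
    category: authority
EOF
}

# stdin: `trust list` output; stdout: labels of records that are both
# "trust: anchor" and "category: authority", one per line.
anchor_labels() {
    awk '
        function emit() {
            if (label != "" && trust == "anchor" && kind == "authority") print label
            label = ""; trust = ""; kind = ""
        }
        /^pkcs11:/ { emit(); next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^label: /    { label = substr(line, 8) }
        line ~ /^trust: /    { trust = substr(line, 8) }
        line ~ /^category: / { kind  = substr(line, 11) }
        END { emit() }
    '
}

# $1: exact certificate label; stdin: `trust list` output.
is_trusted_anchor() {
    anchor_labels | grep -Fxq -- "$1"
}

# Live check, only when CA_LABEL is set and the p11-kit `trust` tool exists.
if [ -n "${CA_LABEL:-}" ] && command -v trust >/dev/null 2>&1; then
    if trust list | is_trusted_anchor "$CA_LABEL"; then
        echo "OK: '$CA_LABEL' is a trusted CA anchor"
    else
        echo "MISSING: '$CA_LABEL' is not a trusted CA anchor"
    fi
fi
```

Run it with CA_LABEL set to the exact label of your own root certificate; a certificate that is present but marked distrusted is reported as missing.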