[arch-dev-public] Rethinking our CA certificate setup

Jan Alexander Steffens jan.steffens at gmail.com
Tue Aug 26 15:15:48 EDT 2014


On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens
<jan.steffens at gmail.com> wrote:
> Hi guys,
>
> I'm currently at FrOSCon with Pierre and an expert from CAcert.org and
> we're thinking of changes to our certificate setup.
>
>
> The current issues are:
> - Mozilla NSS uses its own root store and not /etc/ssl/certs
> - ca-certificates ships outdated Mozilla roots
> - Shipping additional roots outside ca-certificates is difficult,
> requiring patching /etc/ca-certificates.conf
>
>
> To solve these issues, we thought of making the following changes:
>
> - Attach NSS to p11-kit so it uses our root store (easily done by
> replacing /usr/lib/libnssckbi.so with a symlink to p11-kit-proxy.so)
> - Patch the update-ca-certificates script to read
> /etc/ca-certificates/conf.d instead of /etc/ca-certificates.conf
> - Split the current Mozilla roots from the NSS package in the
> ca-certificates format, shipping
> /etc/ca-certificates/conf.d/mozilla.conf
> - Create a package shipping the CAcert.org roots in a similar way
> - Ship the update-ca-certificates script in a ca-certificates-utils
> package, which the certificate packages depend on
> - ca-certificates becomes a metapackage depending on the -mozilla and
> -cacert packages
>
> Comments are welcome. Unless we get objections, we're going to start
> making these changes. Hopefully we can be done today and push the
> result to [testing].
>
> Greetings,
> Jan

Firefox isn't quite happy yet with the change, see
https://bugs.archlinux.org/task/41689: Addons fail to install or
update.

It seems this is due to Firefox depending on NSS internals -
specifically, addons must be signed by certificates validated by the
built-in trusted root store, which is matched by name.

Fedora was affected as well: https://bugzilla.redhat.com/show_bug.cgi?id=966424
Upstream report, arguing for the check to be removed:
https://bugzilla.mozilla.org/show_bug.cgi?id=880269

Now we can:
a. Patch p11-kit to rename the store; the easy way.
b. Patch Firefox and Thunderbird and SeaMonkey to not require the name
to match; the hard way, and the one Fedora chose.
c. Revert the change that links NSS to p11-kit; rather not, as it
makes it really hard to control the root store.

Opinions?
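The conf.d split proposed above, as an added example that is not the Arch update-ca-certificates script and not code from the thread: a minimal POSIX sh function that merges /etc/ca-certificates/conf.d/*.conf fragments into one bundle. It assumes the Debian ca-certificates.conf line conventions (one certificate path per line, relative to the share directory; "#" starts a comment; "!" deselects a certificate listed elsewhere); the conf and certificate file names used here are constructed for illustration. The practitioner point it shows is the control over the root store that option (c) would give up: a site-local fragment can distrust a root shipped in mozilla.conf without patching that packaged file.

```shell
#!/bin/sh
# Added example, not the Arch update-ca-certificates script.
# Merge every *.conf in CONFDIR into one PEM bundle.
# Assumed line format (Debian ca-certificates.conf conventions):
#   mozilla/Some_Root.crt   select SHAREDIR/mozilla/Some_Root.crt
#   # ...                   comment
#   !mozilla/Some_Root.crt  deselect that certificate, wherever it was listed
# Certificate names are assumed to contain no whitespace (as in ca-certificates).
# Prints the number of certificates written to OUTFILE.
# Usage: build_ca_bundle CONFDIR SHAREDIR OUTFILE

build_ca_bundle() {
    confdir=$1; sharedir=$2; outfile=$3
    selected=""; deselected=""

    # Pass 1: read every fragment; a later fragment (e.g. zz-local.conf)
    # may deselect a root a packaged fragment (mozilla.conf) selected.
    for conf in "$confdir"/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;
                '!'*)    deselected="$deselected ${line#!}" ;;
                *)       selected="$selected $line" ;;
            esac
        done < "$conf"
    done

    # Pass 2: write the bundle, skipping deselected or missing certificates.
    : > "$outfile"
    count=0
    for cert in $selected; do
        skip=0
        for d in $deselected; do
            [ "$cert" = "$d" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        if [ ! -f "$sharedir/$cert" ]; then
            echo "warning: $cert is listed but not present in $sharedir" >&2
            continue
        fi
        cat "$sharedir/$cert" >> "$outfile"
        count=$((count + 1))
    done
    echo "$count"
}

# Run directly with three arguments; does nothing when sourced.
if [ "$#" -eq 3 ]; then
    build_ca_bundle "$@"
fi
```

Because the fragments are read in glob order, a local override should sort after the packaged ones (hence a name like zz-local.conf); a "!" line takes effect no matter which fragment selected the certificate, so the packaged mozilla.conf stays untouched across updates.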

