This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

Where is the default certificate store?

more options

I want to add CA certs to Firefox for all users, including new users. Where is the default cert / trust store for Firefox?

I want to add CA certs to Firefox for all users, including new users. Where is the default cert / trust store for Firefox?

All Replies (10)

more options

Firefox uses a file named cert8.db in the profile folder.

About profile folder files: Profiles - Where Firefox stores your bookmarks, passwords and other user data.

There is a tool you can use to programmatically add files to a cert8.db file but I've never tried it myself, so you probably would want to search around for tips from experienced users:

https://developer.mozilla.org/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil

more options

Thanks, but I know where my profile is. I want to know where the certificate store in it comes from. If I edit mine, I'm only changing my own settings. If I look for end edit all existing profiles, I'm only changing existing profiles. I want a brand-new user who logs in to get the certificates I want them to have.

more options

hi, for some options to deploy this, please refer to https://wiki.mozilla.org/CA:AddRootToFirefox

more options

Saw that. Doesn't help. Nothing in that article exposes where the store is, just mentions different tools that, presumably, "just know". The Javascript section comes the closest, but something like "@mozilla.org/security/x509certdb;1" is not a filesystem path... something tells Javascript what "@mozilla.org" is, but it sure doesn't tell me!

more options

And on top of that, the link for CCK2 is bad.

more options
more options

Neither of those pages tell me where the default certificate store is.

more options

I found these in a search, not sure if you already found them:

more options

Thanks. So... Mozilla has gone out of their way to hide and obfuscate this as much as possible. Wonderful. Sometimes it seems like developers forget about people using their software and just want to show off how clever they can be. And I've never understood why I should trust Chinese, Russian, Turkish, etc. CAs just because Google or Mozilla or Apple or Microsoft say I should.

I'm going to corner the Firefox folks at the next ScaLE and try to pry some answers or a commitment to change out of them :-)

more options

While it might have been done this way just to make your life difficult, it's also possible that using a compiled file was to reduce the potential for tampering by bad actors.

On the larger question of what CAs to (dis)trust, there may be a mailing list for that: https://lists.mozilla.org/listinfo