[GH-ISSUE #11] Installing certs for Firefox/Chromium on Linux #8

New issue

Closed

opened 2026-02-25 22:32:21 +03:00 by kerem · 1 comment

kerem commented 2026-02-25 22:32:21 +03:00

Owner

Copy link

Originally created by @fd0 on GitHub (Jun 28, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/11

Hi, while I don't have a use case for mkcert, I've just recently written a shell script which inserts a CA into all browser profiles for a user, and I thought I just leave some hints here:

• For Firefox, the cert needs to be inserted into each NSS db in each profile directory within ~/.mozilla/firefox, using certutil. The code in truststore_firefox.go looks good already
• For Chromium (and probably also Chrome), there's a central NSS db in ~/.pki/nssdb into which the certificate can be added via certutil, very similar to Firefox

That should do the trick for Linux for the most widely used browsers at least (which should cover like 90% of the use cases out there).

Adding the certificate to the system's trust store depends on the Linux distribution, it's a lot more complex. For Fedora, the browsers also trust certificates in the system-wide trust store in /etc, on Debian that's not the case: browsers just ignore all system ca certificates.

Originally created by @fd0 on GitHub (Jun 28, 2018). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/11 Hi, while I don't have a use case for `mkcert`, I've just recently written a shell script which inserts a CA into all browser profiles for a user, and I thought I just leave some hints here: * For Firefox, the cert needs to be inserted into each NSS db in each profile directory within `~/.mozilla/firefox`, using `certutil`. The code in `truststore_firefox.go` looks good already * For Chromium (and probably also Chrome), there's a central NSS db in `~/.pki/nssdb` into which the certificate can be added via `certutil`, very similar to Firefox That should do the trick for Linux for the most widely used browsers at least (which should cover like 90% of the use cases out there). Adding the certificate to the system's trust store depends on the Linux distribution, it's a lot more complex. For Fedora, the browsers also trust certificates in the system-wide trust store in `/etc`, on Debian that's not the case: browsers just ignore all system ca certificates.

kerem closed this issue 2026-02-25 22:32:21 +03:00

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@FiloSottile commented on GitHub (Jul 4, 2018):

Thanks @fd0!

<!-- gh-comment-id:402344796 --> @FiloSottile commented on GitHub (Jul 4, 2018): Thanks @fd0!

kerem referenced this issue 2026-02-25 22:33:07 +03:00

[GH-ISSUE #558] Certutil process is continuously running and not returning when creating new NSS DB #328

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.9.1

v0.9.0

Labels

Clear labels   

TLS stack issue

  

Windows

  

bug

  

duplicate

  

duplicate

  

enhancement

  

help wanted

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

root store

  

waiting for info

No labels

TLS stack issue

Windows

bug

duplicate

duplicate

enhancement

help wanted

help wanted

pull-request

question

question

root store

waiting for info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mkcert#8

No description provided.