SDB:Share certificates between applications or whole system



This article explains an experimental feature! Please use with care and send feedback so we can finalize it. IMPORTANT: While the procedure should be non-destructive (the old NSS (3) databases should be left untouched), I highly recommend backing up your profiles first.


Situation

You want to use the same personal certificate store for all the following applications and optionally modify root certificates for the whole system.

  • Firefox
  • Thunderbird
  • SeaMonkey
  • Chromium
  • Evolution


Procedure

Without modifications, all Mozilla-based applications maintain their own certificate store in the application's profile directory, while Chromium already uses $HOME/.pki/nssdb with an sqlite-based storage. In openSUSE we ship modifications that make it easy to switch Firefox, Thunderbird and SeaMonkey to the same storage location by just exporting some environment variables:

 export NSS_SHARED_DB_PATH=$HOME/.pki/nssdb
 export NSS_USE_SHARED_DB=1

(The first is not needed with the latest version of libnsssharedhelper0, which is 1.0.10.)

Once the environment is set up like the above, all enabled Mozilla apps will use the same certificate store (on openSUSE that means Firefox, Thunderbird, SeaMonkey, Chromium and likely Evolution; to be confirmed). If for example Firefox is started afterwards, it will open both the old and the new database and migrate the certificates into the new one. This only happens if no master password is set or it is entered during the session. Only the first application to create the database will be able to keep using its saved passwords, though: applications merged later won't be able to decrypt theirs anymore, because there is only one key in the NSS database for that purpose.

If you want to preconfigure the whole system to use certain certificates (including additional CA certificates), the next step is to install the package

 mozilla-nss-sysinit

This package installs an additional certificate store in /etc/pki/nssdb, where root can use certutil (from mozilla-nss-tools) to manipulate the system-wide certificate store. Do NOT export NSS_SHARED_DB_PATH=$HOME/.pki/nssdb anymore when the system-wide store should be used, since the default is /etc/pki/nssdb already.

Import root certificates into the system-wide certificate store (e.g. CAcert). Note that -k makes curl skip TLS verification (the CAcert root is not in the default trust store), so compare the fingerprint of the downloaded file with the one CAcert publishes before importing it:

   curl -k https://www.cacert.org/certs/root.crt > cacert.crt
   setup-nsssysinit off
   certutil -d sql:/etc/pki/nssdb -t TC,TC,TC -A -i cacert.crt -n cacert
   setup-nsssysinit on
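Because the download above runs with curl -k, nothing in that command checks what was fetched. As an added example (not part of this wiki page), the following POSIX shell helper computes the SHA-256 fingerprint of a PEM certificate from the DER bytes and only runs the page's certutil import when it matches the fingerprint the CA publishes; the expected fingerprint, file name and nickname are inputs you supply.

```shell
#!/bin/sh
# Added example, not from the openSUSE wiki page.
# Requires coreutils (base64, sha256sum) and, for the actual import,
# certutil and setup-nsssysinit from the packages named on the page.

# Print the SHA-256 fingerprint of the DER form of a PEM certificate,
# in the colon-separated upper-case form that certutil and openssl print.
# Returns 1 if the file contains no PEM certificate block.
pem_sha256_fingerprint() {
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
           | sed '1d;$d')
    [ -n "$body" ] || { echo "no PEM certificate in $1" >&2; return 1; }
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Import a CA certificate into the system-wide store only when its
# fingerprint matches the expected value; refuse (return 1) otherwise.
# Usage: import_verified_ca <cert.pem> <expected fingerprint> <nickname> [dbdir]
import_verified_ca() {
    cert=$1; expected=$2; nick=$3; dbdir=${4:-/etc/pki/nssdb}
    actual=$(pem_sha256_fingerprint "$cert") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got $actual" >&2
        return 1
    fi
    # same sequence as on the page: disable sysinit, import, re-enable
    setup-nsssysinit off
    certutil -d "sql:$dbdir" -t TC,TC,TC -A -i "$cert" -n "$nick"
    rc=$?
    setup-nsssysinit on
    return $rc
}
```

The mismatch path exits before certutil or setup-nsssysinit are ever called, so a wrong or missing fingerprint never touches the store.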

