SDB:Share certificates between applications or whole system

Jump to: navigation, search

This article explains an experimental feature! Please use with care and send feedback so we can finalize it. IMPORTANT: While that procedure should be non-destructive (the old NSS (3) databases should be left untouched) I highly recommend to backup your profiles.


You want to use the same personal certificate store for all the following applications and optionally modify root certificates for the whole system.

  • Firefox
  • Thunderbird
  • SeaMonkey
  • Chromium
  • Evolution


Without modifications all Mozilla based applications maintain their own certificate store in the application's profile directory, while Chromium already uses $HOME/.pki/nssdb with an sqlite based storage. In openSUSE we ship modifications to make it easy to switch Firefox, Thunderbird and SeaMonkey to use the same storage location by just exporting some environment variables:

 export NSS_SHARED_DB_PATH=$HOME/.pki/nssdb

(The first is not needed with the latest version of libnsssharedhelper0 which is 1.0.10.)

Once the environment is set up like the above all enabled Mozilla apps will use the same certificate store (on openSUSE that means Firefox, Thunderbird, Seamonkey, Chromium and likely Evolution (to be confirmed). If for example Firefox is started afterwards it'll open the old and new database and eventually migrate the certificates into the new database. This only happens if no master password is set or it is given during the session. Only the first application to create the database will be able to maintain its saved passwords though. Later merged applications won't be able to decrypt them anymore because there is only one key in the NSS database for that purpose.

If you want to preconfigure the whole system to use certain certificates (including additional CA certificates) the next step is to install the package


This package installs an additional certificate store to /etc/pki/nssdb where root can use the certutil (from mozilla-nss-tools) to manipulate the system wide certificate store. Do NOT export NSS_SHARED_DB_PATH=$HOME/.pki/nssdb anymore when the system wide certificate store should be used since the default is /etc/pki/nssdb already.

Import root certificates into system wide certstore (e.g. CAcert):

   curl -k > cacert.crt
   setup-nsssysinit off
   certutil -d sql:/etc/pki/nssdb -t TC,TC,TC -A -i cacert.crt -n cacert
   setup-nsssysinit on

See also

External links