Question

Make CA database read-only?

Is it possible to make Firefox not accept any new Certificate Authorities without user interaction?

Long story short, I am having a problem where Firefox is adding a CA to its database that is hosing things up. The actual problem is with the cert that is being offered to me, and I am working with that system owner to fix the cert, but in the meantime I would like to have Firefox not ever load the CA into its database. This new CA is added without the user being prompted at all. Simply visiting a specific website causes this new CA to be added to the list (but again, not trusted, just added to the list).

By default when it is loaded the new cert has no permissions so it is not trusted, but the problem is the fact that the CA that is added is a duplicate name with another known good CA in my list and it causes things to go wacky when there are two with the same name (different signatures, different issuer, the only thing the same is the nickname).

I know this isn't a problem with Firefox directly. In 99.9999% of cases when it adds an additional CA to the list it doesn't cause a problem at all because it is not trusted and it won't inherently allow the secure connection. But since fixing the real problem with the owner of the website is going to take a long time (weeks/months) I would like to put a band-aid on the symptom so that I can cut my maintenance of this topic down greatly.

I am running Red Hat Enterprise Linux 5.9 with Firefox 10.0.12 (RHEL distributed Firefox).

I could go into extreme detail to explain what is causing my problem, but the short question I have is "Is there a way to make the CA database read-only?"

I have tried editing the permissions of cert8.db in ~/.mozilla/firefox/*.default/ to only be read-only (0400) vice read-write (0600) currently. However, this causes Firefox to have kittens when I try to use anything that reads the CA list, so I had to change it back.

I have a hacky script to remove the CA using certutil, but since certutil uses the 'nickname' of the cert to decide which one to delete, and both the good cert and the bad cert have the same nickname I get worried I'll blow away the good one and not the bad one. So far it has consistently matched the bad cert, but I don't have enough confidence that it will do that every time to push it out to my users. If I could use certutil -D with something more specific than nickname (fingerprint, signature value, etc) I would be OK with that as well.

I know there are options to restrict user changes to things like proxies and the such. Is there a similar way to do it with CAs? about:config doesn't appear to show anything that looks like it would do it.

Can I have it prompt me when it tries to add a CA to the database and allow me to say yes/no?

I am OK if the change is something that requires manual intervention if we do decide to add another CA to the list. Currently I am having to repair this problem multiple times a day and new CAs don't come all that often.

Unfortunately, I can't simply upgrade to the latest Firefox as software restrictions are in place. I'm open to any ideas you may have.
