Hi there,
I use pk11-kit-trust to use my own set of trusted CA's system wide. As per the firefox help pages (and as it works for me with firefox-esr itself), I removed the original /usr/share/librewolf/libnssckbi.so and created a sym link to /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so instead. Then I realised that librewolf didn't recognise this change. Anyway - a whole set of trusted certificate authorities called "Builtin Roots Module" is installed on profile creation from a source I couldn't find out and with a path of "null". Unloading this kind of pre-existing "security module" for the current session will work, but only until the next browser restart. Setting 'security.enterprise_roots.enabled' to 'false' also doesn't work to prevent this behaviour. I think something is wrong/buggy here.
How can I make my own set of trusted CAs permanent, in a way, without using the cert9.db file? Usingthat way (cert9.db) would be a sort of "opt-out", to trust newly deployed certificates – which are fetched within the next lw update via update of "security module", right?
My installation: 137.0.2-1 on Debian 12 (bookworm).
Hi there,
I use pk11-kit-trust to use my own set of trusted CA's system wide. As per the firefox help pages (and as it works for me with firefox-esr itself), I removed the original /usr/share/librewolf/libnssckbi.so and created a sym link to /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so instead. Then I realised that librewolf didn't recognise this change. Anyway - a whole set of trusted certificate authorities called "Builtin Roots Module" is installed on profile creation from a source I couldn't find out and with a path of "null". Unloading this kind of pre-existing "security module" for the current session will work, but only until the next browser restart. Setting 'security.enterprise_roots.enabled' to 'false' also doesn't work to prevent this behaviour. I think something is wrong/buggy here.
How can I make my own set of trusted CAs permanent, in a way, without using the cert9.db file? Usingthat way (cert9.db) would be a sort of "opt-out", to trust newly deployed certificates – which are fetched within the next lw update via update of "security module", right?
My installation: 137.0.2-1 on Debian 12 (bookworm).