So you are saying that if the p11-kit-trust module is available it
should automatically be adding the system-wide trust store into the
internal Firefox cert store?

This is the output of my commands. I have the cert store that's created in
my home directory.

But there is no p11-kit-proxy. Do I have to add that myself? If so, how
do I do that?

modutil -dbdir sql:/home/<username>/.mozilla/firefox/9zd63dro.default-release/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri:
pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.35
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: 
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: 
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
-----------------------------------------------------------

I have the p11-kit-trust module.

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized

On Thu, Oct 10, 2019 at 11:09 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On Thu, 10 Oct 2019, Kevin Vasko wrote:
> >Alexander,
> >
> >Unless I'm misunderstanding the information, I don't think it will
> >matter though, because Firefox and Chrome use their own certificate
> >stores. I found that information after I posted this question.
> >Speaking specifically for Firefox (and Chrome looks to be
> >similar)... I'm concluding that the reason I'm not seeing it work is
> >this...
> >
> >"Since Firefox does not use the operating system's certificate store
> >by default, these CA certificates must be added in to Firefox using
> >one of the following methods. " taken from here
> >https://wiki.mozilla.org/CA/AddRootToFirefox
>
> On RHEL/Fedora we do have some magic:
> https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
>
> On my Fedora 30 system I have this for my Firefox profile:
>
> $ modutil -dbdir sql:/home/abokovoy/.mozilla/firefox/$profile/ -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>            uri: 
> pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.46
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>           uri: 
> pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>           uri: 
> pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>   2. mPollux
>         library name: /usr/lib64/libcryptoki.so
>            uri: 
> pkcs11:library-manufacturer=Fujitsu%20Finland%20Oy;library-description=mPollux%20DigiSign%20Client;library-version=0.1
>          slots: There are no slots attached to this module
>         status: loaded
>
>   3. p11-kit-proxy
>         library name: p11-kit-proxy.so
>            uri: 
> pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
>          slots: There are no slots attached to this module
>         status: loaded
> -----------------------------------------------------------
>
> As you can see, there are three tokens attached. Number 1 is the NSS
> internal 'token'; that's how an NSS database typically looks. Number 2
> is a crypto token inserted by Fujitsu Finland Oy which is used for
> my governmental ID operations through Firefox. Number three is the proxy
> for system-wide crypto tokens in Fedora.
>
> If I query that token separately, I can see a lot of certificates inside
> the Firefox NSS database. If I omit the -h option, certificates from all
> tokens get listed.
>
> $ certutil -d sql:/home/abokovoy/.mozilla/firefox/$profile/ -h p11-kit-proxy -L | wc -l
> 249
>
>
> Exactly the same story with Chrome/Chromium, only that they use a
> different store than Firefox:
>
> $ modutil -dbdir sql:/home/abokovoy/.pki/nssdb -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>            uri: 
> pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.46
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>           uri: 
> pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>           uri: 
> pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>   2. DigiSign PKCS#11 Module
>         library name: /usr/lib64/libcryptoki.so
>            uri: 
> pkcs11:library-manufacturer=Fujitsu%20Finland%20Oy;library-description=mPollux%20DigiSign%20Client;library-version=0.1
>          slots: There are no slots attached to this module
>         status: loaded
>
>   3. p11-kit-proxy
>         library name: p11-kit-proxy.so
>            uri: 
> pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
>          slots: There are no slots attached to this module
>         status: loaded
> -----------------------------------------------------------
>
> In the past, people did manual work to pick up all the certs, like
> https://blog.xelnor.net/firefox-systemcerts/, but it is not really needed
> anymore if you have p11-kit-proxy on your system. By default
> p11-kit-proxy has two modules:
>
> $ p11-kit list-modules
> p11-kit-trust: p11-kit-trust.so
>     library-description: PKCS#11 Kit Trust Module
>     library-manufacturer: PKCS#11 Kit
>     library-version: 0.23
>     token: System Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.23
>         flags:
>                write-protected
>                token-initialized
>     token: Default Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.23
>         flags:
>                write-protected
>                token-initialized
> opensc: opensc-pkcs11.so
>     library-description: OpenSC smartcard framework
>     library-manufacturer: OpenSC Project
>     library-version: 0.19
>
> It is the first one that brings all the system-wide certificates into
> NSS and other databases. For OpenSSL applications it can be brought in
> via PKCS#11 engine support.
>
>
> >
> >So at this point I don't think anything is wrong with
> >ipa-install-client; it is performing correctly in adding
> >it to the cert store, given the exception that you mentioned,
> >that there is a difference in ipa-install-client adding it to the
> >NSS database on RHEL/Fedora/CentOS and not on the Ubuntu/Debian
> >variants. However, I still don't think that will matter, since
> >Firefox/Chrome aren't reading either the NSS database or the crt
> >bundle, from what I understand.
> >
> >I'm going to keep digging to see if I can find a solution for getting
> >FF/Chrome to look at my certs and will post back on what I find.
> >
> >-Kevin
> >
> >On Thu, Oct 10, 2019 at 9:17 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>
> >> On Thu, 10 Oct 2019, Kevin Vasko via FreeIPA-users wrote:
> >> >I actually manually checked the system-wide crt files on each
> >> >distribution I'm using: Ubuntu, CentOS and RHEL6/7. In all cases my
> >> >/etc/ipa/ca.crt did appear to be in each of their respective *.crt
> >> >files. That indicates to me that there isn't any problem with the
> >> >ipa-install-client on any of the distributions like I originally
> >> >thought. Rob, it does look like Ubuntu is adding it to
> >> >/etc/ssl/certs/ca-certificates.crt with the ipa-install-client, as I
> >> >didn't do it manually on any of my systems, so it does appear they are
> >> >doing it somehow.
> >> >
> >> >These are the locations I checked.
> >> >
> >> >"/etc/ssl/certs/ca-certificates.crt",                //
> >> >Debian/Ubuntu/Gentoo etc.
> >> >"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
> >> >"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
> >> >
> >> >What appears to be the problem is (unless I'm mistaken) that neither
> >> >Firefox nor Chrome is using the system-wide cert locations; apparently
> >> >they only use their own cert store. At least according to this article:
> >> >https://thomas-leister.de/en/how-to-import-ca-root-certificate/
> >> On RHEL/Fedora/CentOS we import the system-wide cert store automatically
> >> into NSS databases through p11-kit.
> >>
> >> On Ubuntu/Debian/Gentoo you need to do that manually.
> >>
> >> >
> >> >It is kind of backed up by this article on the Mozilla page.
> >> >https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
> >> >
> >> >So based off of this information I'm going to have to manually add the
> >> >root certificates to each Chrome and Firefox cert store on the client
> >> >machines, which is a bummer.
> >> >
> >> >Sorry for the noise.
> >> >
> >> >On Thu, Oct 10, 2019 at 8:40 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >> >>
> >> >> Kevin Vasko via FreeIPA-users wrote:
> >> >> > Kees Bakker,
> >> >> >
> >> >> > If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu
> >> >> > 18.04 and based on Rob's comment it might not be done if I'm
> >> >> > understanding him correctly.
> >> >>
> >> >> Assuming I'm reading the code right it is not being executed on
> >> >> Debian/Ubuntu. At least not in the source. It's possible it is patched
> >> >> into the package in the distribution.
> >> >>
> >> >> rob
> >> >>
> >> >> >
> >> >> > -Kevin
> >> >> >
> >> >> > On Thu, Oct 10, 2019 at 8:19 AM Kees Bakker via FreeIPA-users
> >> >> > <freeipa-users@lists.fedorahosted.org> wrote:
> >> >> >>
> >> >> >> On 10-10-19 14:35, Rob Crittenden via FreeIPA-users wrote
> >> >> >>>
> >> >> >>> Kevin Vasko via FreeIPA-users wrote:
> >> >> >>>> How would I validate that certs are getting added properly on a 
> >> >> >>>> CentOS machine system wide store?
> >> >> >>>>
> >> >> >>>>   I’m going to test it today to find out if this is a problem 
> >> >> >>>> unique to Ubuntu/CentOS.
> >> >> >>> On Fedora the chain is put into
> >> >> >>> /etc/pki/ca-trust/source/anchors/ipa-ca.crt and update-ca-trust is 
> >> >> >>> executed.
> >> >> >>>
> >> >> >>> There is no Debian/Ubuntu equivalent in the upstream source (it's
> >> >> >>> possible it is done in packaging). You could try something like:
> >> >> >>>
> >> >> >>> cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
> >> >> >>> update-ca-certificates
> >> >> >> This is already done by ipa-client-install
> >> >> >> _______________________________________________
> >> >> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> >> >> To unsubscribe send an email to 
> >> >> >> freeipa-users-le...@lists.fedorahosted.org
> >> >> >> Fedora Code of Conduct: 
> >> >> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> >> >> List Guidelines: 
> >> >> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> >> >> List Archives: 
> >> >> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> >> >
> >> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
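The question at the top of this message (is p11-kit-proxy missing from the Firefox profile, and if so how is it added by hand) is what Alexander's Fedora listing answers implicitly: the third module in his `modutil -list` output is what Kevin's listing lacks. The script below is an added example, not code from this thread, from FreeIPA or from p11-kit. It parses `modutil -list` output to see whether p11-kit-proxy is registered in a browser NSS database (a Firefox profile directory, or ~/.pki/nssdb for Chrome/Chromium) and, if not, registers it with `modutil -add`, then repeats the `certutil -L | wc -l` check from the thread. It assumes modutil and certutil are installed (nss-tools on Fedora/RHEL, libnss3-tools on Debian/Ubuntu), that the dynamic loader can find p11-kit-proxy.so by bare name, and that the database directory is passed as the first argument; the two sample listings embedded in it are constructed so the parsing helpers can be exercised without nss-tools.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or p11-kit): check whether a
# browser NSS database already lists p11-kit-proxy and, if not, register it
# so the p11-kit-trust "System Trust" token becomes visible to the browser.
# Assumptions: modutil/certutil are installed and p11-kit-proxy.so is on the
# dynamic loader path; the database directory is the first argument.

# has_p11_kit_proxy: read `modutil -list` output on stdin; succeed if a module
# backed by p11-kit-proxy.so is registered. modutil prints a "library name:"
# line only for external modules, so the NSS internal module never matches.
has_p11_kit_proxy() {
    grep -q 'library name: .*p11-kit-proxy\.so'
}

# module_count: read `modutil -list` output on stdin and print the number of
# registered modules (each module entry starts with "  N. ").
module_count() {
    n=$(grep -c '^ *[0-9][0-9]*\. ' || true)
    echo "$n"
}

# ensure_p11_kit_proxy DBDIR: register p11-kit-proxy in the NSS database at
# DBDIR when it is missing, then print how many modules are registered and
# the line count of the certificates the proxy exposes (same rough check as
# the "249" in the thread; it is a line count, not an exact certificate count).
ensure_p11_kit_proxy() {
    dbdir="$1"
    if modutil -dbdir "sql:$dbdir" -list | has_p11_kit_proxy; then
        echo "p11-kit-proxy already registered in $dbdir"
    else
        # Close the browser first: modutil rewrites pkcs11.txt in the profile.
        # -force skips the interactive "browser may be running" confirmation.
        modutil -dbdir "sql:$dbdir" -add p11-kit-proxy \
                -libfile p11-kit-proxy.so -force
    fi
    echo "modules now registered: $(modutil -dbdir "sql:$dbdir" -list | module_count)"
    certutil -d "sql:$dbdir" -h p11-kit-proxy -L | wc -l
}

# Constructed sample listings, trimmed to the shape modutil prints, so the
# parsing helpers run without nss-tools installed.
SAMPLE_WITHOUT_PROXY='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation
         slots: 2 slots attached
        status: loaded'

SAMPLE_WITH_PROXY="$SAMPLE_WITHOUT_PROXY

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------"

# Stand-alone run: with a database directory argument do the real check;
# without one, only parse the embedded samples.
if [ -n "${1:-}" ]; then
    ensure_p11_kit_proxy "$1"
else
    printf '%s\n' "$SAMPLE_WITHOUT_PROXY" | has_p11_kit_proxy \
        && echo "sample 1: proxy present" || echo "sample 1: proxy missing"
    printf '%s\n' "$SAMPLE_WITH_PROXY" | has_p11_kit_proxy \
        && echo "sample 2: proxy present" || echo "sample 2: proxy missing"
fi
```

Run it as `sh add-p11-kit-proxy.sh ~/.mozilla/firefox/<profile>` with Firefox closed, and again with `~/.pki/nssdb` for Chrome/Chromium. Registering the proxy only makes the browser see whatever p11-kit-trust already trusts, so the IPA CA still has to be in the system store first (the thread says ipa-client-install does that on each distribution); `trust list | grep -i <your IPA CA subject>` confirms p11-kit sees the anchor before you blame the browser. Note that the proxy exposes the distribution's trust policy, so an anchor that is only in a bundle file p11-kit-trust does not read will not appear either.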