Just after pressing send on this message, I found where Firefox can be configured to trust enterprise root certificates. See this article:

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Once configured, Firefox should trust the OS certificate store. But I haven't gotten it to work. Yet.

On Mon, Mar 2, 2020 at 11:22 PM Nicholas DeMarco <[email protected]> wrote:

> Hello, Thanks to this group's help, I'm learning my way through IPA's
> certificate system.
>
> I read Fraser's well written post on creating sub-CAs, and successfully
> got everything to work. I then ran into the same problem Kevin Vasko hit in
> this thread:
>
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/45CQE3CGG5QFZ5YMRGYJDICB7WWFWAVQ/
>
> It seems Debian-based Chrome and Firefox don't implicitly trust the OS
> root certificate store.
>
> For each Firefox profile (about:profiles), the NSS db is in
> ~/.mozilla/firefox/<profile>. The certs in this directory can be listed
>
> certutil -d sql:/home/nick/.mozilla/firefox/4sar5x5s.default-release/ -L
>
> On Ubuntu 18.04, after installing and configuring IPA client (#
> ipa-client-install --mkhomedir), the IPA certificate is listed in the store.
>
> Still, Firefox doesn't trust the IPA server or its trusted hosts. Why???
>
> It's been established that Linux Firefox and Linux Chrome don't trust the
> OS trusted certificate stores. It seems, with all that comes with
> assumptions, that Firefox doesn't trust its own profile store, either.
>
> Nick
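Added example, not part of the original thread: in an NSS database a certificate can be listed without being trusted as a CA for TLS servers, because that trust comes from a `C` in the first (SSL) field of the trust attributes that `certutil -L` prints. The sketch below classifies each row of such a listing; the sample listing, its nicknames and both function names are constructed for illustration, and whether this applies to the poster's profile is not known from the thread.

```shell
#!/bin/sh
# Added example: classify rows of `certutil -L` output by their SSL trust flag.

# Constructed sample of a `certutil -d sql:<profile dir> -L` listing.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          ,,
Constructed Public Root                                      CT,C,C
nick user cert                                               u,u,u
EOF
}

# Reads a listing on stdin and prints "<status>\t<nickname>\t<flags>" per row.
# TRUSTED_SSL_CA: the SSL field contains 'C' (trusted CA for server certs).
# NOT_SSL_CA:     present in the database, but not trusted to issue them.
classify_nss_trust() {
    awk '
    # Data rows end in three comma-separated flag fields ("CT,C,C", ",,").
    # The header rows do not match: one has no commas, the other contains "/".
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the flags column
        sub(/^[ \t]+/, "", nick)                # strip leading indentation
        split(flags, f, ",")                    # f[1] is the SSL field
        status = (index(f[1], "C") > 0) ? "TRUSTED_SSL_CA" : "NOT_SSL_CA"
        printf "%s\t%s\t%s\n", status, nick, flags
    }'
}

# Stand-alone run over the constructed sample; against a real profile, pipe
# the output of the certutil command quoted in the message above instead.
sample_listing | classify_nss_trust
```

A row reported as `NOT_SSL_CA` for the CA that issued the server's certificate would explain a listed-but-untrusted result; `certutil -M -t "CT,C,C" -n "<nickname>" -d sql:<profile dir>` is the command that changes those attributes.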
