You can get browsers (and other programs that use libnss3) to use the system-wide trust store (i.e., /etc/ssl/certs/ca-certificates.crt) if you install p11-kit and run:
# dpkg-divert --add --local --rename /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so # ln -srf /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so You can undo it by removing the symlink and then running 'dpkg-divert --remove --rename /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so'. There was a discussion on the Debian BTS about doing this by default at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180> but it never actually happened. I think this is already done by default in the Red Hat world. -- Sam Morris <[email protected]> https://robots.org.uk/ _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
