Hi dwmw2, thank you for your bug report and your help to make Ubuntu better.
I beg your pardon as I'm clearly not an expert on this particular area, but I try to sort out the details of this bug report to understand what has to be done.

Currently I understand this as a feature request to make update-ca-certificates (almost?) all certificate users in one shot. The current default config doesn't do that.

Thanks for pointing out the links and background to this. The answer on this thread is what I think the current state is:
http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
and I understand and agree that to get this as "one shot accept this CA" is a valid feature-request-bug.

I happened to find various similar/related bugs on other projects, like Firefox for example:
https://bugzilla.mozilla.org/show_bug.cgi?id=620373
https://bugzilla.mozilla.org/show_bug.cgi?id=449498
https://bugzilla.mozilla.org/show_bug.cgi?id=454036

There might be more for others, but it seems that to fix the whole thing a distribution would need to modify all consuming packages to agree on sort of a shared path and mechanism.

Ok, so far I was just trying to wrap my head around this a bit. I guess the next step clearly is the security Team's position on this in general, so I subscribe them for a statement. Maybe they also know of past or existing approaches to this.

** Bug watch added: Mozilla Bugzilla #620373
   https://bugzilla.mozilla.org/show_bug.cgi?id=620373

** Bug watch added: Mozilla Bugzilla #449498
   https://bugzilla.mozilla.org/show_bug.cgi?id=449498

** Bug watch added: Mozilla Bugzilla #454036
   https://bugzilla.mozilla.org/show_bug.cgi?id=454036

https://bugs.launchpad.net/bugs/1647285

Title:
  SSL trust not system-wide

Status in ca-certificates package in Ubuntu:
  Incomplete
Status in nss package in Ubuntu:
  Incomplete

Bug description:
  When I install a corporate CA trust root with update-ca-certificates, it doesn't seem to work everywhere. Various things like Firefox, Evolution, Chrome, etc. all fail to trust the newly-installed trusted CA.

  This ought to work, and does on other distributions. In p11-kit there is a module p11-kit-trust.so which can be used as a drop-in replacement for NSS's own libnssckbi.so trust root module, but which reads from the system's configured trust setup instead of the hard-coded version.

  This allows us to install the corporate CAs just once, and then file a bug against any package that *doesn't* then trust them.

  See https://fedoraproject.org/wiki/Features/SharedSystemCertificates for some of the historical details from when this feature was first implemented, but this is all now supported upstream and not at all distribution-specific. There shouldn't be any significant work required; it's mostly just a case of configuring and building it to make use of this functionality. (With 'alternatives' to let you substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)
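
To see where a given system stands on the substitution described in the bug description, the following audit lists every libnssckbi.so under a directory and reports whether it resolves to p11-kit-trust.so or is still a separate NSS module. It is an added example, not part of the bug report or of any Ubuntu package; the function name `audit_nss_trust` and the default root `/usr` are assumptions.

```shell
#!/bin/sh
# Classify every libnssckbi.so found under a root directory:
#   p11-kit   resolves to p11-kit-trust.so (reads the system trust setup)
#   builtin   a regular NSS trust module with its own root list
#   dangling  a symlink whose target does not exist
# audit_nss_trust is a hypothetical helper; the default root is an assumption.
audit_nss_trust() {
    root=${1:-/usr}
    find "$root" -name 'libnssckbi.so' 2>/dev/null | sort |
    while IFS= read -r path; do
        # Follow the whole symlink chain (alternatives adds extra hops).
        target=$(readlink -f -- "$path" 2>/dev/null) || target=
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            kind=dangling
        else
            case $(basename -- "$target") in
                p11-kit-trust.so*) kind=p11-kit ;;
                *)                 kind=builtin ;;
            esac
        fi
        printf '%s\t%s\n' "$kind" "$path"
    done
}

# Run the audit only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_nss_trust "$1"
fi
```

Any path reported as `builtin` is a consumer that will not pick up a CA installed through update-ca-certificates.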