path: root/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
diff options
Diffstat (limited to 'wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn')
1 files changed, 50 insertions, 0 deletions
diff --git a/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn b/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
new file mode 100644
index 0000000..e9bef15
--- /dev/null
+++ b/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
@@ -0,0 +1,50 @@
+Persistence of client certificates in the browser would make their use a lot easier
+Import method
+The same approach than with bookmarks seems to be working. Candidate files are `key3.db` and/or `cert8.db` and/or `secmod.db` (<>). These filenames seems to be subject to change without a notice.
+Another approach would be to use `pk12util` (from `nss3-tools` package, see <>) to import client cert (<>). See also `certutil` to import certificates (<> : <>)
+According to
+ - `key3.db` - This file stores your key database for your passwords.
+ - `cert8.db` - This file stores all your security certificate settings
+ and any SSL certificates you have imported into Firefox.
+It's being replaced by a sqlite database.
+One is asked passwords when importing client certificates. The [Python
+binding for
+API](, [C
+API]( should
+allow to do roughly the same as `pk12util` or `certutil`, but ask for
+the password graphically. But perhaps there's a GUI available
+somewhere already?
+If the certificate is not in PKCS #12 format, the certutil tool can be
+used to convert it.
+User experience
+### NSS database upgrade
+certutil has a `--upgrade-merge` feature to *Upgrade an old database
+and merge it into a new database. This is used to migrate legacy NSS
+databases (cert8.db and key3.db) into the newer SQLite databases
+(cert9.db and key4.db).* that might be handy.
+However, certain certutil versions (e.g. 3.15) refuse to read or write
+any too old databases, such as the one Firefox 17 generates and uses
+with NSS 3.14.3 backported from Wheezy. We'll presumably always have
+to ship NSS and Firefox in sync' in Tails anyway. So, if we use
+certutil to perform the upgrade, then we and/or users will have to
+ensure it's done during the transition period, assuming there's one.