Diffstat (limited to 'wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn')
1 files changed, 50 insertions, 0 deletions
diff --git a/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn b/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
new file mode 100644
@@ -0,0 +1,50 @@
+Persistence of client certificates in the browser would make their use a lot easier
+The same approach than with bookmarks seems to be working. Candidate files are `key3.db` and/or `cert8.db` and/or `secmod.db` (<http://www-archive.mozilla.org/projects/security/pki/nss/db_formats.html>). These filenames seems to be subject to change without a notice.
+Another approach would be to use `pk12util` (from `nss3-tools` package, see <https://developer.mozilla.org/en-US/docs/NSS/Tools>) to import client cert (<https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_pk12util>). See also `certutil` to import certificates (<http://wiki.wmtransfer.com/projects/webmoney/wiki/Installing_personal_certificate_in_Mozilla_Firefox> : <https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil>)
+ - `key3.db` - This file stores your key database for your passwords.
+ - `cert8.db` - This file stores all your security certificate settings
+ and any SSL certificates you have imported into Firefox.
+It's being replaced by a sqlite database.
+One is asked passwords when importing client certificates. The [Python
+allow to do roughly the same as `pk12util` or `certutil`, but ask for
+the password graphically. But perhaps there's a GUI available
+If the certificate is not in PKCS #12 format, the certutil tool can be
+used to convert it.
+### NSS database upgrade
+certutil has a `--upgrade-merge` feature to *Upgrade an old database
+and merge it into a new database. This is used to migrate legacy NSS
+databases (cert8.db and key3.db) into the newer SQLite databases
+(cert9.db and key4.db).* that might be handy.
+However, certain certutil versions (e.g. 3.15) refuse to read or write
+any too old databases, such as the one Firefox 17 generates and uses
+with NSS 3.14.3 backported from Wheezy. We'll presumably always have
+to ship NSS and Firefox in sync' in Tails anyway. So, if we use
+certutil to perform the upgrade, then we and/or users will have to
+ensure it's done during the transition period, assuming there's one.
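Review bot: the paragraph starting "One is asked passwords when importing client certificates. The [Python" is cut off mid-link, so it never says which Python tool is meant and the following "But perhaps there's a GUI available" hangs without a referent; either complete the link (tool name and URL) or drop those three lines until the tool is identified. Two smaller consistency points in the same hunk: the bullet list documents only `key3.db` and `cert8.db` although the line above names `secmod.db` as a third candidate, so say whether `secmod.db` must be persisted too (it holds the PKCS #11 module configuration, so leaving it out is usually fine but should be stated); and "It's being replaced by a sqlite database" should name the replacement files, `cert9.db` and `key4.db`, as the "NSS database upgrade" section already does, so the preset can be written to persist whichever generation the shipped Firefox/NSS pair uses. Finally, since `key3.db` is described as "your key database", persisting it means the client certificate's private key lives in the persistent volume; the blueprint should note that users are expected to set a master password on the NSS database before the file is persisted, otherwise the key is protected only by the volume encryption.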