
Certificate CA Stores


Lost In Cyberia


Hey everyone, I'm trying to get a lay of the land for OS and Application Certificate Stores. Can someone confirm that I have this concept right?

If the application you're using, say Firefox, has its own trusted CA store, it uses that exclusively. So if you're running Firefox in Windows, Firefox will only check the validity of certificates against its own store, and never reference the Microsoft store.

As opposed to using Internet Explorer in Windows, where it exclusively uses the Microsoft CA store.

This is something I'm unsure of: do iOS, Linux and Android provide a trusted suite of CAs? Where is it in the file system? It's my impression that these OSes use the SSL command suite to verify certificates? Or do these OSes offer no store, and just hope that the application is doing the checking of certificates? So that whatever application must be written to somehow check for a certificate?

For instance, right now I'm using Google Chrome in Linux. When I go into the browser settings and advanced settings, to certificates, I get a list of trusted CAs. Where is this list coming from, my Linux OS or the browser itself?


I could be wrong, but from experience all browsers refer to the Trusted Root Certificate Store within certmgr.msc on Windows machines. I think you'll find, at least in a Windows environment, this will always be the case for administrative purposes.

I'm not that savvy across other platforms around certificate management. But I am interested to see if I'm wrong or not :)


Well, Firefox doesn't use the MS trusted root CA store; it comes with its own list. My question though is if the OS and application don't provide a store (Linux and Android don't, apparently), and a certificate is presented, how does the application know it can trust it? It's got nothing to reference? Doesn't this completely bypass SSL?


Ahh, I see. I've been implementing it with Group Policy, so it's been populating both the Microsoft store and the Firefox configuration. I'd presume Firefox would behave the same on Linux; not sure about iOS and Android though.


On Linux my Firefox has these 2 interesting files:

~cooper/.mozilla/firefox/<junk>.default/cert8.db

~cooper/.mozilla/firefox/<junk>.default/cert_override.txt

The cert_override.txt file has a header that reads:

# PSM Certificate Override Settings file
# This is a generated file! Do not edit.

The .db file is half a meg in size (as opposed to 27 KB for the txt file) and I don't have a clue what might be capable of reading it, but going by the strings in there it's pretty much all certs I've ever had on this box, including the root CA ones automagically acquired and all the certs mentioned in the .txt file.

I might have more certs on my system than is typical because I develop websites for healthcare where non-https URLs simply don't exist and outside of production sites everything used self-signed certs. The only way to make them work with FF is to add them to your cert store.

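An added example, not code from anyone in this thread, that audits the cert_override.txt file described above: every non-comment line in that file records one host for which Firefox was told to accept a certificate even though a check failed, which is exactly the "bypass" asked about earlier. The tab-separated column layout and the meaning of the M/U/T flag letters are assumed from the format as I know it; the header lines are the ones quoted above and the entries are constructed.

```python
# Constructed sample in the layout of a Firefox cert_override.txt (assumed
# columns, tab-separated: host:port, hash OID, cert fingerprint, override
# flags, optional db key). Only the two comment lines appear in the thread.
SAMPLE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file! Do not edit.\n"
    "dev.example.test:443\tOID.2.16.840.1.101.3.4.2.1\tAB:CD:EF:01\tU\tAAAA\n"
    "staging.example.test:8443\tOID.2.16.840.1.101.3.4.2.1\t12:34:56:78\tMUT\tBBBB\n"
)

# Assumed flag letters: each one names a check Firefox skips for that host
# whenever the presented certificate matches the stored fingerprint.
FLAG_MEANING = {
    "M": "hostname mismatch",
    "U": "untrusted issuer (not in the NSS root store)",
    "T": "validity period (expired or not yet valid)",
}


def parse_overrides(text):
    """Return one dict per override line; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected >= 4 tab-separated fields")
        host_port, oid, fingerprint, flags = fields[:4]
        # Newer files may append origin attributes after the port, so take
        # only the first two colon-separated pieces.
        host, port = host_port.split(":")[:2]
        unknown = set(flags) - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"line {lineno}: unknown flag(s) {sorted(unknown)}")
        entries.append({
            "host": host,
            "port": int(port),
            "hash_oid": oid,
            "fingerprint": fingerprint.upper(),
            "flags": flags,
            "skipped_checks": [FLAG_MEANING[f] for f in flags],
        })
    return entries


def trust_bypasses(entries):
    """Hosts whose override skips the trust-store check itself (flag U)."""
    return sorted(e["host"] for e in entries if "U" in e["flags"])
```

Running it over a real profile's cert_override.txt (same parser, file contents read from disk) gives a quick list of which hosts are pinned past the root store rather than validated by it.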

Ah! I looked in my filesystem and saw the same set of files. So this is most likely FF's CA list. Do you think Chrome uses something similar, or does it use the /etc/ssl/certs list that comes with Linux?

