Persistence of client certificates in the browser would make their use a lot easier
Research
Import method
The same approach as with bookmarks seems to work. Candidate files are key3.db and/or cert8.db and/or secmod.db (http://www-archive.mozilla.org/projects/security/pki/nss/db_formats.html). These filenames seem to be subject to change without notice.
Another approach would be to use pk12util (from the nss3-tools package, see https://developer.mozilla.org/en-US/docs/NSS/Tools) to import a client certificate (https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_pk12util). See also certutil to import certificates (http://wiki.wmtransfer.com/projects/webmoney/wiki/Installing_personal_certificate_in_Mozilla_Firefox ; https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil).
According to https://support.mozilla.org/en-US/kb/Recovering%20important%20data%20from%20an%20old%20profile:
key3.db - This file stores your key database for your passwords.
cert8.db - This file stores all your security certificate settings and any SSL certificates you have imported into Firefox.
Both are being replaced by SQLite databases.
One is asked for passwords when importing client certificates. The Python binding for NSS (Python API, C API) should allow doing roughly the same as pk12util or certutil, but asking for the password graphically. But perhaps there's a GUI available somewhere already?
If the certificate is not in PKCS #12 format, the certutil tool can be used to convert it.
User experience
NSS database upgrade
certutil has a --upgrade-merge feature to upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db). That might be handy.
However, certain certutil versions (e.g. 3.15) refuse to read or write databases that are too old, such as the one Firefox 17 generates and uses with NSS 3.14.3 backported from Wheezy. We'll presumably always have to ship NSS and Firefox in sync in Tails anyway. So, if we use certutil to perform the upgrade, then we and/or users will have to ensure it's done during the transition period, assuming there is one.
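As an added example covering both the import method above and the database upgrade (this is not code from the Tails page or from the NSS project): a small POSIX shell script that detects which NSS backend a profile directory uses (legacy cert8.db/key3.db versus SQLite cert9.db/key4.db), imports a PKCS #12 client certificate with pk12util against the right `dbm:`/`sql:` prefix, and migrates a legacy directory with `certutil --upgrade-merge`. It assumes certutil and pk12util from nss-tools (libnss3-tools on Debian) are installed; both prompt for passwords interactively, as the page notes. The `--upgrade-id` value and the script name are arbitrary placeholders.

```shell
#!/bin/sh
# Added example (not from the Tails page or the NSS project).
# Assumes certutil and pk12util from nss-tools (libnss3-tools on Debian).
# Both tools prompt interactively for the database (master) password and,
# for pk12util, the PKCS #12 password.

# Print the NSS backend prefix for a profile directory:
#   "sql:"  if it has the SQLite files (cert9.db / key4.db)
#   "dbm:"  if it only has the legacy Berkeley DB files (cert8.db / key3.db)
#   "none"  if neither is present
# A directory containing both is treated as already upgraded (sql wins).
nss_db_prefix() {
  if [ -f "$1/cert9.db" ] || [ -f "$1/key4.db" ]; then
    printf 'sql:'
  elif [ -f "$1/cert8.db" ] || [ -f "$1/key3.db" ]; then
    printf 'dbm:'
  else
    printf 'none'
  fi
}

# Succeed (exit 0) if the profile still uses the legacy database and so
# needs --upgrade-merge before a recent certutil/pk12util will touch it.
nss_db_is_legacy() {
  [ "$(nss_db_prefix "$1")" = "dbm:" ]
}

# Import a PKCS #12 bundle (certificate + private key) into the profile's
# database. The certificate nickname is taken from the bundle's friendly
# name; afterwards the database contents are listed with certutil -L.
import_client_cert() {
  profile=$1
  p12=$2
  prefix=$(nss_db_prefix "$profile")
  if [ "$prefix" = "none" ]; then
    echo "no NSS database found in $profile" >&2
    return 1
  fi
  command -v pk12util >/dev/null 2>&1 || { echo "pk12util not installed" >&2; return 2; }
  pk12util -i "$p12" -d "$prefix$profile" &&
    certutil -L -d "$prefix$profile"
}

# Migrate a legacy (cert8.db/key3.db) profile directory into a fresh SQLite
# database under $2 with certutil --upgrade-merge. --upgrade-id is an
# identifier certutil records in the new database for this merge; the value
# used here is an arbitrary example.
upgrade_legacy_db() {
  old=$1
  new=$2
  nss_db_is_legacy "$old" || { echo "$old is not a legacy NSS database" >&2; return 1; }
  command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
  mkdir -p "$new"
  certutil -N -d "sql:$new" &&
    certutil --upgrade-merge -d "sql:$new" --source-dir "$old" --upgrade-id tails-legacy-profile
}

# Usage (script name is a placeholder):
#   ./nss-import.sh import  ~/.mozilla/firefox/<profile> client.p12
#   ./nss-import.sh upgrade ~/.mozilla/firefox/<profile> /tmp/new-nss-db
case "${1:-}" in
  import)  import_client_cert "$2" "$3" ;;
  upgrade) upgrade_legacy_db "$2" "$3" ;;
esac
```

Because pk12util and certutil refuse to open a database that is too old for the NSS they were built against, the backend detection is done from the file names rather than by trial: a profile reporting `dbm:` has to go through `upgrade_legacy_db` (with an NSS that still reads the old format) before a newer certutil can import into it.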
