You are here

certificats

10 posts / 0 new
Last post
serr57
Offline
Last seen: 15 years 5 months ago
Joined: 2009-04-20 06:46
certificats

Hi everybody,

When I used FFP, very often "I get add certificate exception", nothing special about this, but all exceptions I did don't stay in firefox configuration.
Every time I go to these sites I have to redo the procedure for exception.

Do you know the reason why ? (I am machine administrator.

Now I would to deploy some certificates on several PC both, but I don't know where are stored .cer or .pem inside FFP data.

Could you help me ?

regards

Eric

rab040ma
Offline
Last seen: 5 months 9 hours ago
Joined: 2007-08-27 13:35
The certificates are

The certificates are encrypted into the firefox "security device" (see Options | Advanced | Encryption | Security Devices). Firefox can export certificates to those file formats you mention, and import from them, but it stores them in its own encrypted database. Unlike Internet Explorer, Firefox doesn't store its certificates in a central database used by other software on the machine.

It sounds like you are looking for tools to manage the certificates of a number of machines with Firefox installed. I'd recommend asking at the Mozilla website.

It does sound like something odd is going on. Normally if you add an exception, Firefox remembers, and doesn't warn you again unless the certificate changes. (I assume you have checked that the certificate is the same.) Normally the certificates where this happens are "self-signed" certificates on personal servers; if the owner reinstalls software, the self-signed certificate is very likely to change, so that is another possibility.

There are free or very inexpensive certificates available where the issuing certificate authority is already in the Firefox certificate roots store. You could urge the owners of those servers to use those sorts of certificates.

If you are interested in troubleshooting why Firefox Portable isn't remembering an exception, first confirm that the certificate has not changed, and that other configuration information is being stored in the .\Data directory and subdirectories (the "profile") while the certificate exceptions are not. Then ask for assistance troubleshooting.

MC

ottosykora
Offline
Last seen: 2 days 23 hours ago
Joined: 2007-10-11 17:48
probably most important

on that is:

>If you are interested in troubleshooting why Firefox Portable isn't remembering an exception, first confirm that the certificate has not changed,

Otto Sykora
Basel, Switzerland

rab040ma
Offline
Last seen: 5 months 9 hours ago
Joined: 2007-08-27 13:35
Hi Otto Can you tell me how

Hi Otto

Can you tell me how you mark the private key as non-exportable with a certificate in FFP?

I can find a way to "Export" a certificate, which seems to export just the certificate, and a way to "Backup" a personal certificate, which does include the private key too. But I don't see a way to mark a private key as non-exportable, the way I do when using IE or Windows. Can you tell me how to find the way to mark a key as non-exportable? (Obviously if you mark it as non-exportable in IE, you won't be able to export it to Firefox, so it's pretty obvious that won't result in the key being marked as non-exportable in Firefox.) (I'm using the English version of FFP, so I'm not sure how those functions would be labeled if you use a different language version.)

As far as I can tell, when exporting the certificate, just the public certificate is exported.

Perhaps you could give an example of how to Export (not Backup) a certificate that includes the private key by mistake? Obviously, if you are backing up the certificates in your Firefox store, you would want the private keys too; I agree that if you are exporting just the certificate to give to another person, you wouldn't want the private key included, and that seems to be working okay on mine.

Since the certificates (including private keys) are encrypted in the Firefox Software Security Device, and since you would put a strong Master Password on FFP on a drive you carry around, the only way the private key would be exposed is if you entered the FFP Master Password, and then Firefox misbehaved somehow -- but that is pretty basic. You certainly wouldn't leave the backup files on the USB drive unless they were encrypted with a very strong passphrase. Since I'm not seeing this sort of misbehavior but you are, I'm hoping you can let me know how to reproduce it.

MC

ottosykora
Offline
Last seen: 2 days 23 hours ago
Joined: 2007-10-11 17:48
@rab040ma

OK, missundertanding.

No there is no setting in FF to make a key non exportable. In fact this should be a property of the key as such, often when created it can be marked this way.
OK, I know in IE this can be done locally to the actual local copy of the key.

But even if the key pair is marked as private nonexportable by itself, you still can as you say, backup keys, thus exporting the key pair completely from FF, which one can have different meaning about.
The complete keypair can be exported and imported where ever you want.

I have the key pair given on a floppy (private key there and the first public one) and in fact they were marked there as non exportable.
So I can import them everywhere, but not retrieve them completely, only delete.
I have also one key given on usb stick, but in this case the controller of the stick is set so, that there is no way to get the keypair out of the stick. In fact this is now the only way a qualified certificate is valid in switzerland.

Otto Sykora
Basel, Switzerland

rab040ma
Offline
Last seen: 5 months 9 hours ago
Joined: 2007-08-27 13:35
It seems to me that the

It seems to me that the "non-exportable" mark only makes sense (if it makes sense at all) when the private key & certificate are part of a security device. Hence the USB stick being able to designate the key that way.

Are all USB sticks in Switzerland able to lock up a certificate? Or just special ones for that purpose? What software is used with the certificate?

(Those of us in less technically advanced countries like to know such things. But maybe it is off topic, so ignore the question.)

MC

ottosykora
Offline
Last seen: 2 days 23 hours ago
Joined: 2007-10-11 17:48
is complex stuff

but
>It seems to me that the "non-exportable" mark only makes sense (if it makes sense at all) when the private key & certificate are part of a security device. Hence the USB stick being able to designate the key that way.Are all USB sticks in Switzerland able to lock up a certificate? Or just special ones for that purpose? What software is used with the certificate?

Otto Sykora
Basel, Switzerland

rab040ma
Offline
Last seen: 5 months 9 hours ago
Joined: 2007-08-27 13:35
The normal (and secure) way

The normal (and secure) way to get a certificate is to generate the keys locally, send the public key to a certificate authority (as a certificate request) and receive the certificate back, pairing it with the private key which never left your control. If some Czech Republic (or Swiss or US) firm sets up your certificate and includes the private key, what's to prevent them from keeping a copy of the private key? No, I don't think I'd want to use a certificate like that if I didn't have complete and sole control over the private key.

I'd expect that the USB devices have the private key locked away, but that the Certificate (and the Subject information it certifies) are created from a Certificate Request and copied back into the device.

FF(P) can export the Certificate, which doesn't have the private key. That is how one normally does it. Making a Backup is another function altogether. Yes it works the same in that you could restore into another software, but that's your choice. You certainly wouldn't give your backup out when people request your Certificate. Being able to make a backup is no more risky than having someone steal your desktop computer, or accidentally leaving your USB device somewhere. If they can guess your password, they'll have access to the private key in any of those situations.

I usually think of the "don't export" flag as being a way to assure that you'll have to buy another certificate if your computer breaks or you get a new one and there's no way to restore from a backup, or you need to use a certificate on more than one machine. In other words, it is more likely to make the Certificate Authority profitable than it is to keep your private key secure.

MC

ottosykora
Offline
Last seen: 2 days 23 hours ago
Joined: 2007-10-11 17:48
right

>

firm sets up your certificate and includes the private key, what's to prevent them from keeping a copy of the private key?I'd expect that the USB devices have the private key locked away, but that the Certificate (and the Subject information it certifies) are created from a Certificate Request and copied back into the device.I usually think of the "don't export" flag as being a way to assure that you'll have to buy another certificate if your computer breaks or you get a new one and there's no way to restore from a backup, or you need to use a certificate on more than one machine. In other words, it is more likely to make the Certificate Authority profitable than it is to keep your private key secure.

Otto Sykora
Basel, Switzerland

RMB Fixed
Offline
Last seen: 14 years 10 months ago
Joined: 2006-10-24 10:30
?????

Here is the OP's question :
"When I used FFP, very often "I get add certificate exception", nothing special about this, but all exceptions I did don't stay in firefox configuration.
Every time I go to these sites I have to redo the procedure for exception."

Is it just remotely conceivable that the reason for this behaviour is failure to
check the "make permanent exception" box ??

Log in or register to post comments