Where is the default certificate store?
I want to add CA certs to Firefox for all users, including new users. Where is the default cert / trust store for Firefox?
Firefox uses a file named cert8.db in the profile folder.
About profile folder files: Profiles - Where Firefox stores your bookmarks, passwords and other user data.
There is a tool you can use to programmatically add files to a cert8.db file but I've never tried it myself, so you probably would want to search around for tips from experienced users:
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil
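As an added illustration of the certutil approach mentioned above (this is not code from the thread or from Mozilla), the script below imports one CA certificate into the NSS database of every existing Firefox profile of the current user. It assumes certutil is on PATH, that the CA is a PEM file at the placeholder path in `CA_PEM`, and that profiles live under `~/.mozilla/firefox`; it also handles the difference between the legacy cert8.db and the newer cert9.db format.

```shell
#!/bin/sh
# Added example: push a CA into each existing Firefox profile with certutil.
# Assumptions: certutil (NSS tools) is installed, $CA_PEM points at the CA in
# PEM form (placeholder path below), profiles live under ~/.mozilla/firefox.
set -u

CA_PEM="${CA_PEM:-/etc/ssl/certs/example-internal-ca.pem}"   # placeholder
CA_NICK="${CA_NICK:-Example Internal Root CA}"               # nickname in the DB

# Choose the certutil database prefix for a profile directory.
# Newer profiles store certificates in cert9.db (SQLite, "sql:"); profiles that
# only have the legacy cert8.db need the Berkeley DB format ("dbm:").
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then
        echo "sql:"
    elif [ -f "$1/cert8.db" ]; then
        echo "dbm:"
    else
        return 1   # not an initialised NSS database directory
    fi
}

# Import the CA with trust flags "C,,": trusted to issue server (SSL) certs
# only, not client or e-mail certs, which is all an internal CA usually needs.
# Then read the entry back so a failed import yields a non-zero status.
add_ca_to_profile() {
    profile="$1"
    prefix=$(nss_db_prefix "$profile") || return 1
    certutil -A -d "${prefix}${profile}" -n "$CA_NICK" -t "C,," -i "$CA_PEM" || return 1
    certutil -L -d "${prefix}${profile}" -n "$CA_NICK" >/dev/null 2>&1
}

# Walk every existing profile; directories without an NSS database are skipped.
install_ca_in_all_profiles() {
    count=0
    for dir in "$HOME"/.mozilla/firefox/*/; do
        [ -d "$dir" ] || continue
        if add_ca_to_profile "${dir%/}"; then
            echo "installed '$CA_NICK' into $dir"
            count=$((count + 1))
        else
            echo "skipped $dir (no NSS database or certutil failed)" >&2
        fi
    done
    echo "$count profile(s) updated"
}

install_ca_in_all_profiles
```

This only touches profiles that already exist; a profile created later starts from Firefox's built-in store, which is the gap the question is about.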
Thanks, but I know where my profile is. I want to know where the certificate store in it comes from. If I edit mine, I'm only changing my own settings. If I look for and edit all existing profiles, I'm only changing existing profiles. I want a brand-new user who logs in to get the certificates I want them to have.
Hi, for some options to deploy this, please refer to https://wiki.mozilla.org/CA:AddRootToFirefox
Saw that. Doesn't help. Nothing in that article exposes where the store is, just mentions different tools that, presumably, "just know". The JavaScript section comes the closest, but something like "@mozilla.org/security/x509certdb;1" is not a filesystem path... something tells JavaScript what "@mozilla.org" is, but it sure doesn't tell me!
And on top of that, the link for CCK2 is bad.
Neither of those pages tell me where the default certificate store is.
I found these in a search, not sure if you already found them:
- http://superuser.com/questions/1151657/where-do-firefox-store-the-default-certificates (references "nssckbi.dll", which might be different on Linux)
- http://forums.mozillazine.org/viewtopic.php?f=38&t=3002375 (how to deal with Firefox no longer having a default profile folder to store a modified cert8.db file)
Thanks. So... Mozilla has gone out of their way to hide and obfuscate this as much as possible. Wonderful. Sometimes it seems like developers forget about people using their software and just want to show off how clever they can be. And I've never understood why I should trust Chinese, Russian, Turkish, etc. CAs just because Google or Mozilla or Apple or Microsoft say I should.
I'm going to corner the Firefox folks at the next ScaLE and try to pry some answers or a commitment to change out of them :-)
While it might have been done this way just to make your life difficult, it's also possible that using a compiled file was to reduce the potential for tampering by bad actors.
On the larger question of what CAs to (dis)trust, there may be a mailing list for that: https://lists.mozilla.org/listinfo