Installing self-signed SSL certificates on Firefox OS

Posted at 19 May 2014
Tags: firefoxOS, ssl

Mozilla’s mobile operating system Firefox OS unfortunately does not allow to trust self-signed SSL certificates. This is bad news if you run your own Email- and/or CalDAV server and want to access those services with your Firefox-driven phone. It will give up connecting with a “bad security” failure. Fortunately, it is possible to incorporate your certificates manually and work around this “security feature” (or limitation – depending on your point of view).


We will need adb (Android Debug Bridge) which is included in the Android SDK, and the Mozilla NSS Security Tools. The former is for communication and shell access to the phone and the latter for modifiying the certificate databases. NSS tools can be installed on OS X via MacPorts or Homebrew (package “nss”), or as “libnss3-tools” on Debian systems.

We should create the folders “import” and “backup” for later use. All your self-signed certificates (“.pem”-files), that will later be added to the phone’s certificate database, should be copied to the folder “import”.

Downloading the certificate database files

We determine the full path to the user profile on the phone with the following command:

adb shell "ls -d /data/b2g/mozilla/*.default"

It will give us something like “/data/b2g/mozilla/XYZ.default/”. Now we download the follwing files from our phone:

adb pull /data/b2g/mozilla/XYZ.default/cert9.db .
adb pull /data/b2g/mozilla/XYZ.default/key4.db .
adb pull /data/b2g/mozilla/XYZ.default/pkcs11.txt .

Make a backup of these files:

cp {cert9.db,key4.db,pkcs11.txt} backup/

Adding the self-signed certificates

The password for the downloaded certificate database needs to be cleared by calling the following command and leaving the password blank:

nss-certutil -d 'sql:.' -N

Now the for all “.pem” certificate files in the “import” directory, the database files will be updated and the certificates will be added:

for i in import/*.pem; do nss-certutil -d 'sql:.' -A -n "`basename $i`" -t "C,C,TC" -i $i; done

Important: Note that instead of nss-certutil, the command might also be called certutil.

Copying the new certificate database to the phone

At first, the OS on the phone needs to be stopped: adb shell stop b2g. Then the updated database files will be copied to the phone:

adb push cert9.db /data/b2g/mozilla/XYZ.default/
adb push key4.db /data/b2g/mozilla/XYZ.default/ 
adb push pkcs11.txt /data/b2g/mozilla/XYZ.default/

Firefox OS can be started again (adb shell start b2g) and now the added self-signed certificates will be recognized as valid certificates.

This is based on the information I found in Carmen Cabazas’ post in the Mozilla developer group.

If you spotted a mistake or want to comment on this post, please contact me: post(-at-)mkonrad(-dot-)net.
← “My master's thesis is online
View all posts
Slow connection using apt-get with ufw and IPv6” →