<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
%brandDTD;
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Using Certificates</title>
<link rel="stylesheet" href="helpFileLayout.css"
type="text/css"/>
</head>
<body>
<h1 id="using_certificates">Using Certificates</h1>
<p>A certificate is the digital equivalent of an ID card. Just as you may have
several ID cards for different purposes, such as a driver&apos;s license, an
employee ID card, or a credit card, you can have several different
certificates that identify you for different purposes.</p>
<p>This section describes how to perform operations related to
certificates.</p>
<div class="contentsBox">In this section:
<ul>
<li><a href="#getting_your_own_certificate">Getting Your Own
Certificate</a></li>
<li><a href="#checking_security_for_a_web_page">Checking Security for a Web
Page</a></li>
<li><a href="#managing_certificates">Managing Certificates</a></li>
<li><a href="#managing_smart_cards_and_other_security_devices">Managing
Smart Cards and Other Security Devices</a></li>
<li><a href="#managing_ssltls_warnings_and_settings">Managing SSL/TLS
Warnings and Settings</a></li>
<li><a href="#controlling_validation">Controlling Validation</a></li>
</ul>
</div>
<h1 id="getting_your_own_certificate">Getting Your Own Certificate</h1>
<p>Much like a credit card or a driver&apos;s license, a certificate is a form
of identification you can use to identify yourself over the Internet and
other networks. Like other commonly used personal IDs, a certificate is
typically issued by an organization with recognized authority to issue such
identification. An organization that issues certificates is called a
<strong>certificate authority (CA)</strong>.</p>
<p>You can obtain certificates that identify you from public CAs, from system
administrators or special CAs within your organization, or from websites
offering specialized services that require a means of identification more
reliable than your name and password.</p>
<p>Just as the requirements for a driver&apos;s license vary depending on the
type of vehicle you want to drive, the requirements for obtaining a
certificate vary depending on what you want to use it for. In some cases
getting a certificate may be as easy as going to a website, entering some
personal information, and automatically downloading the certificate into your
browser. In other cases you may have to go through more complicated
procedures.</p>
<p>You can obtain a certificate today by visiting the URL for a certificate
authority and following the on-screen instructions. For a list of certificate
authorities issuing certificates recognized by &brandShortName;, see the
online document Certificate List.</p>
<p>Once you obtain a certificate, it is automatically stored in a
<a href="glossary.xhtml#security_device">security device</a>. Your browser
comes with its own built-in Software Security Device. A security device can
also be a piece of hardware, such as a smart card.</p>
<p>Like a driver&apos;s license or a credit card, a certificate is a valuable
form of identification that can be abused if it falls into the wrong hands.
Once you&apos;ve obtained a certificate that identifies you, you should
protect it in two ways: by backing it up and by setting your
<a href="glossary.xhtml#master_password">master password</a>.</p>
<p>When you first obtain a certificate, you may be prompted to back it up. If
you haven&apos;t yet created a master password, you will be asked to create
one.</p>
<p>For detailed information about backing up a certificate and setting your
master password, see <a href="certs_help.xhtml#your_certificates">Your
Certificates</a>.</p>
<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
<h1 id="checking_security_for_a_web_page">Checking Security for a Web Page</h1>
<p>When you&apos;re viewing any web page, the lock icon near the lower-right
corner of the window informs you whether the entire contents of the page were
protected by <a href="glossary.xhtml#encryption">encryption</a> while they were
being received by your computer:</p>
<table summary="lock icons">
<tr>
<td><img alt="closed lock icon"/></td>
<td>A closed lock means that the page was protected by encryption when it
was received.</td>
</tr>
<tr>
<td><img alt="open lock icon"/></td>
<td>An open lock means the page was not protected by encryption when it was
received.</td>
</tr>
<tr>
<td><img alt="broken lock icon"/></td>
<td>A broken lock means that some or all of the elements within the page
were not protected by encryption when the page was received, even though
the outermost HTML page was encrypted.</td>
</tr>
</table>
<p>For more details about the encryption status of the page when it was
received, click the lock icon (or open the View menu, choose Page Info, and
click the Security tab).</p>
<p>The Security tab for Page Info provides two kinds of information:</p>
<ul>
<li>The top half describes whether the website displaying the page has been
verified. (For information on certificate verification, see
<a href="#controlling_validation">Controlling Validation</a>.)</li>
<li>The bottom half describes whether the contents of the page you are
viewing are protected by encryption while in transit over the network.</li>
</ul>
<p><strong>Important</strong>: The lock icon describes only the encryption
status of the page while it was being received by your computer. To be
notified when you send or receive information without encryption, or to
block potentially harmful mixed content, select the appropriate SSL/TLS
warning and mixed content options. See <a href="ssl_help.xhtml">Privacy &amp;
Security Preferences - SSL/TLS</a> for details.</p>
<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
<h1 id="managing_certificates">Managing Certificates</h1>
<p>You can use the Certificate Manager to manage the certificates you have
available. Certificates may be stored on your computer&apos;s hard disk or on
<a href="glossary.xhtml#smart_card">smart cards</a> or other security devices
attached to your computer.</p>
<p>To open the Certificate Manager:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>In the Manage Certificates section, click Manage Certificates. You see
the Certificate Manager.</li>
</ol>
<div class="contentsBox">In this section:
<ul>
<li><a href="#managing_certificates_that_identify_you">Managing
Certificates that Identify You</a></li>
<li><a href="#managing_certificates_that_identify_people">Managing
Certificates that Identify People</a></li>
<li><a href="#managing_certificates_that_identify_servers">Managing
Certificates that Identify Servers</a></li>
<li><a href="#managing_certificates_that_identify_certificate_authorities">Managing
Certificates that Identify Certificate Authorities</a></li>
<li><a href="#managing_certificates_that_identify_others">Managing
Certificates that Identify Others</a></li>
</ul>
</div>
<h2 id="managing_certificates_that_identify_you">Managing Certificates that
Identify You</h2>
<p>When you first open the Certificate Manager, you&apos;ll notice that it has
several tabs across the top of its window. The first tab is called Your
Certificates, and it displays the certificates your browser or mail client
has available that identify you. Your certificates are listed under the names
of the organizations that issued them.</p>
<p>To perform an action on one or more certificates, click the entry for the
certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
to select more than one), then click one of the buttons at the bottom of the
Certificate Manager window. Each of these buttons brings up another window
that allows you to perform the action. Click the Help button in any window to
obtain more information about using that window.</p>
<p>For more details on how to view and manage these certificates, see
<a href="certs_help.xhtml#your_certificates">Your Certificates</a>.</p>
<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
<h2 id="managing_certificates_that_identify_people">Managing Certificates that
Identify People</h2>
<p>When you compose a mail message, you can choose to attach your digital
signature to it. A <a href="glossary.xhtml#digital_signature">digital
signature</a> allows recipients of the message to verify that the message
really comes from you and hasn&apos;t been tampered with since you sent
it.</p>
<p>Every time you send a digitally signed message, your encryption certificate
is automatically included with the message. This certificate allows the
message recipients to send you encrypted messages.</p>
<p>One of the easiest ways to obtain someone else&apos;s encryption certificate
is for that person to send you a digitally signed message. Certificate
Manager automatically stores other people&apos;s certificates whenever they
are received in this way.</p>
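<p>The exchange just described, as an added example that is not part of this
help page or of the mail client: a self-signed S/MIME certificate for a made-up
user Alice, a clear-signed message from her, the recipient extracting her
certificate from that message and using it to encrypt a reply, and a tampered
copy of the signed message failing verification. It assumes the openssl
command-line tool (OpenSSL 1.1.1 or later); all names, addresses and message
texts are invented.</p>

```shell
#!/bin/sh
# Added example, not part of the original help page or of the mail client: the signed-message
# exchange described above, carried out with the openssl command line. Alice, Bob, their
# addresses and the message texts are made up; assumes OpenSSL 1.1.1 or later.

# Alice's S/MIME certificate. A real one would be issued by a CA; here it is self-signed and
# the same file doubles as Bob's trust anchor. Extensions come from our own file, not from
# whatever openssl.cnf the system carries.
make_alice() {
    dir=$1
    printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.test\n' > "$dir/alice.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice Example/emailAddress=alice@example.test" \
        -keyout "$dir/alice.key" -out "$dir/alice.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/alice.csr" -signkey "$dir/alice.key" \
        -extfile "$dir/alice.ext" -out "$dir/alice.crt" >/dev/null 2>&1
}

# Alice signs. "-text" wraps the body as text/plain; the result is a clear-signed
# multipart/signed message carrying both the readable text and Alice's certificate.
sign_message() {
    dir=$1
    printf 'Hello Bob, lunch at noon?\n' > "$dir/msg.txt"
    openssl smime -sign -text -in "$dir/msg.txt" -out "$dir/signed.eml" \
        -signer "$dir/alice.crt" -inkey "$dir/alice.key"
}

# Bob verifies a received message: OK only if the signature matches the content and the
# signer's certificate chains to something Bob trusts (here Alice's own certificate plays the CA).
verify_message() {
    dir=$1; file=$2
    if openssl smime -verify -in "$file" -CAfile "$dir/alice.crt" -out /dev/null >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Bob pulls Alice's certificate out of the signed message (what Certificate Manager does for
# you automatically) and prints its subject.
extract_signer() {
    dir=$1
    openssl smime -verify -in "$dir/signed.eml" -noverify -signer "$dir/from_alice.crt" -out /dev/null >/dev/null 2>&1
    openssl x509 -in "$dir/from_alice.crt" -noout -subject
}

# Bob encrypts a reply to the certificate he received; only Alice's private key can open it.
encrypt_reply() {
    dir=$1
    printf 'Noon works. Bring the slides.\n' > "$dir/reply.txt"
    openssl smime -encrypt -aes256 -in "$dir/reply.txt" -out "$dir/reply.eml" "$dir/from_alice.crt"
}

# Alice decrypts. S/MIME canonicalises text to CRLF line ends, so strip the CR for comparison.
decrypt_reply() {
    dir=$1
    openssl smime -decrypt -in "$dir/reply.eml" -recip "$dir/alice.crt" -inkey "$dir/alice.key" 2>/dev/null | tr -d '\r'
}

# A message altered in transit: one word of the body is changed, the signature is left alone.
tamper() {
    dir=$1
    sed 's/^Hello Bob, lunch at noon/Hello Bob, lunch at midnight/' "$dir/signed.eml" > "$dir/tampered.eml"
}

# Walk through the exchange.
demo() {
    d=$(mktemp -d); make_alice "$d"; sign_message "$d"
    echo "signature on original message:  $(verify_message "$d" "$d/signed.eml")"   # OK
    echo "certificate from the message:   $(extract_signer "$d")"
    encrypt_reply "$d"
    echo "decrypted reply:                $(decrypt_reply "$d")"                     # Noon works. Bring the slides.
    tamper "$d"
    echo "signature on altered message:   $(verify_message "$d" "$d/tampered.eml")"  # FAIL
    rm -rf "$d"
}
demo
```

<p>The verification step is where trust is decided: the signature alone only
proves that whoever holds the private key matching the embedded certificate
signed the message, and it is the chain from that certificate to a CA you trust
(here, the self-signed certificate standing in for one) that ties the key to
Alice.</p>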
<p>To view all the certificates identifying other people that are available to
the Certificate Manager, click the People tab at the top of the
Certificate Manager window. You can send encrypted messages to anyone for
whom a valid certificate is listed. Certificates are listed under the names
of the organizations that issued them.</p>
<p>To perform an action on one or more certificates, click the entry for the
certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
to select more than one), then click one of the buttons at the bottom of the
Certificate Manager window. Each of these buttons brings up another window
that allows you to perform the action. Click the Help button in any window to
obtain more information about using that window.</p>
<p>For more details on how to view and manage these certificates, see the
description of the Certificate Manager&apos;s
<a href="certs_help.xhtml#people">People</a> tab.</p>
<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
<h2 id="managing_certificates_that_identify_servers">Managing Certificates
that Identify Servers</h2>
<p>Some websites and mail servers use certificates to identify themselves. Your
browser checks that identification before it exchanges encrypted information
with the server, so that the encrypted connection really ends at the server you
intended and not at an impostor that has placed itself between you and that
server; encryption alone, without a verified identity, cannot rule that out.</p>
<p>If the URL for a website begins with <tt>https://</tt>, the website presents
a certificate when your browser connects to it. If you visit such a website and
its certificate was issued by a CA that the Certificate Manager doesn&apos;t know
about or doesn&apos;t trust, you will be asked whether you want to accept the
website&apos;s certificate. When you accept a new website certificate, the
Certificate Manager adds it to its list of website certificates. Accepting a
certificate this way means that you, rather than a trusted CA, are vouching for
the site&apos;s identity, so do it only when you can confirm that identity by
some other means.</p>
<p>To view all the website certificates available to your browser, click the
Servers tab at the top of the Certificate Manager window.</p>
<p>To perform an action on one or more certificates, click the entry for the
certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
to select more than one), then click one of the buttons at the bottom of the
Certificate Manager window. Each of these buttons brings up another window
that allows you to perform the action. Click the Help button in any window to
obtain more information about using that window.</p>
<p>For more details on how to view and manage these certificates, see the
description of the Certificate Manager&apos;s
<a href="certs_help.xhtml#servers">Servers</a> tab.</p>
<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
<h2 id="managing_certificates_that_identify_certificate_authorities">Managing
Certificates that Identify Certificate Authorities</h2>
<p>Like other commonly used forms of ID, a certificate is issued by an
organization with recognized authority to issue such identification. An
organization that issues certificates is called a
<a href="glossary.xhtml#certificate_authority">certificate authority
(CA)</a>. A certificate that identifies a CA is called a CA certificate.</p>
<p>Certificate Manager typically has many CA certificates on file. These CA
certificates permit Certificate Manager to recognize and work with
certificates issued by the corresponding CAs. However, the presence of a CA
certificate in this list does <em>not</em> guarantee that the certificates it
issues can be trusted. You or your system administrator must make decisions
about what kinds of certificates to trust depending on your security
needs.</p>
<p>To view all the CA certificates available to your browser, click the
Authorities tab at the top of the Certificate Manager window.</p>
<p>To perform an action on one or more CA certificates, click the entry for the
certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
to select more than one), then click one of the buttons at the bottom of the
Certificate Manager window. Each of these buttons brings up another window
that allows you to perform the action. Click the Help button in any window to
obtain more information about using that window.</p>
<p>For more details on how to view and manage these certificates, see the
description of the Certificate Manager&apos;s
<a href="certs_help.xhtml#authorities">Authorities</a> tab.</p>
<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
<h2 id="managing_certificates_that_identify_others">Managing Certificates that
Identify Others</h2>
<p>To see all certificates that do not fit into any of the other categories,
click the Others tab at the top of the Certificate Manager window.</p>
<p>For more details on how to view and manage these certificates, see the
description of the Certificate Manager&apos;s
<a href="certs_help.xhtml#others">Others</a> tab.</p>
<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
<h1 id="managing_smart_cards_and_other_security_devices">Managing Smart Cards
and Other Security Devices</h1>
<p>A smart card is a small device, typically about the size of a credit card,
that contains a microprocessor and is capable of storing information about
your identity (such as your <a href="glossary.xhtml#private_key">private
keys</a> and <a href="glossary.xhtml#certificate">certificates</a>) and
performing cryptographic operations.</p>
<p>To use a smart card, you typically need to have a smart card reader (a piece
of hardware) attached to your computer, as well as software on your computer
that controls the reader.</p>
<p>A smart card is just one kind of security device. A security device
(sometimes called a token) is a hardware or software device that provides
cryptographic services and stores information about your identity. Use the
Device Manager to work with smart cards and other security devices.</p>
<div class="contentsBox">In this section:
<ul>
<li><a href="#about_security_devices_and_modules">About Security Devices
and Modules</a></li>
<li><a href="#using_security_devices">Using Security Devices</a></li>
<li><a href="#using_security_modules">Using Security Modules</a></li>
<li><a href="#enable_fips_mode">Enable FIPS Mode</a></li>
</ul>
</div>
<h2 id="about_security_devices_and_modules">About Security Devices and
Modules</h2>
<p>The Device Manager displays a window that lists the available security
devices. You can use the Device Manager to manage any security devices,
including smart cards, that support the Public Key Cryptography Standard
(PKCS) #11.</p>
<p>A <a href="glossary.xhtml#pkcs_11_module">PKCS #11 module</a> (sometimes
called a security module) controls one or more security devices in much the
same way that a software driver controls an external device such as a printer
or modem. If you are installing a smart card, you must install the PKCS #11
module for the smart card on your computer as well as connecting the smart
card reader.</p>
<p>By default, the Device Manager controls two internal PKCS #11 modules that
manage three security devices:</p>
<ul>
<li><strong>&brandShortName; Internal PKCS #11 Module</strong>: Controls two
security devices:
<ul>
<li><strong>Generic Crypto Services</strong>: A special security device
that performs all cryptographic operations required by the
&brandShortName; Internal PKCS #11 Module.</li>
<li><strong>Software Security Device</strong>: Stores your certificates
and keys that aren&apos;t stored on external security devices,
including any CA certificates that you may have installed in addition
to those that come with the browser.</li>
</ul>
</li>
<li><strong>Builtin Roots Module</strong>: Controls a special security device
called the Builtin Object Token. This security device stores the default
<a href="glossary.xhtml#ca_certificate">CA certificates</a> that come with
the browser.</li>
</ul>
<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
beginning of section</a>]</p>
<h2 id="using_security_devices">Using Security Devices</h2>
<p>The Device Manager allows you to perform operations on security devices. To
open the Device Manager, follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>In the Certificates panel, click Manage Security Devices.</li>
</ol>
<p>The Device Manager lists each available PKCS #11 module in boldface, and the
security devices managed by each module below its name.</p>
<p>When you select a security device, information about it appears in the
middle of the Device Manager window, and some of the buttons on the right
side of the window become available. For example, if you select the Software
Security Device, you can perform these actions:</p>
<ul>
<li>Click Login or Logout to log in or out of the Software Security Device.
If you are logging in, you will be asked to supply the master password for
the device. You must be logged into a security device before your browser
software can use it to provide cryptographic services.</li>
<li>Click Change Password to change the master password for the device.</li>
</ul>
<p>You can perform these actions on most security devices. However, you cannot
perform them on the Builtin Object Token or Generic Crypto Services, which
are special devices that must normally be available at all times.</p>
<p>For more details, see <a href="certs_help.xhtml#device_manager">Device
Manager</a>.</p>
<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
beginning of section</a>]</p>
<h2 id="using_security_modules">Using Security Modules</h2>
<p>If you want to use a smart card or other external security device, you must
first install the module software on your computer and, if necessary, connect
any associated hardware. Follow the instructions that come with the
hardware.</p>
<p>After a new module is installed on your computer, follow these steps to load
it:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>In the Certificates panel, click Manage Security Devices.</li>
<li>Click Load.</li>
<li>In the Load PKCS #11 Module dialog box, click the Browse button, locate
the module file, and click Open.</li>
<li>Fill in the Module Name field with the name of the module and click
OK.</li>
</ol>
<p>The new module will then show up in the list of modules with the name you
assigned to it.</p>
<p>To unload a PKCS #11 module, select its name and click Unload.</p>
<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
beginning of section</a>]</p>
<h2 id="enable_fips_mode">Enable FIPS Mode</h2>
<p>Federal Information Processing Standards Publication (FIPS PUB) 140-1 is a
US government standard for implementations of cryptographic
modules&mdash;that is, hardware or software that encrypts and decrypts data
or performs other cryptographic operations (such as creating or verifying
digital signatures). It has since been succeeded by FIPS 140-2 and FIPS 140-3.
Many products sold to the US government must comply with one or more of the
FIPS standards.</p>
<p>To enable FIPS mode for the browser, you use the Device Manager:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>In the Certificates panel, click Manage Security Devices.</li>
<li>Click the Enable FIPS button. When FIPS is enabled, the name NSS Internal
PKCS #11 Module changes to NSS Internal FIPS PKCS #11 Module and the Enable
FIPS button changes to Disable FIPS.</li>
</ol>
<p>To disable FIPS mode, click Disable FIPS.</p>
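<p>The Device Manager steps in this section (Using Security Modules and Enable
FIPS Mode), as an added example that is not part of this help page or of the
browser: the same load, list, unload and FIPS operations performed with the NSS
command-line tools modutil and certutil against a throw-away database. It
assumes those tools are installed and that a PKCS #11 library such as the NSS
built-in roots module (libnssckbi.so) or SoftHSM (libsofthsm2.so) is present;
the module name and the directories searched are assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of the original help page or of the browser: the Device Manager steps
# (load a module, list devices, unload, toggle FIPS) done from the command line with the NSS
# tools modutil and certutil against a throw-away database. Assumes the NSS tools are installed
# and that a PKCS #11 library (libnssckbi.so or libsofthsm2.so) exists on the system. The module
# name and the search paths are made up; nothing here touches a real browser profile.

# A fresh, empty NSS database (cert9.db, key4.db, pkcs11.txt), the equivalent of a new profile's
# Software Security Device with no master password set.
create_db() {
    dir=$1
    certutil -N -d "sql:$dir" --empty-password
}

# Find a PKCS #11 library to load; prints the first match or fails.
find_module_lib() {
    for name in libnssckbi.so libsofthsm2.so; do
        found=$(find /usr/lib /usr/lib64 /usr/local/lib -name "$name" 2>/dev/null | head -n 1)
        if [ -n "$found" ]; then echo "$found"; return 0; fi
    done
    return 1
}

# "Load" in the Device Manager: register the library under a module name of your choosing.
# -force skips the "make sure the browser is closed" prompt; the same applies to every
# command below that writes to the database.
load_module() {
    dir=$1; name=$2; lib=$3
    modutil -dbdir "sql:$dir" -add "$name" -libfile "$lib" -force >/dev/null
}

# What the Device Manager shows: each module by name, and the security devices (slots and
# tokens) it controls beneath it.
list_modules() {
    dir=$1
    modutil -dbdir "sql:$dir" -list
}

# "Unload": remove the module from the database. Certificates and keys on that token are not
# deleted; they are simply unreachable until the module is loaded again.
unload_module() {
    dir=$1; name=$2
    modutil -dbdir "sql:$dir" -delete "$name" -force >/dev/null
}

# "Enable FIPS" / "Disable FIPS" for the internal module, then confirm the state with -chkfips,
# which fails if the database is not in the requested mode.
set_fips() {
    dir=$1; state=$2   # true or false
    modutil -dbdir "sql:$dir" -fips "$state" -force >/dev/null &&
    modutil -dbdir "sql:$dir" -chkfips "$state" >/dev/null
}

# Walk through load, list, unload.
demo() {
    command -v modutil >/dev/null 2>&1 || { echo "NSS tools not installed"; return 1; }
    d=$(mktemp -d)
    create_db "$d"
    lib=$(find_module_lib) || { echo "no PKCS #11 library found"; rm -rf "$d"; return 1; }
    load_module "$d" "Example Token" "$lib"
    list_modules "$d"
    unload_module "$d" "Example Token"
    rm -rf "$d"
}
demo
```

<p>To operate on a real profile instead of a scratch database, point
<tt>-dbdir</tt> at the profile directory with the browser closed; modutil
prompts about the running browser for exactly the reason the Device Manager
warns about, because two processes writing the same database can corrupt
it.</p>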
<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
beginning of section</a>]</p>
<h1 id="managing_ssltls_warnings_and_settings">Managing SSL/TLS Warnings and
Settings</h1>
<p>The Secure Sockets Layer (SSL) protocol allows your computer to exchange
information with other computers on the Internet in encrypted form&mdash;that
is, the information is scrambled while in transit so that no one else can
make sense of it. SSL is also used to identify computers on the Internet by
means of <a href="glossary.xhtml#certificate">certificates</a>.</p>
<p>The Transport Layer Security (TLS) protocol is the successor to SSL. The old
SSL versions have been deprecated for security reasons and TLS is the only
protocol the browser still supports. The default set of enabled TLS versions
works for most people with current servers. However, in some circumstances
system administrators or other knowledgeable persons may wish to adjust the
SSL/TLS settings to fine-tune them for special security needs or to account for
limited capabilities of some legacy servers. Keep in mind that lowering the
minimum TLS version to accommodate one legacy server weakens every connection
the browser makes, not just that one.</p>
<p>You shouldn&apos;t adjust the SSL/TLS settings for your browser unless you
know what you&apos;re doing or have the assistance of someone else who does.
If you do need to adjust them for some reason, follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, select SSL/TLS. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
</ol>
<p>For more details, see <a href="ssl_help.xhtml">SSL/TLS Settings</a>.</p>
<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
<h1 id="controlling_validation">Controlling Validation</h1>
<p>As discussed above under <a href="#getting_your_own_certificate">Getting Your
Own Certificate</a>, a certificate is a form of identification, much like a
driver&apos;s license, that you can use to identify yourself over the
Internet and other networks. However, also like a driver&apos;s license, a
certificate may expire or become invalid for some other reason. Therefore,
your browser software needs to confirm the validity of any given certificate
in some way before trusting it for identification purposes.</p>
<p>This section describes how Certificate Manager validates certificates and
how to control that process. To understand the process, you should have some
familiarity with <a href="glossary.xhtml#public-key_cryptography">public-key
cryptography</a>. If you are not familiar with the use of certificates, you
should check with your system administrator before attempting to change any
of your browser&apos;s certificate validation settings.</p>
<div class="contentsBox">In this section:
<ul>
<li><a href="#how_validation_works">How Validation Works</a></li>
<li><a href="#configuring_ocsp">Configuring OCSP</a></li>
</ul>
</div>
<h2 id="how_validation_works">How Validation Works</h2>
<p>Whenever you use or view a certificate stored by Certificate Manager, it
takes several steps to verify the certificate. At a minimum, it confirms that
the CA&apos;s digital signature on the certificate was created by a CA whose
own certificate is (1) present in the Certificate Manager&apos;s list of
available CA certificates and (2) marked as trusted for issuing the kind of
certificate being verified.</p>
<p>If the CA certificate is not itself present, the
<a href="glossary.xhtml#certificate_chain">certificate chain</a> for the CA
certificate must include a higher-level CA certificate that is present and
correctly trusted. Certificate Manager also confirms that the certificate
being verified is currently marked as trusted in the certificate store. If
any one of these checks fails, Certificate Manager marks the certificate as
unverified and won&apos;t recognize the identity it certifies.</p>
<p>A certificate can pass all these tests and still be compromised in some way;
for example, it may have been revoked by its CA because an unauthorized person
has gained access to the certificate&apos;s private key. A compromised
certificate can allow an unauthorized person (or website) to pretend to be
the certificate owner.</p>
<p>One way to combat this threat would be for Certificate Manager to check a
previously downloaded certificate revocation list (CRL) as part of the
verification process. However, those lists may be large and need to be
updated frequently in order to remain current and thus useful.</p>
<p>The preferred way to combat the threat of compromised certificates is to use
a special server that supports the Online Certificate Status Protocol (OCSP).
Such a server can answer client queries about individual certificates (see
<a href="#configuring_ocsp">Configuring OCSP</a>, below).</p>
<p>The server, called an OCSP responder, is operated by or on behalf of the CA
that issued the certificates to be verified and periodically receives updated
revocation information (typically the CRL) from it. You can configure
Certificate Manager to submit a status request for a certificate to the OCSP
responder, which replies with the certificate&apos;s revocation status: good,
revoked, or unknown. What happens when the responder cannot be reached depends
on the OCSP options described below.</p>
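<p>The checks described in this section, as an added example that is not part
of this help page or of the browser: a throw-away PKI built with the openssl
command-line tool (OpenSSL 1.1.1 or later assumed), verified under each of the
conditions above (trust anchor present or absent, chain completed or not,
expiry, purpose, host name), and then an OCSP request answered once as good and
once as revoked. All names and host names are invented, and the intermediate CA
acts as its own OCSP responder.</p>

```shell
#!/bin/sh
# Added example, not part of the original help page or of the browser: the validation steps
# described above, exercised with the openssl command line against a throw-away PKI.
# Assumes OpenSSL 1.1.1 or later. Every name, host name and file name is made up.

# Build a chain root CA -> intermediate CA -> server certificate in $1, plus an unrelated
# second root that signed nothing here. Self-signing goes through "x509 -req -signkey" so
# the extensions come from our files, not from whatever openssl.cnf the system carries.
build_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$dir/leaf.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' >> "$dir/leaf.ext"
    for name in root inter leaf rogue; do
        case $name in
            root)  subj="/CN=Example Root CA" ;;
            inter) subj="/CN=Example Intermediate CA" ;;
            leaf)  subj="/CN=www.example.test" ;;
            rogue) subj="/CN=Unrelated Root CA" ;;
        esac
        openssl req -newkey rsa:2048 -nodes -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    done
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 3650 -in "$dir/rogue.csr" -signkey "$dir/rogue.key" \
        -extfile "$dir/ca.ext" -out "$dir/rogue.crt" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1825 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.crt" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 90 -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Print OK or FAIL for verifying leaf.crt with $2 as the only trust anchor; remaining
# arguments are passed on to "openssl verify" (-untrusted, -attime, -purpose, ...).
verify_leaf() {
    dir=$1; anchor=$2; shift 2
    if openssl verify -CAfile "$anchor" "$@" "$dir/leaf.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Ask an OCSP responder about leaf.crt and print the answer (good or revoked). The responder
# is the intermediate CA answering for its own certificates; $2 is the status it has on
# record in its index: V (valid) or R (revoked).
ocsp_status() {
    dir=$1; status=$2
    serial=$(openssl x509 -in "$dir/leaf.crt" -noout -serial | cut -d= -f2)
    revinfo=""
    if [ "$status" = R ]; then revinfo="240101000000Z,keyCompromise"; fi
    # One line of the CA index, tab separated: status, expiry, revocation date[,reason],
    # serial, file, subject. Rows are looked up by serial; the expiry column is informational.
    printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=www.example.test\n' \
        "$status" "$revinfo" "$serial" > "$dir/index.txt"
    # Client: build the status request (issuer name hash, issuer key hash, serial).
    openssl ocsp -issuer "$dir/inter.crt" -cert "$dir/leaf.crt" -no_nonce -reqout "$dir/req.der" >/dev/null 2>&1
    # Responder: answer from the index and sign the response with the CA key.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/inter.crt" -rsigner "$dir/inter.crt" -rkey "$dir/inter.key" \
        -reqin "$dir/req.der" -respout "$dir/resp.der" >/dev/null 2>&1
    # Client: check the response signature against the trust store, then read the status.
    openssl ocsp -issuer "$dir/inter.crt" -cert "$dir/leaf.crt" -no_nonce -respin "$dir/resp.der" \
        -CAfile "$dir/root.crt" 2>/dev/null | sed -n '1s/^.*: //p'
}

# Run through the checks the help text describes and show each verdict.
demo() {
    d=$(mktemp -d); build_pki "$d"
    r="$d/root.crt"; i="$d/inter.crt"
    echo "root trusted, intermediate missing:  $(verify_leaf "$d" "$r")"                                  # FAIL
    echo "root trusted, chain supplied:        $(verify_leaf "$d" "$r" -untrusted "$i")"                  # OK
    echo "unrelated root trusted:              $(verify_leaf "$d" "$d/rogue.crt" -untrusted "$i")"        # FAIL
    echo "intermediate present, not a root:    $(verify_leaf "$d" "$i")"                                  # FAIL
    echo "intermediate explicitly trusted:     $(verify_leaf "$d" "$i" -partial_chain)"                   # OK
    echo "120 days from now (leaf expired):    $(verify_leaf "$d" "$r" -untrusted "$i" -attime "$(( $(date +%s) + 120 * 86400 ))")"  # FAIL
    echo "trusted for server use:              $(verify_leaf "$d" "$r" -untrusted "$i" -purpose sslserver)"  # OK
    echo "trusted for client use:              $(verify_leaf "$d" "$r" -untrusted "$i" -purpose sslclient)"  # FAIL
    echo "name matches www.example.test:       $(verify_leaf "$d" "$r" -untrusted "$i" -verify_hostname www.example.test)"   # OK
    echo "name matches evil.example.test:      $(verify_leaf "$d" "$r" -untrusted "$i" -verify_hostname evil.example.test)"  # FAIL
    echo "OCSP, not revoked:                   $(ocsp_status "$d" V)"   # good
    echo "OCSP, after revocation:              $(ocsp_status "$d" R)"   # revoked
    rm -rf "$d"
}
demo
```

<p>Whatever is passed to <tt>-CAfile</tt> is treated as trusted, so the
<tt>-partial_chain</tt> case corresponds to marking an intermediate as trusted
in the Authorities tab: an explicit trust decision, not mere presence, is what
makes a CA certificate usable. The expiry and host-name cases show why
validation has to be repeated at the time of use rather than decided once when
a certificate is first seen.</p>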
<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>
<h2 id="configuring_ocsp">Configuring OCSP</h2>
<p>The settings that control OCSP are part of Certificates preferences. To view
Certificates preferences, follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
</ol>
<p>For information about the OCSP options available, see
<a href="certs_prefs_help.xhtml#ocsp">Privacy &amp; Security Preferences -
Certificates, OCSP</a>.</p>
<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>
</body>
</html>