I thought by adding certificates to /etc/ssl/certs they would automatically be used in browsers and mail clients. How much wronger can you be...
- Mozilla uses libnss, which brings its own list of trusted certificates in /usr/lib/firefox/libnssckbi.so (see bug #316436)
- KDE comes with its own certificates kdelibs5-data: /usr/share/kde4/apps/kssl/ca-bundle.crt
- Seems that Kleopatra only works on stuff under ~/.gnupg and ignores /etc/ssl/certs ? Kleopatra and KMail use gpgsm for S/MIME?
gpgsm seems to come with an empty trust list? https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/273625
KDE SSL bug https://bugs.kde.org/show_bug.cgi?id=162485
Fedora is working to consolidate Cryptography: https://fedoraproject.org/wiki/FedoraCryptoConsolidation
The matter has also been discussed on debian-devel without a conclusion: http://lists.debian.org/debian-devel/2011/04/msg01062.html
This might work to make ca-certificates available in KDE apps? (source)
# dpkg-divert --local --rename --add /usr/share/kde4/apps/kssl/ca-bundle.crt # ln -s /etc/ssl/certs/ca-certificates.crt /usr/share/kde4/apps/kssl/ca-bundle.crt
Related to this is also global setting of other cryptographic settings, see CryptoPolicy for suggestions.