Add a private / custom Certificate Authority (CA) to the firefox trust store

The CAcert root certificate is shipped by neither Debian nor Firefox, which makes it a good example for adding a private CA. This does not mean we specifically endorse this CA; it is just an example.

$ gnutls-cli wiki.cacert.org:443
...
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ wget http://www.cacert.org/certs/root_X0F.crt

$ gnutls-cli --x509cafile root_X0F.crt wiki.cacert.org:443
...
- Status: The certificate is trusted. 
...
- Handshake was completed
...

$ sudo cp root_X0F.crt /usr/local/share/ca-certificates/cacert-org-root-ca.crt
$ sudo update-ca-certificates --verbose
...
Adding debian:cacert-org-root-ca.pem
...

$ gnutls-cli wiki.cacert.org:443
...
- Status: The certificate is trusted.

However, Firefox uses its own trust store and will still display a security error when connecting to https://wiki.cacert.org. To make Firefox trust the Debian trust store, we need to add a so-called ''security device'': in fact an extra library that wraps the Debian trust store and exposes it through the PKCS#11 industry-standard interface, which Firefox supports.

$ sudo apt install p11-kit p11-kit-modules

$ trust list | grep --context 2 'CA Cert'
pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority

$ dpkg --listfiles p11-kit-modules | grep trust
/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so

In Firefox, open the Security Devices dialog (Preferences → Privacy & Security → Certificates → “Security Devices”), then click “Load”. In the popup window, use “My local trust” as the module name and /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so as the module filename. After adding the module, you should see it in the list of Security Devices, with /etc/ssl/certs/ca-certificates.crt as its description.
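The `trust list` output above identifies each object by a PKCS#11 URI (RFC 7512) whose percent-encoded `id` attribute is the key identifier p11-kit assigned, normally the certificate's Subject Key Identifier. The following added example (not part of this how-to) parses that output into records, decodes the URI, and lists every trust anchor with its key id in hex so it can be compared against the root file you installed; the sample text is constructed from the record shown above plus a made-up non-anchor entry.

```python
# Parse p11-kit `trust list` output and decode PKCS#11 URIs (stdlib only).
from urllib.parse import unquote_to_bytes

# Constructed sample: first record copied from the how-to, second is made up
# so that the anchor filter has something to exclude.
SAMPLE_TRUST_LIST = """\
pkcs11:id=%16%B5%32%1B%D4%C7%F3%E0%E6%8E%F3%BD%D2%B0%3A%EE%B2%39%18%D1;type=cert
    type: certificate
    label: CA Cert Signing Authority
    trust: anchor
    category: authority

pkcs11:id=%00%01%02%03;type=cert
    type: certificate
    label: Example Distrusted CA (constructed)
    trust: blacklisted
    category: authority
"""

def parse_pkcs11_uri(uri):
    """Return the path attributes of a PKCS#11 URI as {name: bytes}.
    Percent-encoding is undone; the query part (after '?') is ignored."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value)
    return attrs

def parse_trust_list(text):
    """Group `trust list` lines into one dict per object.
    A record starts at an unindented pkcs11: line; indented 'key: value'
    lines belong to the most recent record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("pkcs11:"):
            current = {"uri": line.strip()}
            records.append(current)
        elif line.startswith(" ") and current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def trust_anchors(text):
    """Return (label, hex key id) for every object with 'trust: anchor'."""
    out = []
    for rec in parse_trust_list(text):
        if rec.get("trust") == "anchor":
            key_id = parse_pkcs11_uri(rec["uri"]).get("id", b"")
            out.append((rec.get("label", ""), key_id.hex()))
    return out
```

Feed it the real output with `trust_anchors(subprocess.check_output(["trust", "list"], text=True))` and compare the hex id with `openssl x509 -in root_X0F.crt -noout -ext subjectKeyIdentifier`.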