KaarPux Package: certdata

Certificates for the Web. Originally for Mozilla Firefox, but used by others as well.

  • Bootstrap 8

CA Certificates

The Mozilla trusted Certification Authority (CA) certificates are used in KaarPux as trusted root certificates for Mozilla applications (e.g. KaarPux Package: firefox), but also for other applications, such as OpenSSL (KaarPux Package: openssl) and Java (KaarPux Package: openjdk-cacerts).

The certificates are found in a single file (certdata.txt) from Mozilla Network Security Services (NSS).

Certificate data is kept in /etc/ssl/certs.

The certdata.txt is processed by mk-ca-bundle.pl, which is a slightly modified version of curl mk-ca-bundle.pl, which creates ca-bundle.crt and *.pem files.

Additional CA Certificate

We also install the SPI CA root certificate from Software in the Public Interest.

This is used by e.g. alioth.debian.org. Note that this certificate is not automatically imported into e.g. KaarPux Package: firefox.

Certificates from Mozilla

It seems that the cannonical source for certificates in Mozilla is hg.mozilla.org/projects/nss. So this is where to look to understand why certain certificates have been included or excluded.

Apparently, the certdata.txt “moves” through the Mozilla trees as follows:

In KaarPux we generally pick the latest mozilla-release.


Browse to the tip of mozilla-release, to get the latest released version.

Select file next to certdata.txt.

You should now have a URL like http://hg.mozilla.org/mozilla-release/file/fe0b9a75b342/security/nss/lib/ckfw/builtins/certdata.txt, where the checkin like fe0b9a75b342 is the parameter you need to change for the version: in certdata.yaml


You may also want to verify, that there is no update to curl mk-ca-bundle.pl, newer than KaarPux mk-ca-bundle.pl



If the certdata package is updated, you must reinstall KaarPux Package: openjdk-cacerts.