1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
|
<?xml version="1.0" encoding="utf-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
%brandDTD;
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Certificate Manager</title>
<link rel="stylesheet" href="helpFileLayout.css"
type="text/css"/>
</head>
<body>
<div class="boilerPlate">This document is provided for your information only.
It may help you take certain steps to protect the privacy and security of
your personal information on the Internet. This document does not, however,
address all online privacy and security issues, nor does it represent a
recommendation about what constitutes adequate privacy and security
protection on the Internet.</div>
<h1 id="certificate_manager">Certificate Manager</h1>
<p>This section describes how to use the Certificate Manager. For more
information on using certificates, see <a href="using_certs_help.xhtml">Using
Certificates</a>.</p>
<p>If you are not currently viewing the Certificate Manager window, follow
these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy & Security category, click Certificates. (If no
subcategories are visible, double-click Privacy & Security to expand
the list.)</li>
<li>Click Manage Certificates.</li>
</ol>
<div class="contentsBox">In this section:
<ul>
<li><a href="#your_certificates">Your Certificates</a></li>
<li><a href="#people">People</a></li>
<li><a href="#servers">Servers</a></li>
<li><a href="#authorities">Authorities</a></li>
<li><a href="#others">Others</a></li>
</ul>
</div>
<h2 id="your_certificates">Your Certificates</h2>
<p>The Your Certificates tab in the <a href="#certificate_manager">Certificate
Manager</a> displays the certificates on file that identify you. Your
certificates are listed under the names of the organizations that issued
them. If you can't see certificate names under an organization's
name, double-click the name to expand it.</p>
<p>Use the following buttons to view and manage your certificates (most actions
require one or more certificates to be selected):</p>
<ul>
<li><strong>View</strong>: Display detailed information about the selected
certificates.</li>
<li><strong>Backup</strong>: Initiate the process of saving the selected
certificates. A window appears that allows you to choose a password to
protect the backup. You can then save the backup in a directory of your
choice.</li>
<li><strong>Backup All</strong>: Initiate the process of saving all the
certificates stored in the
<a href="glossary.xhtml#software_security_device">Software Security
Device</a>.
<p><strong>Note</strong>: Certificates on smart cards cannot be backed up.
Whether you select some of your certificates and click Backup, or click
Backup All, the resulting backup file will not include any certificates
stored on smart cards or other external security devices. You can only
back up certificates that are stored on the built-in Software Security
Device.</p>
</li>
<li><strong>Import</strong>: Import a file containing one or more
certificates that were previously backed up. When you click Import,
Certificate Manager first asks you to locate the file that contains the
backup. The names of certificate backup files typically end in
<tt>.p12</tt>; for example, <tt>MyCert.p12</tt>. After you select the file
to be imported, Certificate Manager asks you to enter the password that you
set when you backed up the certificate.</li>
<li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>
<h3 id="choose_a_certificate_backup_password">Choose a Certificate Backup
Password</h3>
<p>A certificate backup password protects one or more certificates that you are
backing up from the <a href="#your_certificates">Your Certificates</a> tab in
the Certificate Manager.</p>
<p>The Certificate Manager asks you to set this password when you back up
certificates, and requests it when you attempt to import certificates that
have previously been backed up.</p>
<ul>
<li><strong>Certificate backup password</strong>: Type your backup password
into this field.</li>
<li><strong>Certificate backup password (again)</strong>: Type your backup
password again. If you don't type it the second time exactly as you
did the first time, the OK button remains inactive. If this happens, try
typing the new password again.</li>
</ul>
<p>If someone obtains the file containing a certificate that you have backed up
and successfully imports the certificate, that person can send messages or
access websites while pretending to be you. This can be a problem, for
example, if you digitally sign important email messages or manage your bank
or investment accounts over the Internet.</p>
<p>Therefore, it's important to select a certificate backup password that
is difficult to guess. The <strong>password quality meter</strong> gives you
a rough idea of the quality of your password as you type it based on factors
such as length and the use of uppercase letters, lowercase letters, numbers,
and symbols. It does not guarantee that your password cannot be guessed,
however.</p>
<p>For further guidelines, see
<a href="passwords_help.xhtml#choosing_a_good_password">Choosing a Good
Password</a>.</p>
<p>It's also important to record the password in a safe place—and
not anywhere that's easily accessible to someone else. If you forget
this password, you can't import the backup of your certificate.</p>
<h3 id="delete_your_certificates">Delete Your Certificates</h3>
<p>Before deleting one of your own expired certificates from the
<a href="#your_certificates">Your Certificates</a> tab in the Certificate
Manager, make sure you won't need it again some day for reading old
email messages that you may have encrypted with the corresponding private
key.</p>
<h2 id="people">People</h2>
<p>The People tab in the <a href="#certificate_manager">Certificate Manager</a>
displays email certificates you have on file that identify other people.</p>
<p>When people send you digitally signed email messages, Certificate Manager
imports their certificates automatically. You can use these certificates to
send encrypted messages to those people.</p>
<p>Certificates that identify people are listed under the names of the
organizations that issued them. If you can't see certificate names under
an organization's name, double-click the name to expand it.</p>
<p>Use the following buttons to view and manage your certificates (most actions
require one or more certificates to be selected):</p>
<ul>
<li><strong>View</strong>: Display detailed information about the selected
certificates.</li>
<li><strong>Import</strong>: Import a file containing one or more
certificates. When you click Import, Certificate Manager first asks you
to locate the file that contains the certificate(s).</li>
<li><strong>Export</strong>: Export the selected certificates. You can
choose among various formats.</li>
<li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>
<h3 id="delete_email_certificates">Delete Email Certificates</h3>
<p>Before deleting someone else's certificate from the
<a href="#people">People</a> tab in the Certificate Manager, make sure you
won't need it again some day to send encrypted email to that person or
to verify digital signatures on messages from that person.</p>
<h2 id="servers">Servers</h2>
<p>The Servers tab in the Certificate Manager displays certificates you have
on file that identify servers (websites, mail servers).</p>
<p>Certificates that identify servers are grouped under the names of the
organizations that issued them. If you can't see certificate names under
an organization's name, double-click the name to expand it.</p>
<p>Use the following buttons to view and manage your certificates (most actions
require one or more certificates to be selected):</p>
<ul>
<li><strong>View</strong>: Display detailed information about the selected
certificates.</li>
<li><strong>Export</strong>: Export the selected certificates. You can
choose among various formats.</li>
<li><strong>Delete</strong>: Delete the selected certificates.</li>
<li><strong>Add Exception</strong>: Add a security exception for a server
(website, mail server) that identifies itself with invalid information.
This is an advanced feature, act with caution.</li>
</ul>
<h3 id="delete_website_certificates">Delete Website Certificates</h3>
<p>Before deleting a server certificate from the
<a href="#servers">Servers</a> tab in the Certificate Manager, make sure that
you won't need it again for the purposes of identifying a website or
mail server and setting up an encrypted connection.</p>
<h2 id="authorities">Authorities</h2>
<p>The Authorities tab in the <a href="#certificate_manager">Certificate
Manager</a> displays the certificates you have on file that identify
<a href="glossary.xhtml#certificate_authority">certificate authorities
(CAs)</a>.</p>
<p>CA certificates are grouped under the names of the organizations that issued
them. If you can't see certificate names under an organization's
name, double-click the name to expand it.</p>
<p>Use the following buttons to view and manage your certificates (most actions
require one or more certificates to be selected):</p>
<ul>
<li><strong>View</strong>: Display detailed information about the selected
certificates.</li>
<li><strong>Edit Trust</strong>: View or change the settings that Certificate
Manager associates with the selected certificates. You can use these
settings to designate what kinds of certificates, if any, you trust that
are issued by the corresponding CAs.</li>
<li><strong>Import</strong>: Import a file containing one or more
certificates. When you click Import, Certificate Manager first asks you
to locate the file that contains the certificate(s).</li>
<li><strong>Export</strong>: Export the selected certificates. You can
choose among various formats.</li>
<li><strong>Delete or Distrust</strong>: Delete the selected certificates.</li>
</ul>
<p>To ensure that an entire
<a href="glossary.xhtml#certificate_chain">certificate chain</a> of CAs are
all trusted, you need to edit the root CA certifiate only.</p>
<p>To import the chain, you click a link on a web page provided by the CA. You
can then use the authorities tab to locate the root certificate and edit its
trust settings.</p>
<p>The root and intermediate CAs all appear under the same organization. The
root certificate is the one that lists itself as the issuer.</p>
<p><strong>If you download an intermediate CA</strong>: If you download an
intermediate CA certificate that chains to a root certificate already marked
as trusted in your browser, you don't have to indicate what purposes you
trust it for. Intermediate certificates automatically inherit the trust
settings of their roots.</p>
<h3 id="edit_ca_certificate_trust_settings">Edit CA Certificate Trust
Settings</h3>
<p>When you select a CA certificate from the
<a href="#authorities">Authorities</a> tab in the Certificate Manager and
click Edit, you see a window entitled <q>Edit CA certificate trust
settings</q>. Here you specify the kinds of certificates you trust this CA
to certify. If you deselect all the checkboxes, Certificate Manager will not
trust any certificates issued by this CA.</p>
<p>The settings have these effects:</p>
<ul>
<li><strong>This certificate can identify websites</strong>: Certificate
Manager will trust certificates issued by this CA for the purpose of
identifying websites and encrypting website connections. If you deselect
this checkbox, Certificate Manager will not trust website certificates
issued by this CA.</li>
<li><strong>This certificate can identify mail users</strong>: Certificate
Manager will trust certificates issued by this CA for the purpose of
signing or encrypting email. If you deselect this checkbox, Certificate
Manager will not trust email certificates issued by this CA.</li>
<li><strong>This certificate can identify software makers</strong>:
Certificate Manager will trust certificates issued by this CA for the
purpose of identifying software makers. If you deselect this checkbox,
Certificate Manager will not trust such certificates issued by this
CA.</li>
</ul>
<p>Click OK to confirm the settings you have selected.</p>
<h3 id="delete_ca_certificates">Delete CA Certificates</h3>
<p>Before deleting a CA certificate from the
<a href="#authorities">Authorities</a> tab in the Certificate Manager,
make sure that you won't need it again to validate certificates issued
by that CA. If you delete the only valid certificate you have for a CA,
Certificate Manager will no longer trust any certificates issued by that
CA.</p>
<h2 id="others">Others</h2>
<p>The Others tab in the Certificate Manager displays certificates you have
on file that do not fit in any of the other categories, i.e. certificates
that neither belong to you, other people, servers or CAs.</p>
<p>Other certificates are grouped under the names of the organizations that
issued them. If you can't see certificate names under an
organization's name, double-click the name to expand it.</p>
<p>Use the following buttons to view and manage your certificates:</p>
<ul>
<li><strong>View</strong>: Display detailed information about the selected
certificates.</li>
<li><strong>Export</strong>: Export the selected certificates. You can
choose among various formats.</li>
<li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>
<h2 id="device_manager">Device Manager</h2>
<p>This section describes the options available in the Device Manager window.
For background information and step-by-step instructions on the use of the
Device Manager, see
<a href="using_certs_help.xhtml#managing_smart_cards_and_other_security_devices">Managing
Smart Cards and Other Security Devices</a>.</p>
<p>If you are not currently viewing the Device Manager window, follow these
steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy & Security category, click Certificates. (If no
subcategories are visible, double-click Privacy & Security to expand
the list.)</li>
<li>In the Certificates panel, click Manage Security Devices.</li>
</ol>
<p>The Device Manager lists each available PKCS #11 module, and the security
devices managed by each module below the module's name.</p>
<p>When you select a module or device, information about the selected item
appears in the middle of the window, and some of the buttons on the right
side of the window become available. In general, you perform an action on
a module or device by selecting its name and clicking the appropriate
button:</p>
<ul>
<li><strong>Log In</strong>: Log into the selected security device. After you
have logged in to the device, the frequency with which you will be asked to
enter the master password for the device depends on the
<a href="passwords_help.xhtml#master_password_timeout">Master Password
Timeout</a> settings.</li>
<li><strong>Log Out</strong>: Log out of the selected security device. After
you have logged out of the device, the device and the certificates it
contains will not be available until you log in again.</li>
<li><strong>Change Password</strong>: Change the master password for the
selected security device.</li>
<li><strong>Load</strong>: Displays a dialog box that allows you to specify
the name and location of a new PKCS #11 module. Before adding a new module,
you should first install the module software on your computer and if
necessary connect any associated hardware device. Follow the instructions
provided by the vendor.</li>
<li><strong>Unload</strong>: Unload the selected module. If you unload a
module, both the module and its security devices are no longer available
for use by the browser.</li>
<li><strong>Enable FIPS</strong>: Turns the FIPS mode on and off. For more
information, see
<a href="using_certs_help.xhtml#enable_fips_mode">Enable FIPS
Mode</a>.</li>
</ul>
</body>
</html>
|