To set certificate options, start by going to Tools | Options | Advanced and then selecting Certificates. The Options screen with the Certificates option is shown in Figure F-1.
Figure F-1. The Options screen with the Certificates option displayed.
Client Certificate Selection
As you can see from Figure F-1, the Certificates option has several features. The first, Client Certificate Selection, allows you to specify the certificate to use. By default, when Firefox and a website create a secure connection, Firefox automatically uses the appropriate certificate to identify you, as requested by the website. However, if you check Ask Every Time, you can tell Firefox which certificate to use, which lets you set the security level or use a certificate with specific information.
You can view stored certificates, import new ones, or back up and delete certificates using the Certificate Manager. Click Manage Certificates to display the Certificate Manager screen (shown in Figure F-2).
Figure F-2. The Certificate Manager screen showing the Your Certificates tab.
Firefox lists any certificates you have. You can use this screen to view certificates, back up all or selected certificates, and import or delete certificates. You can adjust the certificate display by clicking the icon at the end of the row of headings. From here, you can select which columns of information you wish to have appear.
You can view certificate information by highlighting the certificate you want to look at and clicking View. The Certificate Viewer (shown in Figure F-3) displays information about the selected certificate.
Figure F-3. The Certificate Viewer showing general information about a certificate.
If you don't feel like you're getting enough information on the General tab, you can display the Details tab. You can select individual elements of the certificate and display just those details on this screen. Figure F-4 shows an example of this.
Figure F-4. The Certificate Viewer showing detailed information about a certificate.
As with any other data, it's a very good idea to back up your certificates as a precaution against disk crashes and data corruption. To back up a certificate, highlight the certificate you want to back up and click Backup. In the standard dialog box, enter the filename and directory to back up the certificate to and click OK. The Choose a Certificate Backup Password screen appears. Enter a password for the certificate backup (you don't want just anyone to be able to use this, after all) and then enter it again. As with the master password screen (shown in Chapter 2), Firefox rates the quality of your password on the password quality meter. An example appears in Figure F-5. After you click OK to complete the process, Firefox displays a small alert that tells you you've successfully backed up your certificates and private keys.
Figure F-5. The Choose a Certificate Backup Password screen.
If you need to restore a certificate that was previously backed up or you just want to install the certificate on another computer, click Import and open the certificate file using a standard open dialog box. When you click OK, you need to enter the certificate's backup password. Then Firefox imports the certificate information and updates the certificate list as necessary.
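A backup is only useful if it can be restored. The following added example (not from the book or from Firefox) uses the OpenSSL command-line tool to confirm that a backup file opens with its backup password and holds both a certificate and its private key. It assumes the backup is a PKCS#12 file; the function names, the P12_PASSWORD variable and the sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a certificate backup before relying on it.
# Assumption: the backup file is in PKCS#12 format.

# check_p12_backup FILE PASSWORD
# Returns 0 if FILE opens with PASSWORD and contains a certificate and a
# private key; 1 = wrong password or unreadable file, 2 = no certificate,
# 3 = no private key.
check_p12_backup() {
    p12=$1
    CHECK_PW=$2
    export CHECK_PW   # passed via the environment, not the command line
    # -noout: verify the integrity check and decrypt, but print nothing.
    openssl pkcs12 -in "$p12" -passin env:CHECK_PW -noout 2>/dev/null || return 1
    # A restorable identity needs the certificate ...
    openssl pkcs12 -in "$p12" -passin env:CHECK_PW -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 2
    # ... and the matching private key. The key is re-encrypted on output
    # with a throwaway passphrase, so it never appears in the clear.
    openssl pkcs12 -in "$p12" -passin env:CHECK_PW -nocerts \
        -passout pass:discarded 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 3
    return 0
}

# make_sample_backup DIR PASSWORD
# Builds a constructed, self-signed certificate and writes DIR/backup.p12,
# standing in for a real backup so the check can be tried offline.
make_sample_backup() {
    dir=$1
    SAMPLE_PW=$2
    export SAMPLE_PW
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "constructed sample" -passout env:SAMPLE_PW \
        -out "$dir/backup.p12" 2>/dev/null
}

# Run as a script: sh check_backup.sh backup.p12   (password in $P12_PASSWORD)
if [ $# -ge 1 ]; then
    if check_p12_backup "$1" "${P12_PASSWORD:-}"; then
        echo "backup OK"
    else
        echo "backup FAILED"
    fi
fi
```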
Finally, you can delete a certificate by highlighting the certificate and then clicking Delete and confirming the deletion.
If you have specifically requested certificates from other people, they'll show up on the Other People's tab (shown in Figure F-6). As with the preceding tab, you can view, edit, import, or delete certificates from this screen as well as change the column headings that appear in the table. Chances are very good that you'll never need to use this tab.
Figure F-6. The Certificate Manager screen showing the Other People's tab.
You can also have certificates for individual websites. These appear on the Web Sites tab, shown in Figure F-7. When you're downloading information from various websites and you encounter certificates, they'll show up in this screen. You won't see any certificates in this screen at first.
Figure F-7. The Certificate Manager screen showing the Web Sites tab.
As well as the usual view, import, and delete features, you can edit the certificate's information to tell Firefox if you trust the certificate. Highlight the certificate and click Edit to display the Edit web site certificate trust settings screen, shown in Figure F-8.
Figure F-8. The Edit web site certificate trust settings screen.
In this screen, you can tell Firefox to trust or not trust the authenticity of the certificate. If you trust the certificate, Firefox will subsequently access the website the certificate is for with no problems. If you do not trust the certificate, Firefox will display warning messages about the website the next time you visit it. If you don't trust the CA itself, you can click Edit CA Trust and edit the trust settings for the CA, as shown in a moment in Figure F-10.
Figure F-10. The Edit CA certificate trust settings screen.
The other tab on this screen that will have a lot of activity is the Authorities tab, shown in Figure F-9. The Authorities tab shows the CAs from whom you have accepted certificates. As with the other tabs, you can view, edit, import, or delete certificates and tweak the column display.
Figure F-9. The Certificate Manager screen showing the Authorities tab.
While you can delete a CA from this list, be really sure that you won't have a need for the information again. Once you delete a CA, Firefox won't trust any certificates issued by that CA.
You may also want to edit a certificate's trust settings to tell Firefox what you trust the CA to certify. Highlight the certificate and click Edit. The Edit CA certificate trust settings screen appears, as shown in Figure F-10. (You can also see this screen if you click Edit CA Trust on the Edit Website Certificate Trust Settings screen, shown earlier in Figure F-8.)
Although the default is for CAs to have authority to identify websites, mail users, and software makers, you may feel less confident about the authority and can specify that you trust the CA's certificates for websites and software makers, but not for mail users. Click OK to save any edits.
Manage Security Devices
The final selection for the Certificates option is for managing security devices. You can have a security device to store certificates and passwords as well as to encrypt and decrypt information. Click Manage Security Devices to display the Device Manager, as shown in Figure F-11.
Figure F-11. The Device Manager screen.
The Device Manager lets you identify security devices: any hardware and/or software device that stores information about you and your identity and that uses certificates and private keys to verify access. The security devices that the Device Manager can work with must also use the Public Key Cryptography Standard #11 (similar to the PKCS12 standard for certificate files). Smart cards are the most common type of security device, but there are many others for specialized applications.
Figure F-11 shows the standard Firefox PKCS#11 module. You can think of modules as security device software drivers that tell Firefox how to interact with a security device. The NSS Internal FIPS module is a general module used for general security device data encryption and decryption and is a place for any software security device certificates.
Any security device you install will have its own software. When the device has been installed, you'll need to install the module in Firefox so that Firefox can communicate with it. Click Load to display the Load PKCS#11 Device screen, shown in Figure F-12.
Figure F-12. The Load PKCS#11 Device screen.
Browse for the module file, and then click OK to install it. When the installation is complete, the module appears in the list of security devices. You can remove a module from the list by highlighting the module and clicking Unload.
To further configure the security device, you'll probably need to log in to it through the Device Manager. Highlight the module or the device and click Log In, and then go through the login procedure. When you're done, be sure to click Log Out to prevent unauthorized access to the device.
By default, the standard modules in the Device Manager are already enabled for FIPS: Federal Information Processing Standards 140-1. FIPS is a U.S. government standard for data encryption and decryption. Many, but not all, security devices use FIPS. You can enable or disable FIPS for a module by highlighting the module and clicking Enable FIPS or Disable FIPS.