
Enter Password or Pin for "NSS Certificate DB"

Open negbie opened this issue 7 years ago • 9 comments

Maybe it's worth giving users who have a Firefox master password a hint that they should enter it when they see "Enter Password or Pin for "NSS Certificate DB""

negbie avatar Aug 06 '18 10:08 negbie

@negbie Do you have an example of what this looks like to a user? Do they get a password prompt from certutil?

adamdecaf avatar Oct 02 '18 15:10 adamdecaf

On mac, it looks like this:

Using the local CA at "/Users/kelvin/Library/Application Support/mkcert" ✨
Enter Password or Pin for "NSS Certificate DB":

kelvinj avatar Dec 08 '18 08:12 kelvinj

@adamdecaf Yes, you get a password prompt, but I agree with @negbie, it is unclear which password is being asked for (until you google it and find this issue, that is :p).

A better phrasing would be "Enter your Firefox master password:". :)

NicolasCARPi avatar Jan 07 '19 11:01 NicolasCARPi

I agree it's unclear, but the prompt comes from NSS's certutil not mkcert. I'm not sure if that prompt can be changed.

adamdecaf avatar Jan 07 '19 17:01 adamdecaf

@adamdecaf Then maybe mkcert can write a message just before: "You will be asked for your Firefox's master password now".

NicolasCARPi avatar Jan 07 '19 17:01 NicolasCARPi

Good call - Does this PR look ok? https://github.com/FiloSottile/mkcert/pull/100

adamdecaf avatar Jan 07 '19 17:01 adamdecaf

@adamdecaf LGTM :+1:

NicolasCARPi avatar Jan 07 '19 18:01 NicolasCARPi

"The part in quotes is the name of the PK11 token. Otherwise, certutil doesn't know what's calling it."

https://searchfox.org/mozilla-central/source/security/nss/cmd/lib/secutil.c#234

We might be relying on the name that firefox/chrome sets instead of an option we can change.

adamdecaf avatar Jan 07 '19 23:01 adamdecaf

Sorry for this necropost. Just want to mention that, in my case, the default password was an empty string and

certutil -N -d ~/.pki/nssdb

allowed me to create a new password. Your actual directory might be different from mine.

cpicanco avatar Feb 13 '22 00:02 cpicanco
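
An added example, not part of the thread and not mkcert's own code: a shell helper that lists the NSS databases under a home directory in the form certutil's `-d` option takes, and prints a hint before a password prompt would appear. The function names are hypothetical, and the Firefox profile locations are assumed defaults for Linux and macOS; `~/.pki/nssdb` is the directory mentioned above.

```shell
#!/bin/sh
# Added example: locate NSS certificate databases so it is clear which
# database a certutil "NSS Certificate DB" password prompt refers to.

# Print one certutil -d argument per database found under a home directory.
# cert9.db is the SQLite format (sql: prefix), cert8.db the legacy format (dbm:).
find_nss_dbs() {
    home=${1:-$HOME}
    # Assumed locations: the shared per-user DB from the thread, then the
    # default Firefox profile directories on Linux and on macOS.
    for dir in "$home/.pki/nssdb" \
               "$home"/.mozilla/firefox/* \
               "$home/Library/Application Support/Firefox/Profiles"/*; do
        [ -d "$dir" ] || continue      # also skips globs that matched nothing
        if [ -f "$dir/cert9.db" ]; then
            printf 'sql:%s\n' "$dir"
        elif [ -f "$dir/cert8.db" ]; then
            printf 'dbm:%s\n' "$dir"
        fi
    done
}

# Print a hint for each database before any tool calls certutil on it.
nss_password_hint() {
    find_nss_dbs "$1" | while IFS= read -r db; do
        printf '%s\n' "$db: if certutil prints 'Enter Password or Pin for \"NSS Certificate DB\"', it wants the password of this database (for a Firefox profile, the Firefox master password)."
    done
}

# Usage: nss_password_hint "$HOME"
```
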