That would be a RFE:
FF and ESC are 2 different applications that use their own NSS database.
On Linux, ESC uses ~/.redhat/esc/<string>.<profile-name>/ for its NSS database path.
FF uses ~/.mozilla/firefox/<string>.<profile-name>/

Created attachment 439220 [details]
ESC portion of patch to address issue

Created attachment 439222 [details]
New ESC file for this issue.

Created attachment 439227 [details]
TPS portion of fix to issue.

Created attachment 439228 [details]
New TPS file for this issue.

Created attachment 439241 [details]
Makefile changes for TPS portion of fix.

Created attachment 439829 [details]
ESC Windows Installer fix for this issue.

This patch provides enhancement to the ESC Windows Installer to make it easier to change ESC's configuration parameters at install time through simple command line parameters.

The addressing if this issue will come in a two way approach:

1. Provide a relatively simple means by which the user of ESC can be given the chance to download and install the CA Certificate Trust Chain.

- TPS will support an optional URL value to be sent back to the client during it's phone home process. This URL will then allow the client to be passed through to the CA's facility to download and trust the CA Cert chain. The optional change to the file "/usr/lib/pki-tps/cgi-bin/home/index.cgi will look like as follows:

print "Content-type: text/xml\n\n";
print "<\?xml version=\"1.0\" encoding=\"UTF-8\"\?>";
print "<ServiceInfo>";
print "<IssuerName>";
print "Fedora Project";   # Vendor
print "</IssuerName>\n";
print "<Services>";
print "<Operation>";
print "http://test.host.com:7888/nk_service";
print "</Operation>";
print "<UI>";
print "http://test.host.com:7888/cgi-bin/home/enroll.cgi";
print "</UI>";
print "<EnrolledTokenBrowserURL>";
print "http://www.fedora.redhat.com";   # Company URL
print "</EnrolledTokenBrowserURL>";
print "<EnrolledTokenURL>";
print "</EnrolledTokenURL>";
print "<TokenType>";
print "userKey";
print "</TokenType>";
#print "<CAChainUI>";
#print "http://test.host.com:7888/cgi-bin/home/cachain.cgi";
#print "</CAChainUI>";
print "</Services>";
print "</ServiceInfo>";

The commented out lines above can be activated so the latest ESC can obtain the URL and make use of it. Note the http port must be used or ESC can not even get to the new URL.

- A new cgi perl script called "cachain.cgi" will be there to actually make sure the client gets access to the CA's servlet that downloads and trusts the cert chain.

2. The esc client already supports the following preference:

esc.global.alt.nss.db=<path to another db to trust>

- This allows the user of ESC to take advantage to all the cert trust relationships already contained in this alternate NSS database. This has already been used in the field.

- The simple improvement here is that now the Windwos ESC installer will support a means to accept custom command line switches as follows:

./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db

- Note that this command line switch can be used multiple times with different values to set other ESC perferences.

- The end result is once ESC is intalled on the Windows system, the file "esc/defaults/preferences/esc-prefs.js will have the desired values set as requested by the command line parameters discussed above.

- Usage Example:

./SmartCardManagerSetup-1.1.0-11.win32.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=fals

attachment 439220 [details]
attachment 439222 [details]
attachment 439227 [details]
attachment 439228 [details]
attachment 439241 [details]
attachment 439829 [details] +mharmsen

Checkins ESC:

Checking in setup.iss;
/cvs/dirsec/esc/win32/setup.iss,v  <--  setup.iss
new revision: 1.16; previous revision: 1.15
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.

Checking in src/app/xul/esc/chrome/content/esc/ESC.js;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/ESC.js,v  <--  ESC.js
new revision: 1.33; previous revision: 1.32
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in src/app/xul/esc/chrome/locale/en-US/esc.dtd;
/cvs/dirsec/esc/src/app/xul/esc/chrome/locale/en-US/esc.dtd,v  <--  esc.dtd
new revision: 1.8; previous revision: 1.7
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in src/app/xul/esc/defaults/preferences/esc-prefs.js;
/cvs/dirsec/esc/src/app/xul/esc/defaults/preferences/esc-prefs.js,v  <--  esc-pr
efs.js
new revision: 1.8; previous revision: 1.7
done
Running syncmail...
Checking in getcachain.xul;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/getcachain.xul,v  <--  getcac
hain.xul
initial revision: 1.1
done
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.

Checkins: TPS:

Branch:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Adding         base/tps/forms/esc/cgi-bin/home/cachain.cgi
Sending        base/tps/forms/esc/cgi-bin/home/index.cgi
Transmitting file data ....
Committed revision 1234.

Trunk:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser." Makefile.am Makefile.in

Sending        Makefile.am
Sending        Makefile.in
Transmitting file data ..
Committed revision 1235.

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Adding         forms/esc/cgi-bin/home/cachain.cgi
Sending        forms/esc/cgi-bin/home/index.cgi
Transmitting file data ..
Committed revision 1236.

Feature can be tested with the next build of TPS and the next Windows build of ESC.

Tested case #1 in the comment 11 on a Win XP 32 machine with ESC-1.1.0-12. Burning a phone home url throws error "The file chrome://esc/content/getchain.xul cannot be found. Please check the location and try again".

Jack looked into the issue, the file is missing - need a ESC build respin with this fix.

Local respin confirmed the simple problem. Official bits on the way.

Latest build addresses this.

Tested with ESC-1.1.0-13 on a Win XP 64 bit machine.
-Configured /usr/lib/pki-tps/cgi-bin/home/index.cgi to include cachain.cgi, CA Certificate Trust Chain is download and can be trusted during phone home process.

-Tested esc-prefs.js file with esc.global.alt.nss.db=<path to another db to trust>, certificate trust is populated successfully in ESC.

-Tested ESC installation with command line switches, 
./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=false

This does not populate certificate and trust into ESC security database. 

Certificate and the trust is populated only when the path to nss db has forward slash like this:
./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:/common-nss-db

Verified that command line switch used multiple times with different
values sets the values correctly in esc/defaults/preferences/esc-prefs.js.

Marking the bug verified.