I found the answer.
In order to store the Root CA cert or Interm CA cert in the Firefox cert
store under the "Authorities" tab, two P11 objects are needed for each
cert during PKCS#11 initialization: a Trusted Object and a Certificate
Object.

For example, a Trusted Object should have the following attributes set
(values may vary):
============================
# Trust for Certificate "Go Daddy Class 2 CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Go Daddy Class 2 CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\047\226\272\346\077\030\001\342\167\046\033\240\327\167\160\002
\217\040\356\344
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\221\336\006\045\253\332\375\062\027\014\273\045\027\052\204\147
END
CKA_ISSUER MULTILINE_OCTAL
\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
\157\162\151\164\171
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

============================

And the Certificate object should have:

=============================
#
# Certificate "Go Daddy Class 2 CA"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Go Daddy Class 2 CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
\157\162\151\164\171
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
\157\162\151\164\171
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\000\060\202\002\350\240\003\002\001\002\002\001\000....
......
\105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
\177\333\275\237
END

# Trust for Certificate "Go Daddy Class 2 CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Go Daddy Class 2 CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\047\226\272\346\077\030\001\342\167\046\033\240\327\167\160\002
\217\040\356\344
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\221\336\006\045\253\332\375\062\027\014\273\045\027\052\204\147
END
CKA_ISSUER MULTILINE_OCTAL
\060\143\061\013\060\011\006\003\125\004\006\023\002.....
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
=============================

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
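
Added example, not part of the original post or of NSS: a small checker for listings in the format shown above. It confirms that each CKO_NETSCAPE_TRUST object has a CKO_CERTIFICATE object with the same CKA_ISSUER and CKA_SERIAL_NUMBER, and that its SHA-1/MD5 hash attributes match the digest of that certificate's CKA_VALUE. The function names and the sample data (placeholder bytes, not a real certificate) are constructed for illustration.

```python
import hashlib
import re
from itertools import takewhile

def parse_certdata(text):
    """Parse attribute listings in the format shown above into dicts."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("CKA_"):
            continue  # comments, separators, blank lines
        value = parts[2].strip().strip('"') if len(parts) > 2 else ""
        if parts[1] == "MULTILINE_OCTAL":  # rows of \ooo escapes up to END
            rows = takewhile(lambda r: r.strip() != "END", lines)
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "\n".join(rows)))
        if parts[0] == "CKA_CLASS":
            objects.append({})  # CKA_CLASS opens a new object
        if objects:
            objects[-1][parts[0]] = value
    return objects

def check_trust_pairs(objects):
    """List problems per trust object: no matching cert, or hash mismatch."""
    certs = {(o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER")): o
             for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    problems = []
    for t in (o for o in objects if o.get("CKA_CLASS") == "CKO_NETSCAPE_TRUST"):
        label = t.get("CKA_LABEL", "?")
        cert = certs.get((t.get("CKA_ISSUER"), t.get("CKA_SERIAL_NUMBER")))
        if cert is None:
            problems.append(f"{label}: no certificate with same issuer/serial")
            continue
        for attr, algo in (("CKA_CERT_SHA1_HASH", "sha1"), ("CKA_CERT_MD5_HASH", "md5")):
            if t.get(attr) != hashlib.new(algo, cert.get("CKA_VALUE", b"")).digest():
                problems.append(f"{label}: {attr} does not match CKA_VALUE")
    return problems

def octal_attr(name, data):
    """Render one MULTILINE_OCTAL attribute (helper for the constructed sample)."""
    return f"{name} MULTILINE_OCTAL\n" + "".join(f"\\{b:03o}" for b in data) + "\nEND\n"

def build_sample(value, hashed):
    """Constructed cert + trust pair; `value` is placeholder bytes, not real DER."""
    ident = octal_attr("CKA_ISSUER", b"constructed") + octal_attr("CKA_SERIAL_NUMBER", b"\x02\x01\x00")
    trust = "".join(octal_attr(f"CKA_CERT_{a.upper()}_HASH", hashlib.new(a, hashed).digest())
                    for a in ("sha1", "md5"))
    return ("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" + ident + octal_attr("CKA_VALUE", value)
            + 'CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\nCKA_LABEL UTF8 "Sample CA"\n'
            + ident + trust)
```

`check_trust_pairs(parse_certdata(text))` returns an empty list when every trust object is consistent with its certificate; the listing in the post cannot be checked this way as quoted, because its CKA_VALUE is elided.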
