private key store in firefox


I just ordered a code-signing cert from Comodo using FF. One thing about the process concerns me–where is the private key stored while I await the verification and generation of my cert?

I was told by tech support that once the cert is issued, I will be able to export a PKCS#12 cert/key bundle from FF. However, where is the private key during this time?. I am hoping it was not sent to Comodo.

I think much of the process could be easier if we were able to just send CSRs. In our case, we have a PKI that manages our keys and ensures that sigining ops occur within a secured environment. Just the fact that I had to generate the pvt key on a Windows desktop machine makes me a little nervous, but now I’m wondering if the key was sent over the wire and is stored on a foreign server!

If someone would explain the details of the FF-based process it could be a big relief.




Usually the code signing certificate will be applied and collected through your browser only, it may be IE or Firefox.But it is not like SSL in which you will send the CSR and get your certificate issued based on that.

When you signup for the code signing certificate the private key is generate and stored in your browser, after your order is issued you can collect your certificate.

Once you have successfully collected your certificate then you can export your certificate with private key to a pfx(pkcs12) format.

please follow the below procedure to export your certificate from Firefox.
Firefox–>Tools–>Option–>Advanced–>Encryption–>View certificates–>Select your certificate–>Select “Backup”–>Save the file.

Please follow the below link to extract your spc and pvk files from pfx file.

Let me know if you have any further queries.

Thank you for your reply but it doesn’t answer my question. I am aware of the procedure for FF. What I am concerned about is where the key is stored while awaiting the certificate and, more importantly, if that key ever leaves my machine in the FF case. I know it does not in the IE case. My question is strictly for FF.

To re-state the exact information I need: In the codesigning certificate provisioning procedure via Firefox, 1) is the private key ever transmitted from the machine running Firefox and 2) if not, how can I access the key during the certificate-generation period (between request and fulfillment) to verify the answer to 1)?

Thank you.


  1. No
  2. It is not possible to access your private key after the signup process even the key is generated, it is possible only after you have collected your certificate. After certificate collection you can export your certificate along with the private key.


When using the Browsers enrollment process, a security provider is used to generate a new key, and only the public key will be sent to the CA. The private key is stored locally in the browsers profile, however Firefox has no GUI to view such “incomplete” certificates (aka csr). It is stored on the filesystem so you need to ecure your machine.

See also: Network Security Services (NSS) — Firefox Source Docs documentation