diff --git a/config/hooks/certificates.chroot b/config/hooks/certificates.chroot
new file mode 100755
index 0000000..fb0c446
--- /dev/null
+++ b/config/hooks/certificates.chroot
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+dir=$(find /etc/skel/.mozilla/firefox/*/ -maxdepth 0 -type d)
+if [[ ! -d "$dir" ]]; then
+	echo "Not valid profiledir: $dir"
+	exit 1
+fi
+dpkg -L freepto-certificates | egrep '^/usr/share/ca-certificates/.*\.crt$' | while read crt; do
+	name=$(basename "$crt" .crt)
+	certutil -A -n "$name" -t TC,, -i "$crt" -d "$dir"
+done
+
diff --git a/config/includes.chroot/etc/skel/.mozilla/firefox/wgrlpdsn.paranoid/cert8.db b/config/includes.chroot/etc/skel/.mozilla/firefox/wgrlpdsn.paranoid/cert8.db
deleted file mode 100644
index 1a22290..0000000
Binary files a/config/includes.chroot/etc/skel/.mozilla/firefox/wgrlpdsn.paranoid/cert8.db and /dev/null differ
diff --git a/config/package-lists/tools.list.chroot b/config/package-lists/tools.list.chroot
index 5e5ab0a..a6deb7c 100644
--- a/config/package-lists/tools.list.chroot
+++ b/config/package-lists/tools.list.chroot
@@ -37,3 +37,6 @@ spice-vdagent
 # graphical tools
 lshw-gtk
 evince-gtk
+
+# security
+libnss3-tools