Ahh...I did it from my Vista workstation's Firefox profile which I knew had the 
roots module added.  Nssckbi.dll or libnssckbi.so or whatever it is on a Mac is 
a special PKCS#11 module that is read-only and contains the trust anchors.  By 
default with an NSS database, it's not added.  You can add it yourself to a new 
or existing db using modutil.

mbn ~ # mkdir nss
mbn ~ # cd nss/
mbn nss # nsscertutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
mbn nss # nssmodutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
mbn nss # nssmodutil -add roots -libfile /usr/lib64/nss/libnssckbi.so -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "roots" added to database.
mbn nss # nssmodutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. roots
        library name: /usr/lib64/nss/libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------
mbn nss # nsscertutil -L -d . -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Verisign/RSA Secure Server CA           CG,C,
Builtin Object Token:GTE CyberTrust Root CA                  CG,C,C
Builtin Object Token:GTE CyberTrust Global Root              CG,C,C
<snip> you get the point

(BTW, ignore the "nss" prepended to the beginning of all the commands, I filed 
a bug with Gentoo a while back to have the NSS command-line utils be built by 
default and they didn't want a binary called "digest" lying around among 
others so they prepend "nss" before all the commands.)

At this point you can follow my previous directions.  Sorry I didn't explicitly 
mention this piece earlier.

Good luck, 
Dave

-----Original Message-----
That doesn't give me the list of nicknames in the Builtin Object
Token, that just gives me the list of nicknames in the softtoken.  (I
doubt that nssckbi is supposed to include this...)

KyleMac:.netscape kyanha$ certutil -L -d . -h "Builtin Object Token"
[...]
StartCom Free Certificate Member's StartCom Ltd. ID          u,u,u
[...]

Notably, modutil -list gives me this:

-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

It does this regardless of whether I have libnssckbi.dylib (I'm on Mac
OS X Leopard 10.5.6) in the profile directory.  It also does this
regardless of whether I have all of Firefox.app/Contents/MacOS/*.dylib
in the profile directory.  And it especially does this even when I'm
in the profile directory.

The version of nss I'm using is @3.11.9 (net), provided by darwinports.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
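
An added example, not part of the original messages or of the NSS tools: a shell check that parses `modutil -list` output shaped like the listings above and reports whether any module exposes the Builtin Object Token, i.e. whether the read-only roots module is attached. The function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: `modutil -list` output after the roots module was added
# (shape taken from the listing in the thread above).
SAMPLE_WITH_ROOTS='
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. roots
        library name: /usr/lib64/nss/libnssckbi.so
         slots: 1 slot attached
        status: loaded
         slot: NSS Builtin Objects
        token: Builtin Object Token
'

# Print one line per module: name|library (or -)|comma-separated tokens
list_modules() {
    awk '
        function emit() {
            if (name != "") print name "|" (lib == "" ? "-" : lib) "|" tokens
            name = ""; lib = ""; tokens = ""
        }
        { sub(/[ \t\r]+$/, "") }   # drop trailing blanks and CRs
        /^[ \t]*[0-9]+\.[ \t]/ { emit(); sub(/^[ \t]*[0-9]+\.[ \t]+/, ""); name = $0; next }
        /^[ \t]*library name:/ { sub(/^[ \t]*library name:[ \t]*/, ""); lib = $0; next }
        /^[ \t]*token:/ { sub(/^[ \t]*token:[ \t]*/, ""); tokens = (tokens == "" ? $0 : tokens "," $0) }
        END { emit() }
    '
}

# Succeeds (exit 0) only if some module exposes the Builtin Object Token
has_builtin_roots() {
    list_modules | awk -F'|' '
        { n = split($3, t, ","); for (i = 1; i <= n; i++) if (t[i] == "Builtin Object Token") found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Usage against a real database (assumes modutil is on PATH):
#   modutil -list -dbdir . | has_builtin_roots || echo "roots module not attached"
```

Fed a listing that shows only the NSS Internal PKCS #11 Module, `has_builtin_roots` fails, which is the state in which `certutil -L` returns only softtoken nicknames.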
