On Wed, Nov 09, 2016 at 12:27:41PM -0600, DJ Lucas wrote:
> > 
> > There seems to be some confusion about what we currently have.
> > Unfortunately, what we have now (and had previously) has no effect on
> > FF/SM/TB/Chromium (or anything else using NSS instead of OpenSSL). They
> > all use the built-ins in NSS's libnssckbi.so and their own local copy of
> > additional certificates unless told to use something else (ie: the
> > proposed shared nssdb in /etc/pki/nssdb). Which reminds me, the script I
> > posted yesterday is not a complete solution.
> > 
I'm certainly in the confused camp - I had no idea the in-use certs
were hardcoded into a library.  So, no objections, and I don't want
to distract you from your proposed working solution, but -
> 
> Okay, so how to make it work. I tested by making my own CA and importing the
> root cert. Here are the necessary changes in addition to the HOWTO links.
> 
> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat /etc/pki/nssdb/pkcs11.txt
> library=libnsssysinit.so
> name=NSS Internal PKCS #11 Module
> parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
> NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
> 
> Changes are (noted by asterisks) library=*libnsssysinit.so*,
> configdir=`sql:*/etc/pki/nssdb*' and Flags=internal,*moduleDBOnly,*critical
> 

I don't have /etc/pki/nssdb/pkcs11.txt.
> 
> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat ~/.pki/nssdb/pkcs11.txt

But I do have the equivalent ~/.pki/nssdb/pkcs11.txt on my desktop
systems.

Where did your /etc/ version come from?

ĸen
-- 
`I shall take my mountains', said Lu-Tze. `The climate will be good
for them.'     -- Small Gods
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
