On 11/09/2016 06:03 PM, Bruce Dubbs wrote:

Ken, sorry for the short answer earlier. I was at work and didn't want to leave you hanging. The following answer to Bruce's question answers your question more completely as well.

> I have no /etc/pki or ~/.pki directories, but I do have /etc/pkcs11/ with only pkcs11.conf.example.

I don't know where that came from. /etc/pki/nssdb must be created by certutil. Mine was created by the script I posted the other day in a temp directory, hence the wrong path. Create a blank NSS DB with the following commands:

# install -vdm755 /etc/pki/nssdb
# certutil -N -d sql:/etc/pki/nssdb

To import a CA's root certificate into that database, which is a supplemental database since we keep internal (see below), run the following command:

# certutil -d sql:/etc/pki/nssdb -A -t "C,C,C" -n "friendly name" -i rootca.pem

That imports the certificate "rootca.pem" with the name of "friendly name" and trusts it for all three types: SSL/TLS, S/MIME, and code signing.

> I do have libnssckbi.so but I don't see where FF loads it. I also looked at the nss source. Can you point out where the certs are in that tarball?

libnssckbi.so is the internal library. I'm not entirely positive, but I think it's libsoftoken3 that actually drags it in. If you want to see the certificates that are included, create a symlink to libnssckbi.so in /etc/pki/nssdb (or any other blank db directory), and run the following command:

$ certutil -L -d sql:/etc/pki/nssdb/ -h 'Builtin Object Token'

The output is just the friendly name and the trust bits. The trust bits are in order SSL/TLS, S/MIME, code signing. C is trusted, p is explicitly distrusted, and blank is not used/trusted for that type. For purposes of OpenSSL/GnuTLS, we are only concerned with a C in the first field.

The certificates included there are taken directly from certdata.txt in the NSS source (same path as it is for download):
nss-3.27.1/nss/lib/ckfw/builtins/certdata.txt

That is dragged directly into libnssckbi.so using a perl script in the same directory:

$ perl certdata.perl < certdata.txt > certdata.c

Anyway, thanks for asking. Fresh eyes help. I needed a quick break from staring at that script. Almost done with it now. :-)

--DJ
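As an added illustration of the trust-bit output described above (example code, not from the original message), this parses a `certutil -L` listing and picks out which roots carry a C in the first field, i.e. the ones that matter for an OpenSSL/GnuTLS bundle, and which carry a p (explicit distrust). The listing is a constructed sample, not real certutil output, and the assumption is that each entry line ends in the three comma-separated trust fields.

```python
import re

# Constructed sample of `certutil -L -h 'Builtin Object Token'` output
# (made up for this example, not a real listing).
SAMPLE_LISTING = """\
Certificate Nickname                                     Trust Attributes
                                                         SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA                     C,C,C
Builtin Object Token:Example Email-Only CA               ,C,
Builtin Object Token:Example Distrusted CA               p,p,p
Builtin Object Token:Example TLS-Only CA                 CT,,
"""

# Entry lines end in three comma-separated trust fields (SSL/TLS, S/MIME,
# code signing), each of which may be empty. Header and blank lines do not
# match because they contain spaces or a slash in that position.
TRUST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_listing(text):
    """Return {nickname: (ssl, smime, codesign)} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if not m:
            continue  # header, separator or blank line
        entries[m.group("name").strip()] = tuple(m.group("trust").split(","))
    return entries


def tls_trusted(entries):
    """Nicknames usable as TLS trust anchors: a C in the first (SSL) field."""
    return sorted(n for n, (ssl, _, _) in entries.items() if "C" in ssl)


def tls_distrusted(entries):
    """Nicknames explicitly distrusted for TLS: a p in the first field."""
    return sorted(n for n, (ssl, _, _) in entries.items() if "p" in ssl)


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("TLS trusted:", tls_trusted(found))
    print("TLS distrusted:", tls_distrusted(found))
```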
