Hi all,

In a script, I need to know what the “best” certificate is in the NSS database 
for a given host.

The “best” certificate is
- A valid certificate by all the usual definitions of valid; and
- Matches the hostname provided either by using the subject or the 
subjectAltName (with optional wildcards); and
- (to break ties) Has the longest validity.

From what I can see certutil can’t do this. Is there an alternative tool I 
should be using?

If no tool exists, is there a corresponding API call in the NSS API that will 
return a certificate (or certificates) as per the definition above? If so I can 
put together a patch.


dev-tech-crypto mailing list

Reply via email to