On Sunday, September 13, 2020 at 3:00:21 PM UTC-7, Graham Leggett wrote:
> Hi all, 
> In a script, I need to know what the “best” certificate is in the NSS 
> database for a given host. 
> The “best” certificate is 
> - A valid certificate by all the usual definitions of valid; and 
> - Matches the hostname provided either by using the subject or the 
> subjectAltName (with optional wildcards); and 
> - (to break ties) Has the longest validity. 
> From what I can see certutil can’t do this. Is there an alternative tool I 
> should be using? 
> If no tool exists, is there a corresponding API call in the NSS API that will 
> return a certificate (or certificates) as per the definition above? If so I 
> can put together a patch. 
> Regards, 
> Graham 
> —

Hi Graham,

As you saw, there's no good mechanism for this via certutil. Honestly, the 
logic for the legacy verifier that would accomplish this is somewhat lacking, 
as well. 

There's a meta-bug for someday reworking the tools to use mozilla::pkix, which 
would accomplish what you're looking for, Bug 1648172. The significant lift 
here though would be reworking the relevant tool to compile in C++, needed for 

If you're interested in contributing that rework, we'd love to work with you on 
it. But nevertheless, mozilla::pkix, in the lib/mozpkix dir, is the right way
to approach this problem.
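The selection rule from the question (valid right now, name matches via subject CN or subjectAltName with a wildcard only as the whole left-most label, longest validity period breaks ties), written out as an added example; it is not code from this thread or from NSS. `CertInfo`, the `chain_valid` flag and the sample `DB` are constructed stand-ins for the fields a script would read out of the NSS database and for the result of a chain check such as `certutil -V`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CertInfo:
    # Fields a script would extract from one NSS certificate entry (assumed shape).
    nickname: str
    subject_cn: str
    sans: list            # dNSName entries from subjectAltName, may be empty
    not_before: datetime
    not_after: datetime
    chain_valid: bool     # stand-in for a chain/trust check (e.g. certutil -V result)

def name_matches(pattern: str, host: str) -> bool:
    """Match a cert name against a hostname; wildcard only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse "*.com"-style patterns
    if "*" in pattern:
        return False            # partial wildcards ("f*o.example.com") are rejected
    return p == h

def cert_matches_host(cert: CertInfo, host: str) -> bool:
    # Once a SAN extension is present, the subject CN is not consulted.
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(name_matches(n, host) for n in names)

def best_certificate(certs, host, now=None):
    """Valid now, trusted, matches host; ties broken by the longest validity period."""
    now = now or datetime.now(timezone.utc)
    ok = [c for c in certs
          if c.chain_valid and c.not_before <= now <= c.not_after
          and cert_matches_host(c, host)]
    if not ok:
        return None
    return max(ok, key=lambda c: c.not_after - c.not_before)

# Constructed sample database (not real certificates).
T0 = datetime(2020, 9, 1, tzinfo=timezone.utc)
DB = [
    CertInfo("old", "www.example.com", [], T0 - timedelta(days=800), T0 - timedelta(days=30), True),
    CertInfo("wild", "example.com", ["*.example.com"], T0 - timedelta(days=10), T0 + timedelta(days=355), True),
    CertInfo("exact", "www.example.com", ["www.example.com", "example.com"], T0 - timedelta(days=10), T0 + timedelta(days=720), True),
    CertInfo("selfsign", "www.example.com", ["www.example.com"], T0 - timedelta(days=10), T0 + timedelta(days=3000), False),
]
```

`best_certificate(DB, "www.example.com", now=T0)` picks `exact` (longest validity among the trusted, in-date matches), `api.example.com` falls through to `wild`, and `deep.sub.example.com` matches nothing because the wildcard does not span two labels.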
