On Mon, 2016-07-18 at 11:42 -0400, Rob Crittenden wrote:
> That I'm not sure. Kai might know.

Since there were several open questions, we discussed that on IRC.

To summarize here: if you want to install a CA that should be trusted by all
applications on a system, you probably shouldn't install into /etc/pki/nssdb any

Instead, you should install to the proper directory below
and execute update-ca-trust (see the man page).

In addition, if you write an NSS application and you want it to trust (and
distrust) all the CAs that are installed globally on the system, then, after you
init NSS using the usual init APIs, you should execute a call to load the NSS
trust module, which is named libnssckbi.so

The call is 
SECMOD_AddNewModule("Builtins", DLL_PREFIX "nssckbi." DLL_SUFFIX, 0, 0); 

(the DLL_*FIX symbols are helpful when you need cross platform code)

An example is here: https://hg.mozilla.org/projects/nss/file/tip/cmd/tstclnt/tst

Note that the libnssckbi.so in the LD search path is a symbolic link, which on
modern systems points to the replacement module from p11-kit-trust.rpm, which
will dynamically give you the trust information that's managed as explained in
the update-ca-trust manual page.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to