On Mon, 2016-07-18 at 11:42 -0400, Rob Crittenden wrote:
> That I'm not sure. Kai might know.

Since there were several open questions, we discussed that on IRC. To summarize here:

If you want to install a CA that should be trusted by all applications on a system, you probably shouldn't install into /etc/pki/nssdb any more. Instead, you should install to the proper directory below /etc/pki/ca-trust/source/ and execute update-ca-trust (see the man page).

In addition, if you write an NSS application and you want it to trust (and distrust) all the CAs that are installed globally on the system, then, after you init NSS using the usual init APIs, you should execute a call to load the NSS trust module, which is named libnssckbi.so. The call is

    SECMOD_AddNewModule("Builtins", DLL_PREFIX "nssckbi." DLL_SUFFIX, 0, 0);

(the DLL_*FIX symbols are helpful when you need cross-platform code). An example is here:
https://hg.mozilla.org/projects/nss/file/tip/cmd/tstclnt/tstclnt.c#l1312

Note that the libnssckbi.so in the LD search path is a symbolic link, which on modern systems points to the replacement module from p11-kit-trust.rpm, which will dynamically give you the trust information that's managed as explained in the update-ca-trust manual page.

Kai

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
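The system-wide installation step Kai describes (drop the CA into the ca-trust source tree, then run update-ca-trust), as an added example that is not part of the original mail and is not FreeIPA or NSS project code. It uses the documented "anchors" subdirectory of /etc/pki/ca-trust/source/. The helper names (install_trust_anchor, staged_anchor_count), the optional second argument that redirects the copy into another tree, and the decision to accept only PEM input are assumptions made for this example; with a non-default tree the script only stages the file and skips update-ca-trust, since that tool regenerates only the real /etc/pki/ca-trust.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): install one CA as a
# system-wide trust anchor by staging it in the ca-trust source tree and
# regenerating the consolidated stores with update-ca-trust.
#
# install_trust_anchor PEMFILE [CA_TRUST_ROOT]
#   CA_TRUST_ROOT defaults to /etc/pki/ca-trust, the real system tree.
#   Any other root is an assumption made for offline testing: the file is
#   staged under that tree and update-ca-trust is skipped, because
#   update-ca-trust only regenerates the real /etc/pki/ca-trust.
install_trust_anchor() {
    pem=$1
    root=${2:-/etc/pki/ca-trust}
    anchors="$root/source/anchors"

    # Refuse anything that is not a PEM certificate. update-ca-trust also
    # accepts DER in this directory, but this helper insists on PEM so a
    # stray key or random file is never dropped into the trust store.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null; then
        echo "install_trust_anchor: $pem is not a PEM certificate" >&2
        return 1
    fi
    # A private key must never land in a world-readable trust directory.
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "install_trust_anchor: $pem contains a private key, refusing" >&2
        return 1
    fi

    mkdir -p "$anchors" || return 1
    dest="$anchors/$(basename "$pem")"
    # 0644: every NSS, OpenSSL and GnuTLS consumer on the box must read it.
    cp "$pem" "$dest" && chmod 0644 "$dest" || return 1

    if [ "$root" = /etc/pki/ca-trust ]; then
        # Regenerates /etc/pki/ca-trust/extracted/* (PEM bundles, the OpenSSL
        # hashed directory) and the data p11-kit-trust hands to NSS through
        # the libnssckbi.so symlink mentioned in the mail.
        update-ca-trust || return 1
    else
        echo "staged under $anchors; update-ca-trust skipped for a non-system tree" >&2
    fi
}

# Number of PEM anchors currently staged, so a caller can confirm the copy
# landed before relying on the regenerated bundles.
staged_anchor_count() {
    root=${1:-/etc/pki/ca-trust}
    ls "$root/source/anchors"/*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh install_ca.sh /path/to/ca.pem      (as root, for the real tree)
if [ "$#" -gt 0 ]; then
    install_trust_anchor "$@"
fi
```

After a real run, confirm the anchor is visible to consumers with `trust list` (from p11-kit) and look for its label in the output; an NSS application will only see it if it loads the trust module with the SECMOD_AddNewModule call quoted in the mail, so a missing certificate in such an application usually means the module was never loaded rather than that the installation failed.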