Jani Jaakkola wrote:
Am I correct, if I assume that I (still) cannot manage firefox builtin certificate list without patching and recompiling the whole thing, since the certificate list is compiled into libnss for some unknown reason?

If this is so, is there some reason for this?

I don't know what the capabilities and limitations of firefox's certificate management UI are, or whether it even has such a UI.

NSS provides APIs for applications to manage trust of root certs.
There's no need to recompile anything to do what you want to accomplish,
although recompiling is an option, and may suit your needs (whatever
they are).

NSS provides a "built-in" list of CA certs in a single small shared
library that may be compiled separately from the rest of mozilla.
There's no need to pull browser source to recompile it.

I am system administrator here at University of Helsinki, and I want to install our CA-certificate to the trusted list on our Linux-network.

(and yes, I know how to manage per user certificate lists)

Unless ALL your users are going to use mozilla-based browsers and email programs exclusively, I'd suggest you make your root CA cert available as a download, so that ALL browser/email users can download and trust it.

Oh, if you're going to make your own root CA, be VERY VERY sure you
don't ever re-use cert serial numbers.  Even (especially!) if you
reissue your root CA cert, don't reuse the serial number.
If you're using OpenSSL to issue your certs, you may have to pay
attention to the serial numbers being generated to avoid this.

- Jan

_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
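
One way to audit for the serial-number reuse warned about in the message above, as an added example that is not part of the original message: it parses OpenSSL `ca` database files (`index.txt`) and reports serials that appear more than once. The sample databases, file labels and subject names are constructed, and all files are assumed to belong to one issuer.

```python
from collections import defaultdict

# Constructed sample data: two OpenSSL "ca" databases (index.txt), as they might
# look before and after a CA directory was re-created and its serial counter
# restarted. Tab-separated fields: status, expiry, revocation date,
# serial (hex), filename, subject DN.
OLD_INDEX = (
    "V\t260101000000Z\t\t01\tunknown\t/O=Example University/CN=ldap.example.edu\n"
    "V\t260101000000Z\t\t02\tunknown\t/O=Example University/CN=www.example.edu\n"
    "R\t260101000000Z\t250301000000Z\t03\tunknown\t/O=Example University/CN=mail.example.edu\n"
)
NEW_INDEX = (
    "V\t270101000000Z\t\t01\tunknown\t/O=Example University/CN=intranet.example.edu\n"
    "V\t270101000000Z\t\t0A\tunknown\t/O=Example University/CN=vpn.example.edu\n"
)


def parse_index(text, source):
    """Yield (serial_int, source, status, expiry, subject) per database line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"{source}:{lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, _revoked, serial_hex, _fname, subject = fields
        # Compare serials as integers so "01", "1" and "0001" are the same value.
        yield int(serial_hex, 16), source, status, expiry, subject


def find_reused_serials(indexes):
    """Return {serial: [entries]} for serials issued more than once.

    `indexes` maps a label to index.txt contents; every file is assumed to
    belong to the same issuer name (an assumption of this example).
    """
    seen = defaultdict(list)
    for source, text in indexes.items():
        for serial, *entry in parse_index(text, source):
            seen[serial].append(tuple(entry))
    return {s: e for s, e in seen.items() if len(e) > 1}


if __name__ == "__main__":
    dbs = {"old-ca/index.txt": OLD_INDEX, "new-ca/index.txt": NEW_INDEX}
    for serial, entries in sorted(find_reused_serials(dbs).items()):
        print(f"serial {serial:X} issued {len(entries)} times:")
        for src, status, expiry, subject in entries:
            print(f"  {src}: {status} expires {expiry} {subject}")
```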