I have tried this several different ways but with no success. I am using the binary linux distribution found here:
http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_RTM/Linux2.4_x86_glibc_PTH_OPT.OBJ/nss-3.9.tar.gz
On a Fedora Core 1 box I did this:
First I installed the tar file to /usr/share:
/usr/share/nss-3.9/(bin/lib/include)
----
# Setup the root CA
# to be done as the admin of the CA
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
CADB=/home/arcamax/config/nss-ca
CU="$NSS/bin/certutil -d $CADB -f $CADB/capass"
mkdir -p $CADB
chmod 700 $CADB
/home/arcamax/bin/mkpass > $CADB/capass
chmod 400 $CADB/capass
# Creating the CA database
$CU -N
# Creating the root CA certificate
$CU -S -s "CN=arcamax.com nss root CA, O=arcamax.com" -n "amirootca" -t ",,C" -v 120 -x -1 -2 -5
0 - Digital Signature ...
Other to finish
5
0 - Digital Signature ...
Other to finish
9
Is this a critical extension [y/n]?
y
Is this a CA certificate [y/n]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
3
Is this a critical extension [y/n]?
y
0 - SSL Client ...
Other to finish
7
0 - SSL Client ...
Other to finish
9
Is this a critical extension [y/n]?
y
# extract the root CA cert file
$CU -L -n "amirootca" -a -o /home/arcamax/config/amirootca.cacert
chmod 644 /home/arcamax/config/amirootca.cacert
----
----
# Setup a Users Signing Database and Generate a CSR
# This must be done as the individual user.
# The csr.txt file will be created in the current directory.
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
SIGNDB=$HOME/nss-sign
CU="$NSS/bin/certutil -d $SIGNDB -f $SIGNDB/signpass"
mkdir -p $SIGNDB
chmod 700 $SIGNDB
/home/arcamax/bin/mkpass > $SIGNDB/signpass
chmod 400 $SIGNDB/signpass
# Create the signing database
$CU -N
# Add the root CA .cacert to the signing db
$CU -A -n "amirootca" -t ",,C" -i /home/arcamax/config/amirootca.cacert
# Generate the CSR
$CU -R -o csr.txt -a -s "CN=$USER oject signing cert, O=arcamax.com" -v 100
----
----
# Issuing a Signing Certificate from a CSR
# to be done as the admin of the CA
# The csr.txt must be in the current directory.
# A resulting cert.txt file will be created.
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
CADB=/home/arcamax/config/nss-ca
CU="$NSS/bin/certutil -d $CADB -f $CADB/capass"
$CU -C -c "arcamax.com" -i csr.txt -a -o cert.txt -1 -2 -5
----
This is where it dies. Top shows 95% CPU usage. I let it run for about 10 minutes on an otherwise idle 466MHz Celeron with 512MB RAM. I finally did control C to kill it.
I also tried the procedure on a RedHat 7.3 box. There it seg faults immediately at the same point in the procedure. In both cases a zero length cert.txt file has been created.
I also attempted to compile from source on the RedHat 7.3 box. I did not find instructions on how to do this. I found this page:
http://www.mozilla.org/projects/security/pki/nss/buildnss_31.html
but it did not work when I tried to translate the version numbers to 3.9.
I tried to download and compile the source tar ball. Again I did not find much in the way of an install procedure. I muddled through running ./configure where it seemed to be needed and then 'make'. I finally got to this error:
gcc -o Linux2.4_x86_glibc_PTH_DBG.OBJ/quickder.o -c -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DXP_UNIX -DDEBUG -UNDEBUG -DDEBUG_bryan -D_REENTRANT -I../../../../dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/include -I../../../../dist/public/nss -I../../../../dist/private/nss -I../../../../dist/public/dbm quickder.c
In file included from quickder.c:40:
secasn1.h:45:21: plarena.h: No such file or directory
A find shows this:
[EMAIL PROTECTED] nss-3.9]$ find . -name plarena.h
./mozilla/nsprpub/lib/ds/plarena.h
./mozilla/nsprpub/dist/include/nspr/plarena.h
At this point I am stumped.
BTW: As I work on this I am developing a document of what needs to be done. I can make this available if there is interest.
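An added example, not part of the original post and not NSS project code: certutil's -c option identifies the issuing CA by its nickname in the database, so this pre-flight check confirms that a nickname is present in a "certutil -L" listing before certutil -C is run. The listing below is a constructed sample, and list_nicknames, issuer_present and check_issuer are hypothetical helper names; the two values checked are the ones the post passes to -n and -c.

```shell
#!/bin/sh
# Pre-flight check for "certutil -C -c <issuer>": make sure the issuer
# nickname exists in the CA database before any signing is attempted.

# Constructed sample of "certutil -L" output for the CA database in the post
# (one certificate, nickname "amirootca", trust ",,C"); not from a real run.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

amirootca                                   ,,C'

# list_nicknames: read a certificate listing on stdin, print one nickname
# per line. A certificate line ends with a trust field of the form "x,y,z"
# (letters only); header and blank lines do not, so they are skipped.
# Nicknames may contain spaces, so only the trailing trust field is removed.
list_nicknames() {
    sed -n 's/^\(.*[^[:space:]]\)[[:space:]]\{1,\}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$/\1/p'
}

# issuer_present NICK: succeed only if NICK matches a listed nickname exactly
# (fixed string, whole line, so "." in a nickname is not a wildcard).
issuer_present() {
    list_nicknames | grep -Fxq -- "$1"
}

# check_issuer NICK LISTING: print a verdict; return 0 if found, 1 if missing.
check_issuer() {
    if printf '%s\n' "$2" | issuer_present "$1"; then
        echo "ok: issuer nickname '$1' is in the database"
    else
        echo "missing: no certificate with nickname '$1'; not running certutil -C" >&2
        return 1
    fi
}

# Demo with the two values from the post: the nickname given to -n when the
# root CA was created, and the value given to -c when signing the CSR.
check_issuer "amirootca" "$SAMPLE_LISTING"
check_issuer "arcamax.com" "$SAMPLE_LISTING" || true

# Against a live database the listing would come from certutil itself:
#   "$NSS/bin/certutil" -d "$CADB" -L | issuer_present "amirootca"
```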
