Is there a tool in NSS to validate a website certificate set?

2016-02-10 Thread Jonathan Wilson
OpenSSL has a s_client command that allows you to pull the certificates a web page sends and verify the chain of trust against whatever root CA store OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull the certificates a web page sends and validate them against the

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
Nicholas, Your root certificate needs to be trusted. Self-signed is fine, but you still need to trust it. It would either need to be present in your cert DB, with the proper trust flag, or you would need to dynamically set the trust on that root certificate using the API. You can use

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
As an aside, I would strongly advise you to use the first method - put the root CA in your cert DB, ahead of time, prior to starting your applications. Dynamically and blindly trusting a root CA, especially one received over a network, is asking for trouble and a big security no-no. You should

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Nicholas Mainardi
I'm quite sure that the certificate should be trusted. I forgot to write it, but I actually found it using certutil in the CERT DB provided by "roots cert" module: certutil -L -d DB_dir -h all | grep 'root_cn' Returns the certificate with trusted flags C,C,C. So I think it means it's already