----- Original Message -----
> ...
> Looks like somehow firefox has created a NSS DB for me with all
> these (root certs) plus all the ones I've added - which sounds
> a lot like what we're after? Just need to figure out where it's
> started from with the initial DB... some code archeology is in
> order I think.
Hooboy, what a quagmire. Firstly, found some good Red Hat docs,
especially around certificate requests (from our earlier mail):
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/7.3/html/Administration_Guide/Administration_Guide-Managing_Certificates-Requesting_and_Receiving_Certificates.html
Links to that will probably be the best bet, I think, and little
detail beyond the certutil basics.
Back to the NSS databases. It's starting to look like we should
be removing any pcp-specific paths / databases, and make use of
/etc/pki/nssdb and $HOME/.pki/nssdb for servers and clients. It
also looks like we should encourage (enforce?) the use of sqlite
nss databases to aid us in sharing them (the separate $HOME and
system DBs I'd envisaged before are not really where it seems the
NSS/Mozilla folks are headed).
Some related links, discussing Firefox and Chrome, particularly
at the end, and their use of shared NSS databases:
https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX
https://wiki.mozilla.org/NSS_Shared_DB_Howto
https://bugzilla.redhat.com/show_bug.cgi?id=546221
https://bugzilla.mozilla.org/show_bug.cgi?id=620373
https://bugzilla.mozilla.org/show_bug.cgi?id=449498
http://code.google.com/p/chromium/wiki/LinuxCertManagement
My earlier question around how firefox is finding the root certs:
looks like it's via libnsssysinit.so (in /etc/pki/nssdb/pkcs11.txt
on my local rhel6 machine). And the certutil root cert list I'd
found and wondered about in the last mail looks like it's a merged
database, old (dbm) format.
Also found nss-gui (RHEL/Fedora), which is a simple c++ xulrunner
application front-end (standalone), that provides the same UI for
managing NSS databases as firefox itself (it's XUL, so literally
it's the same code AIUI) - e.g. nss-gui --dbdir sql:/etc/pki/nssdb
and hey-presto it's listing all the root certs even though certutil
reports that as an empty DB. A twisty maze. :)
Would also seem a good idea to fork/exec nss-gui rather than adding
any certificate management code at all into pmchart.
At this stage I am thinking we should switch to those two system
paths and remove any pcp-specific ones, and also enforce the sql:
prefix on the NSS_Init calls (since we don't have any back-compat
issues to worry about at this stage, we can insist on the current
NSS database format, which is merge-able).
Bleurgh. Apologies for the brain dump.
cheers.
--
Nathan
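An added example, not code from the PCP project, NSS or the mail above: a small Python inspector for an NSS database directory that does the two things the mail proposes. It forces the `sql:` prefix onto the configdir string that would be handed to NSS_Init (rejecting an explicit `dbm:`), classifies a directory by the files NSS writes for each format (cert9.db/key4.db/pkcs11.txt for sqlite, cert8.db/key3.db/secmod.db for dbm), and parses pkcs11.txt to see whether the database chains to libnsssysinit.so, which is how the mail found Firefox picking up the system roots. The function names are hypothetical, and the sample pkcs11.txt is constructed in the shape of the file the mail mentions; it is not copied from any real machine.

```python
"""Added example (not PCP, NSS or Mozilla code): inspect an NSS database
directory as the mail suggests PCP should, insisting on the sqlite ("sql:")
format and reading pkcs11.txt for the modules it loads."""
import os
import re
import tempfile

# File sets that identify the two on-disk NSS database formats.
SQLITE_FILES = ("cert9.db", "key4.db", "pkcs11.txt")
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")

# Constructed sample in the shape of /etc/pki/nssdb/pkcs11.txt (not a real file).
SAMPLE_PKCS11_TXT = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 Flags=internal,critical
"""

_PARAM_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S*))")


def enforce_sql_prefix(dbdir):
    """Return an NSS_Init-style configdir that always carries the sql: prefix.
    A bare path gets the prefix added; an explicit dbm: prefix is rejected,
    since the proposal is to insist on the merge-able sqlite format."""
    if dbdir.startswith("sql:"):
        return dbdir
    if dbdir.startswith("dbm:"):
        raise ValueError("dbm: databases not accepted; use sql:%s" % dbdir[4:])
    return "sql:" + dbdir


def detect_db_format(path):
    """Classify a database directory as 'sqlite', 'dbm', 'both' or 'empty'
    from the files present (a directory holding both is a merge candidate)."""
    present = set(os.listdir(path))
    sqlite = any(f in present for f in SQLITE_FILES)
    dbm = any(f in present for f in DBM_FILES)
    if sqlite and dbm:
        return "both"
    return "sqlite" if sqlite else ("dbm" if dbm else "empty")


def parse_pkcs11_txt(text):
    """Parse pkcs11.txt: blank-line separated blocks of key=value lines.
    The 'parameters' value is itself a list of key='value' pairs and is
    split into a dict; other values are kept as raw strings."""
    modules, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        if key == "parameters":
            value = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                     for m in _PARAM_RE.finditer(value)}
        current[key] = value
    if current:
        modules.append(current)
    return modules


def system_roots_via_sysinit(modules):
    """True when some module is libnsssysinit.so, i.e. system root certs
    arrive through the sysinit module rather than living in this DB."""
    return any(m.get("library", "").endswith("libnsssysinit.so") for m in modules)


def inspect_dbdir(path):
    """Summarise a database directory: its format, the configdir to pass to
    NSS_Init, and whether system roots come in via libnsssysinit.so."""
    fmt = detect_db_format(path)
    info = {"format": fmt, "configdir": enforce_sql_prefix(path), "sysinit": False}
    pkcs11 = os.path.join(path, "pkcs11.txt")
    if fmt in ("sqlite", "both") and os.path.exists(pkcs11):
        with open(pkcs11) as f:
            info["sysinit"] = system_roots_via_sysinit(parse_pkcs11_txt(f.read()))
    return info


def make_sample_dbdir():
    """Create a throwaway directory laid out like a sqlite NSS database
    (constructed for the example; the .db files are empty placeholders)."""
    d = tempfile.mkdtemp(prefix="nssdb-")
    for name in ("cert9.db", "key4.db"):
        open(os.path.join(d, name), "w").close()
    with open(os.path.join(d, "pkcs11.txt"), "w") as f:
        f.write(SAMPLE_PKCS11_TXT)
    return d


if __name__ == "__main__":
    print(inspect_dbdir(make_sample_dbdir()))
```

Pointing `inspect_dbdir` at a real `/etc/pki/nssdb` or `$HOME/.pki/nssdb` shows the case the mail ran into: a sqlite directory whose own cert9.db holds no certificates (so certutil reports it empty) yet whose pkcs11.txt names libnsssysinit.so, which is why nss-gui and Firefox still list the system roots.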