security/nss/lib/ckfw/builtins/README@6474c204b198 (annotated)
security/nss/lib/ckfw/builtins/README
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | This README file explains how to add a builtin root CA certificate to NSS |
| michael@0 | 2 | or remove a builtin root CA certificate from NSS. |
| michael@0 | 3 | |
| michael@0 | 4 | The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 |
| michael@0 | 5 | module. The sources to the nssckbi module are in this directory. |
| michael@0 | 6 | |
| michael@0 | 7 | I. Adding a Builtin Root CA Certificate |
| michael@0 | 8 | |
| michael@0 | 9 | You need to use the addbuiltin command-line tool to add a root CA certificate |
| michael@0 | 10 | to the nssckbi module. In the procedure described below, we assume that the |
| michael@0 | 11 | new root CA certificate is distributed in DER format in the file newroot.der. |
| michael@0 | 12 | |
| michael@0 | 13 | 1. Add the directory where the addbuiltin executable resides to your PATH |
| michael@0 | 14 | environment variable. Then, add the directory where the NSPR and NSS shared |
| michael@0 | 15 | libraries (DLLs) reside to the platform-specific environment variable that |
| michael@0 | 16 | specifies your shared library search path: LD_LIBRARY_PATH (most Unix |
| michael@0 | 17 | variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). |
| michael@0 | 18 | |
| michael@0 | 19 | 2. Copy newroot.der to this directory. |
| michael@0 | 20 | |
| michael@0 | 21 | 3. In this directory, run addbuiltin to add the new root certificate. The |
| michael@0 | 22 | argument to the -n option should be replaced by the nickname of the root |
| michael@0 | 23 | certificate. |
| michael@0 | 24 | |
| michael@0 | 25 | % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt |
| michael@0 | 26 | |
| michael@0 | 27 | 4. Edit nssckbi.h to bump the version of the module. |
| michael@0 | 28 | |
| michael@0 | 29 | 5. Run gmake in this directory to build the nssckbi module. |
| michael@0 | 30 | |
| michael@0 | 31 | 6. After you verify that the new nssckbi module is correct, check in |
| michael@0 | 32 | certdata.txt and nssckbi.h. |
| michael@0 | 33 | |
| michael@0 | 34 | II. Removing a Builtin Root CA Certificate |
| michael@0 | 35 | |
| michael@0 | 36 | 1. Change directory to this directory. |
| michael@0 | 37 | |
| michael@0 | 38 | 2. Edit certdata.txt and remove the root CA certificate. |
| michael@0 | 39 | |
| michael@0 | 40 | 3. Edit nssckbi.h to bump the version of the module. |
| michael@0 | 41 | |
| michael@0 | 42 | 4. Run gmake in this directory to build the nssckbi module. |
| michael@0 | 43 | |
| michael@0 | 44 | 5. After you verify that the new nssckbi module is correct, check in |
| michael@0 | 45 | certdata.txt and nssckbi.h. |
