security/nss/lib/ckfw/builtins/README@b8a032363ba2 (annotated)
security/nss/lib/ckfw/builtins/README
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | This README file explains how to add a builtin root CA certificate to NSS |
| michael@0 | 2 | or remove a builtin root CA certificate from NSS. |
| michael@0 | 3 | |
| michael@0 | 4 | The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 |
| michael@0 | 5 | module. The sources to the nssckbi module are in this directory. |
| michael@0 | 6 | |
| michael@0 | 7 | I. Adding a Builtin Root CA Certificate |
| michael@0 | 8 | |
| michael@0 | 9 | You need to use the addbuiltin command-line tool to add a root CA certificate |
| michael@0 | 10 | to the nssckbi module. In the procedure described below, we assume that the |
| michael@0 | 11 | new root CA certificate is distributed in DER format in the file newroot.der. |
| michael@0 | 12 | |
| michael@0 | 13 | 1. Add the directory where the addbuiltin executable resides to your PATH |
| michael@0 | 14 | environment variable. Then, add the directory where the NSPR and NSS shared |
| michael@0 | 15 | libraries (DLLs) reside to the platform-specific environment variable that |
| michael@0 | 16 | specifies your shared library search path: LD_LIBRARY_PATH (most Unix |
| michael@0 | 17 | variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). |
| michael@0 | 18 | |
| michael@0 | 19 | 2. Copy newroot.der to this directory. |
| michael@0 | 20 | |
| michael@0 | 21 | 3. In this directory, run addbuiltin to add the new root certificate. The |
| michael@0 | 22 | argument to the -n option should be replaced by the nickname of the root |
| michael@0 | 23 | certificate. |
| michael@0 | 24 | |
| michael@0 | 25 | % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt |
| michael@0 | 26 | |
| michael@0 | 27 | 4. Edit nssckbi.h to bump the version of the module. |
| michael@0 | 28 | |
| michael@0 | 29 | 5. Run gmake in this directory to build the nssckbi module. |
| michael@0 | 30 | |
| michael@0 | 31 | 6. After you verify that the new nssckbi module is correct, check in |
| michael@0 | 32 | certdata.txt and nssckbi.h. |
| michael@0 | 33 | |
| michael@0 | 34 | II. Removing a Builtin Root CA Certificate |
| michael@0 | 35 | |
| michael@0 | 36 | 1. Change directory to this directory. |
| michael@0 | 37 | |
| michael@0 | 38 | 2. Edit certdata.txt and remove the root CA certificate. |
| michael@0 | 39 | |
| michael@0 | 40 | 3. Edit nssckbi.h to bump the version of the module. |
| michael@0 | 41 | |
| michael@0 | 42 | 4. Run gmake in this directory to build the nssckbi module. |
| michael@0 | 43 | |
| michael@0 | 44 | 5. After you verify that the new nssckbi module is correct, check in |
| michael@0 | 45 | certdata.txt and nssckbi.h. |
