1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/security/nss/lib/ckfw/builtins/README Wed Dec 31 06:09:35 2014 +0100 1.3 
@@ -0,0 +1,45 @@ 1.4 +This README file explains how to add a builtin root CA certificate to NSS 1.5 +or remove a builtin root CA certificate from NSS. 1.6 + 1.7 +The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 1.8 +module. The sources to the nssckbi module are in this directory. 1.9 + 1.10 +I. Adding a Builtin Root CA Certificate 1.11 + 1.12 +You need to use the addbuiltin command-line tool to add a root CA certificate 1.13 +to the nssckbi module. In the procedure described below, we assume that the 1.14 +new root CA certificate is distributed in DER format in the file newroot.der. 1.15 + 1.16 +1. Add the directory where the addbuiltin executable resides to your PATH 1.17 +environment variable. Then, add the directory where the NSPR and NSS shared 1.18 +libraries (DLLs) reside to the platform-specific environment variable that 1.19 +specifies your shared library search path: LD_LIBRARY_PATH (most Unix 1.20 +variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). 1.21 + 1.22 +2. Copy newroot.der to this directory. 1.23 + 1.24 +3. In this directory, run addbuiltin to add the new root certificate. The 1.25 +argument to the -n option should be replaced by the nickname of the root 1.26 +certificate. 1.27 + 1.28 + % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt 1.29 + 1.30 +4. Edit nssckbi.h to bump the version of the module. 1.31 + 1.32 +5. Run gmake in this directory to build the nssckbi module. 1.33 + 1.34 +6. After you verify that the new nssckbi module is correct, check in 1.35 +certdata.txt and nssckbi.h. 1.36 + 1.37 +II. Removing a Builtin Root CA Certificate 1.38 + 1.39 +1. Change directory to this directory. 1.40 + 1.41 +2. Edit certdata.txt and remove the root CA certificate. 1.42 + 1.43 +3. Edit nssckbi.h to bump the version of the module. 1.44 + 1.45 +4. Run gmake in this directory to build the nssckbi module. 1.46 + 1.47 +5. 
After you verify that the new nssckbi module is correct, check in 1.48 +certdata.txt and nssckbi.h.
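Review bot: step 6 of section I and step 5 of section II both say "After you verify that the new nssckbi module is correct" without saying what to check, so the only gate before check-in is undefined. Suggest naming the checks, for example that the entry appended to certdata.txt by step 3 is the intended certificate under the intended nickname, and that after a removal the root no longer appears in the rebuilt module. Section I also takes newroot.der on faith: a step before step 3 that compares the file's fingerprint with a value obtained from the CA through a separate channel would keep a wrong or tampered file from being appended with `>> certdata.txt`. Finally, `-t C,C,C` in step 3 is given without explanation; one sentence on what the three comma-separated trust fields mean, and on when a root should get fewer than all three, would help avoid granting a new root broader trust than intended.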