michael@0: This README file explains how to add a builtin root CA certificate to NSS michael@0: or remove a builtin root CA certificate from NSS. michael@0: michael@0: The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 michael@0: module. The sources to the nssckbi module are in this directory. michael@0: michael@0: I. Adding a Builtin Root CA Certificate michael@0: michael@0: You need to use the addbuiltin command-line tool to add a root CA certificate michael@0: to the nssckbi module. In the procedure described below, we assume that the michael@0: new root CA certificate is distributed in DER format in the file newroot.der. michael@0: michael@0: 1. Add the directory where the addbuiltin executable resides to your PATH michael@0: environment variable. Then, add the directory where the NSPR and NSS shared michael@0: libraries (DLLs) reside to the platform-specific environment variable that michael@0: specifies your shared library search path: LD_LIBRARY_PATH (most Unix michael@0: variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). michael@0: michael@0: 2. Copy newroot.der to this directory. michael@0: michael@0: 3. In this directory, run addbuiltin to add the new root certificate. The michael@0: argument to the -n option should be replaced by the nickname of the root michael@0: certificate. michael@0: michael@0: % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt michael@0: michael@0: 4. Edit nssckbi.h to bump the version of the module. michael@0: michael@0: 5. Run gmake in this directory to build the nssckbi module. michael@0: michael@0: 6. After you verify that the new nssckbi module is correct, check in michael@0: certdata.txt and nssckbi.h. michael@0: michael@0: II. Removing a Builtin Root CA Certificate michael@0: michael@0: 1. Change directory to this directory. michael@0: michael@0: 2. Edit certdata.txt and remove the root CA certificate. michael@0: michael@0: 3. Edit nssckbi.h to bump the version of the module. michael@0: michael@0: 4. Run gmake in this directory to build the nssckbi module. michael@0: michael@0: 5. After you verify that the new nssckbi module is correct, check in michael@0: certdata.txt and nssckbi.h.