This package provides a few shell utilities to merge the system-wide certificate store,
available in /etc/ssl/certs/ca-certificates.crt, and a NSS-compatible store living in
/etc/pki/nssdb (the default path of the system-wide library defined in NSS).
NSS has a much wider set of features than the system-wide trusted certificates whitelist:
- Trusting a certificate for various uses (server authentication, email signing, ...)
- Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)
It can also work with both user-specific and system-wide databases.
- The system-wide is expected to be in
/etc/pki/nssdb - The user-specific db lives in
$HOME/.pki/nssdb
The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:
- Initialization of the system-wide NSS database
- Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
- Listing differences between both databases.
This tool creates a NSS database from the system-wide certificate store.
It accepts the following options:
-n,--dry-run: don't do anything, just print what would be performed-s,--system-store: path to the system store (defaults to/etc/ssl/certs)-d,--nss-db: path to the NSS database, as understood by NSScertutiltool. Defaults to/etc/pki/nssdb
This short script is a hook for update-ca-certificates, and should be symlinked to /etc/ca-certificates/update.d/.
This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.
Source code is available at https://github.com/rbarrois/nss-systemcerts.