Skip to content

rbarrois/nss-systemcerts

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

NSS-SystemCerts

This package provides a few shell utilities to merge the system-wide certificate store, available in /etc/ssl/certs/ca-certificates.crt, and a NSS-compatible store living in /etc/pki/nssdb (the default path of the system-wide library defined in NSS).

Background

NSS has a much wider set of features than the system-wide trusted certificates whitelist:

  • Trusting a certificate for various uses (server authentication, email signing, ...)
  • Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)

It can also work with both user-specific and system-wide databases.

  • The system-wide is expected to be in /etc/pki/nssdb
  • The user-specific db lives in $HOME/.pki/nssdb

Purpose

The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:

  • Initialization of the system-wide NSS database
  • Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
  • Listing differences between both databases.

nss-systemcerts-import

This tool creates a NSS database from the system-wide certificate store.

It accepts the following options:

  • -n, --dry-run: don't do anything, just print what would be performed
  • -s, --system-store: path to the system store (defaults to /etc/ssl/certs)
  • -d, --nss-db: path to the NSS database, as understood by NSS certutil tool. Defaults to /etc/pki/nssdb

nss-systemcerts-hook

This short script is a hook for update-ca-certificates, and should be symlinked to /etc/ca-certificates/update.d/.

LICENSE

This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.

Source code is available at https://github.com/rbarrois/nss-systemcerts.

About

Create a system-wide NSS certificate database (https://wiki.mozilla.org/NSS) based on system-wide certificates (/etc/ssl/certs)

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages