Skip to content
Create a system-wide NSS certificate database (https://wiki.mozilla.org/NSS) based on system-wide certificates (/etc/ssl/certs)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
ChangeLog
LICENSE
README
README.rst
nss-systemcerts-hook
nss-systemcerts-import

README

NSS-SystemCerts

This package provides a few shell utilities to merge the system-wide certificate store, available in /etc/ssl/certs/ca-certificates.crt, and a NSS-compatible store living in /etc/pki/nssdb (the default path of the system-wide library defined in NSS).

Background

NSS has a much wider set of features than the system-wide trusted certificates whitelist:

  • Trusting a certificate for various uses (server authentication, email signing, ...)
  • Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)

It can also work with both user-specific and system-wide databases.

  • The system-wide is expected to be in /etc/pki/nssdb
  • The user-specific db lives in $HOME/.pki/nssdb

Purpose

The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:

  • Initialization of the system-wide NSS database
  • Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
  • Listing differences between both databases.

nss-systemcerts-import

This tool creates a NSS database from the system-wide certificate store.

It accepts the following options:

  • -n, --dry-run: don't do anything, just print what would be performed
  • -s, --system-store: path to the system store (defaults to /etc/ssl/certs)
  • -d, --nss-db: path to the NSS database, as understood by NSS certutil tool. Defaults to /etc/pki/nssdb

nss-systemcerts-hook

This short script is a hook for update-ca-certificates, and should be symlinked to /etc/ca-certificates/update.d/.

LICENSE

This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.

Source code is available at https://github.com/rbarrois/nss-systemcerts.

You can’t perform that action at this time.