This package provides a few shell utilities to merge the system-wide certificate store,
/etc/ssl/certs/ca-certificates.crt, and an NSS-compatible store living in
/etc/pki/nssdb (the default path of the system-wide library defined in NSS).
NSS has a much wider set of features than the system-wide trusted certificates whitelist:
- Trusting a certificate for various uses (server authentication, email signing, ...)
- Distrusting a certificate trusted by another source (e.g. a user database removing system-wide defaults)
It can also work with both user-specific and system-wide databases.
- The system-wide db is expected to be in
- The user-specific db lives in
The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:
- Initialization of the system-wide NSS database
- Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
- Listing differences between both databases.
This tool creates an NSS database from the system-wide certificate store.
It accepts the following options:
- --dry-run: don't do anything, just print what would be performed
- --system-store: path to the system store (defaults to
- --nss-db: path to the NSS database, as understood by the NSS certutil tool. Defaults to
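
The following shell example is added here and is not the package's own code: it shows one way a dry run of such an import can be planned, splitting the bundle and printing one certutil -A command per distinct certificate. The function names, the "sys-" nickname scheme, the choice of the C,, trust flags and the sample bundle are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the package's code: dry-run plan for loading a PEM bundle
# into an NSS database. Function names and the "sys-" nicknames are assumptions.

# make_sample FILE: constructed bundle; bodies are placeholders, not real certificates.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
EOF
}

# split_bundle BUNDLE OUTDIR: write each certificate block to OUTDIR/cert-NNN.pem.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# nickname FILE: stable name derived from a hash of the block's base64 body.
nickname() {
    printf 'sys-%s' "$(grep -v '^-----' "$1" | tr -d ' \r\n' | sha256sum | cut -c1-16)"
}

# plan_import BUNDLE NSSDB WORKDIR: print one certutil command per distinct
# certificate, without touching the database. Trust flags "C,," mark a CA as
# trusted for TLS server authentication only (email and code signing left empty).
plan_import() {
    split_bundle "$1" "$3"
    seen=""
    for f in "$3"/cert-*.pem; do
        [ -e "$f" ] || continue                           # empty bundle
        nick=$(nickname "$f")
        case " $seen " in *" $nick "*) continue ;; esac   # duplicate entry in bundle
        seen="$seen $nick"
        printf 'certutil -A -d %s -n %s -t "C,," -i %s\n' "$2" "$nick" "$f"
    done
}
```

On a real system, pass /etc/ssl/certs/ca-certificates.crt as the bundle and review the printed commands before running any of them.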
This short script is a hook for
update-ca-certificates, and should be symlinked to
This software is distributed under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.
Source code is available at https://github.com/rbarrois/nss-systemcerts.