Create a system-wide NSS certificate database (https://wiki.mozilla.org/NSS) based on system-wide certificates (/etc/ssl/certs)
Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
ChangeLog
LICENSE
README
README.rst
nss-systemcerts-hook
nss-systemcerts-import

README.rst

NSS-SystemCerts

This package provides a few shell utilities to merge the system-wide certificate store, available in /etc/ssl/certs/ca-certificates.crt, and a NSS-compatible store living in /etc/pki/nssdb (the default path of the system-wide library defined in NSS).

Background

NSS has a much wider set of features than the system-wide trusted certificates whitelist:

  • Trusting a certificate for various uses (server authentication, email signing, ...)
  • Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)

It can also work with both user-specific and system-wide databases.

  • The system-wide is expected to be in /etc/pki/nssdb
  • The user-specific db lives in $HOME/.pki/nssdb

Purpose

The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:

  • Initialization of the system-wide NSS database
  • Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
  • Listing differences between both databases.

nss-systemcerts-import

This tool creates a NSS database from the system-wide certificate store.

It accepts the following options:

  • -n, --dry-run: don't do anything, just print what would be performed
  • -s, --system-store: path to the system store (defaults to /etc/ssl/certs)
  • -d, --nss-db: path to the NSS database, as understood by NSS certutil tool. Defaults to /etc/pki/nssdb

nss-systemcerts-hook

This short script is a hook for update-ca-certificates, and should be symlinked to /etc/ca-certificates/update.d/.

LICENSE

This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.

Source code is available at https://github.com/rbarrois/nss-systemcerts.