Skip to content
Create a system-wide NSS certificate database ( based on system-wide certificates (/etc/ssl/certs)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



This package provides a few shell utilities to merge the system-wide certificate store, available in /etc/ssl/certs/ca-certificates.crt, and a NSS-compatible store living in /etc/pki/nssdb (the default path of the system-wide library defined in NSS).


NSS has a much wider set of features than the system-wide trusted certificates whitelist:

  • Trusting a certificate for various uses (server authentication, email signing, ...)
  • Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)

It can also work with both user-specific and system-wide databases.

  • The system-wide is expected to be in /etc/pki/nssdb
  • The user-specific db lives in $HOME/.pki/nssdb


The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:

  • Initialization of the system-wide NSS database
  • Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
  • Listing differences between both databases.


This tool creates a NSS database from the system-wide certificate store.

It accepts the following options:

  • -n, --dry-run: don't do anything, just print what would be performed
  • -s, --system-store: path to the system store (defaults to /etc/ssl/certs)
  • -d, --nss-db: path to the NSS database, as understood by NSS certutil tool. Defaults to /etc/pki/nssdb


This short script is a hook for update-ca-certificates, and should be symlinked to /etc/ca-certificates/update.d/.


This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.

Source code is available at

You can’t perform that action at this time.