Network Security Services

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.

Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

NSS is required by many packages, including, for example, Chromium and Firefox.

Installation

Install the nss package.

Usage

Use certutil utility provided with NSS to manage your certificates.

List certificate DB

To get list of all certificates:

$ certutil -d sql:$HOME/.pki/nssdb -L

To get details about certificate:

$ certutil -d sql:$HOME/.pki/nssdb -L -n certificate_nickname

Generate an RSA private key

 
$ certutil -G -d database_directory -g keysize -n nickname

Generate a certificate signing request

 
$ certutil -S -s subject -n nickname -x -t C,C,C -o file

Generate a self-signed certificate

 
$ certutil -S -s subject -n nickname -x -t C,C,C -o file

Import certificate

To add a certificate specify the -A option:

$ certutil -d sql:$HOME/.pki/nssdb -A -t "TRUSTARGS" -n certificate_nickname -i /path/to/cert/filename

The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas, for example: "TCu,Cu,Tuw". They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil documentation or Meena's blog post on trust flags.

To add a personal certificate and private key for SSL client authentication use the command:

$ pk12util -d sql:$HOME/.pki/nssdb -i /path/to/PKCS12/cert/filename.p12

This will import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".

Edit certificate

Call certutil with -M option to edit the certificate. For example, to edit the TRUSTARGS:

$ certutil -d sql:$HOME/.pki/nssdb -M -t "TRUSTARGS" -n certificate_nickname

Delete certificate

Use -D option to remove the certificate:

$ certutil -d sql:$HOME/.pki/nssdb -D -n certificate_nickname

Adding a trusted CA certificate

chromium, firefox, thunderbird, evolution, and seamonkey use NSS to retrieve trusted CA certificates.

The nss has integrated , which will automatically install all certificates using system-wide. However, if you prefer to distribute "pure" NSS, you can install the certificates into your own browser profile.

certutil -d database -A -i myCA.cert -n "Honest Achmed's CA" -t C,,

chromium and evolution use a "shared" database located in .

For firefox, thunderbird, and seamonkey, make a browser-specific configuration file directory (e.g. ).

gollark: I will install PHP on your brain.
gollark: And the establishment doesn't want you to know this, but the brackets are optional.
gollark: Global variables are mostly the enemy.
gollark: `local api = require "test"`
gollark: Don't think so, sorry.

See also
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.