Network Security Services
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Installation
Install nss, available in the official repositories.
Certificate management
Use the certutil utility provided with NSS to manage your certificates.
List certificate DB
To get a list of all certificates:
$ certutil -d sql:$HOME/.pki/nssdb -L
To get details about a certificate:
$ certutil -d sql:$HOME/.pki/nssdb -L -n certificate_nickname
Import certificate
To add a certificate, specify the -A option:
$ certutil -d sql:$HOME/.pki/nssdb -A -t "TRUSTARGS" -n certificate_nickname -i /path/to/cert/filename
The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas, for example: "TCu,Cu,Tuw". They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.
To add a personal certificate and private key for SSL client authentication use the command:
$ pk12util -d sql:$HOME/.pki/nssdb -i /path/to/PKCS12/cert/filename.p12
This will import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".
Edit certificate
Call certutil with the -M option to edit the certificate. For example, to edit the TRUSTARGS:
$ certutil -d sql:$HOME/.pki/nssdb -M -t "TRUSTARGS" -n certificate_nickname
Delete certificate
Use the -D option to remove the certificate:
$ certutil -d sql:$HOME/.pki/nssdb -D -n certificate_nickname
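The import, edit and delete steps above all take a TRUSTARGS string, and certutil will happily store a mistyped one (a lowercase "t", a stray space) as whatever flags it can parse. The following script is an added example, not part of this page or of NSS: it validates a TRUSTARGS string against the flag letters documented for certutil (p, P, c, C, T, u, w), refuses to import with a malformed string, and optionally replays the whole import/list/modify/delete workflow against throwaway databases in a temporary directory so nothing touches ~/.pki/nssdb. The nicknames, subject name and the --demo flag are constructed for the example; the workflow part assumes certutil is on PATH and is skipped otherwise.

```shell
#!/bin/sh
# Added example: guard certutil trust strings and exercise the page's
# certificate-management workflow on a disposable NSS database.

# valid_trustargs "TCu,Cu,Tuw"  -> returns 0 (well-formed)
# valid_trustargs "TCu,Cu"      -> returns 1 (only two categories)
# Each of the three comma-separated fields (SSL, email, object signing)
# may contain only the flag letters certutil documents: p P c C T u w.
# Empty fields are allowed and mean "no trust in that category".
valid_trustargs() {
    args=$1
    # need at least two commas ...
    case "$args" in
        *,*,*) ;;
        *) return 1 ;;
    esac
    # ... and not a third one
    tail=${args#*,}
    tail=${tail#*,}
    case "$tail" in
        *,*) return 1 ;;
    esac
    # any character that is neither a documented flag nor a comma is an error
    case "$args" in
        *[!pPcCTuw,]*) return 1 ;;
    esac
    return 0
}

# import_cert DBDIR NICKNAME TRUSTARGS PEMFILE
# Wraps "certutil -A" but refuses to run it with a malformed trust string.
import_cert() {
    if ! valid_trustargs "$3"; then
        echo "refusing import of '$2': malformed TRUSTARGS '$3'" >&2
        return 2
    fi
    certutil -d "sql:$1" -A -t "$3" -n "$2" -i "$4"
}

# Replays the page's workflow end to end on two temporary databases:
# create a self-signed throwaway CA in one, export it as PEM, import it
# into the other with explicit trust, list it, tighten the trust, delete it.
demo_workflow() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed; skipping workflow demo" >&2
        return 0
    fi
    work=$(mktemp -d)
    src="$work/src"; dst="$work/dst"
    mkdir "$src" "$dst"
    certutil -d "sql:$src" -N --empty-password        # fresh, unprotected DBs
    certutil -d "sql:$dst" -N --empty-password
    head -c 1024 /dev/urandom > "$work/noise"         # entropy for key generation
    # constructed self-signed CA so there is something to import
    certutil -d "sql:$src" -S -x -n throwaway-ca -s "CN=Throwaway Test CA" \
        -t "C,," -k rsa -g 2048 -z "$work/noise"
    certutil -d "sql:$src" -L -n throwaway-ca -a > "$work/ca.pem"   # PEM export
    import_cert "$dst" imported-ca "CT,C,C" "$work/ca.pem"          # trusted CA
    certutil -d "sql:$dst" -L                                         # list DB
    certutil -d "sql:$dst" -L -n imported-ca | grep -i 'trust'       # details
    certutil -d "sql:$dst" -M -n imported-ca -t "C,,"                 # SSL only
    certutil -d "sql:$dst" -D -n imported-ca                          # remove
    certutil -d "sql:$dst" -L                                         # now empty
    rm -rf "$work"
}

# Stand-alone run: show the validator on good and bad trust strings.
for t in "TCu,Cu,Tuw" "u,u,u" ",," "TCu,Cu" "tcu,cu,tuw" "TCu, Cu,Tuw"; do
    if valid_trustargs "$t"; then echo "ok   '$t'"; else echo "bad  '$t'"; fi
done
# Run "sh nss-trust.sh --demo" to also replay the certutil workflow.
if [ "${1:-}" = "--demo" ]; then demo_workflow; fi
```

Pass --demo to replay the certutil workflow; without it the script only checks the sample trust strings. Keeping the validation in front of certutil matters because trust flags are where a mistaken import does damage: "CT,C,C" makes the certificate a trusted CA for every SSL, email and object-signing decision NSS applications make, while "C,," limits that to SSL, and the validator at least guarantees the string you pass means what you intended.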
See also
- Network Security Services on mozilla.org.
- Using the Certificate Database Tool on mozilla.org.
- Certificate management on Chromium help.
- Managing Certificate Trust flags in NSS Database on Meena's blog.