curl-library

Re: NSS, CURLOPT_CAINFO, and using the NSS CAs

From: David Shaw <dshaw_at_jabberwocky.com>
Date: Mon, 28 Jul 2014 11:56:46 -0400

On Jul 28, 2014, at 10:24 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
>> Hello,
>>
>> A good while back I had some code that needed to use the NSS CAs only (and
>> not the PEM ca-bundle file). I did this by symlinking libnssckbi.so into
>> my nssdb (so NSS would have the CA certs),
>
> I am not sure how this is supposed to work. Is it documented anywhere?

It's mentioned here: http://curl.haxx.se/docs/sslcerts.html

Certainly a "certutil -d /etc/pki/nssdb -L -h all" does show all the CAs with the symlink in place, and shows nothing without the symlink in place.

I also tried "modutil -dbdir /etc/pki/nssdb -add ca_certs -libfile /usr/lib64/libnssckbi.so", which had the same result (certutil shows all the CAs, and removing that module makes certutil show nothing), but it similarly didn't work when done through curl.

Is there an alternate way to give NSS a set of CAs without importing each one specifically?

David

Received on 2014-07-28