This package provides a few shell utilities to merge the system-wide certificate store,
available in /etc/ssl/certs/ca-certificates.crt
, and a NSS-compatible store living in
/etc/pki/nssdb
(the default path of the system-wide library defined in NSS).
NSS has a much wider set of features than the system-wide trusted certificates whitelist:
- Trusting a certificate for various uses (server authentication, email signing, ...)
- Distrusting a certificate trusted by another source (e.g user database removing system-wide defaults)
It can also work with both user-specific and system-wide databases.
- The system-wide is expected to be in
/etc/pki/nssdb
- The user-specific db lives in
$HOME/.pki/nssdb
The system-wide NSS database has no relation with the system-wide certificate store. This tool tries to bridge that gap, by permitting:
- Initialization of the system-wide NSS database
- Updating the system-wide NSS database whenever a new certificate is added to the system-wide store
- Listing differences between both databases.
This tool creates a NSS database from the system-wide certificate store.
It accepts the following options:
-n
,--dry-run
: don't do anything, just print what would be performed-s
,--system-store
: path to the system store (defaults to/etc/ssl/certs
)-d
,--nss-db
: path to the NSS database, as understood by NSScertutil
tool. Defaults to/etc/pki/nssdb
This short script is a hook for update-ca-certificates
, and should be symlinked to /etc/ca-certificates/update.d/
.
This software is distributes under the MIT license. A copy is included in the package. It was originally written by Raphaël Barrois.
Source code is available at https://github.com/rbarrois/nss-systemcerts.