NSS:Root certs

NSS keeps the certs in libnssckbi.so up to date with (matching) Mozilla Foundation's list of approved CA certs.

The certs shown in the PSM Certificate Manager are actually all the certs stored in any of the PKCS#11 modules being used by the program. The certificate manager enumerates all those certs and shows them all.

NSS has two PKCS#11 modules that store certificates. libsoftokn3.so stores certs in a database file, which in the present versions of NSS is named <prefix>cert8.db (<prefix> is optional, and is chosen by the application). The only certs in that DB are ones put there by the user (admin).

libnssckbi.so stores certs right in the shared library file. They are obviously read-only and cannot be removed. Although the certs in libnssckbi are read-only, and cannot be removed, the user (admin) has the option to disable any of them. NSS stores a "trust flag" for each one in the cert8.db file. When the trust flag is disabled for a cert, this has basically the same effect as removing it. The cert is no longer able to verify other certs.

Solaris's PKCS#11 modules also have the ability to store certs.

The set of certs in libnssckbi is presently controlled by Mozilla Foundation. Mozilla Foundation approves new certificates for addition to the file as they are requested by the CAs, if and only if those CAs conform to Mozilla Foundation's policies for public root CAs. The contents of the root CA list is controlled by Mozilla's CA cert policy administrator, Mr. Gervase Markham <certificates@mozilla.org>.

You may read Mozilla Foundation's policy for root CA certificates at http://www.mozilla.org/projects/security/certs/policy/

You may see the list of currently outstanding requests for CA cert inclusion in mozilla's list, seen at http://www.mozilla.org/projects/security/certs/pending/ .

When Mozilla Foundation approves the addition of new certificates to the list, generally the next NSS release made after that contains the newly approved certs.