Confirmed users, Administrators
5,526
edits
CA:FAQ: Difference between revisions
Added section about importing roots into NSS
m (clarification) |
(Added section about importing roots into NSS) |
||
| Line 135: | Line 135: | ||
* [https://www.imperialviolet.org/2012/01/30/mozillaroots.html Why Trust Bits Matter] | * [https://www.imperialviolet.org/2012/01/30/mozillaroots.html Why Trust Bits Matter] | ||
* [https://github.com/agl/extract-nss-root-certs Extracting roots and their trust bits] | * [https://github.com/agl/extract-nss-root-certs Extracting roots and their trust bits] | ||
=== How do I import a root cert into NSS on our organization's internal servers? === | |||
* '''--DRAFT--''' This section is in draft form, and being discussed in mozilla.dev.security.policy | |||
In some organizations administrators need to configure additional trusted CAs or override the trust settings of CAs on a system wide level, as required by local system environments or corporate deployments. For example, some organizations have their own in-house CA, and need to automate importing their root certificate(s) into NSS on their internal servers. | |||
Here are some resources about this. | |||
* Installing Certificates for Firefox | |||
** [http://mike.kaply.com/2015/02/10/installing-certificates-into-firefox/ Add any root certificate] | |||
** [https://addons.mozilla.org/en-us/firefox/addon/cacert-root-certificate/ Add CACert root only] | |||
* Adding Certificates to NSS for other applications | |||
** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil certutil] -- a command-line utility that can be used to list, generate, modify, or delete certificates in the NSS root store. | |||
*** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools#Tools_Information NSS Tools] | |||
*** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Sources_Building_Testing Getting and building NSS] | |||
** For systems with Fedora and RHEL (6.5 and newer) see the manual page for update-ca-trust (man update-ca-trust) | |||
** For systems with Ubuntu/Debian see the manual page for update-ca-certificates | |||
* [https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto Discussion forum] where you can ask questions and get answers from others who have done this | |||