Tuesday, February 15, 2011

How to add CA certificate to NSS Certificate DB

If you have created a Certificate Authority (see here), you probably want get rid of warnings the consumers shows to your users, e.g. email clients while accessing the mailbox. Here are few simple steps to add your local Certificate Authority to to NSS Certificate DB:
  1. Copy CA certificate to known certificates:
    cp cacert.pem /etc/ssl/certs
    chmod go+r /etc/ssl/certs/cacert.pem
  2. Let install a tools to manage NSS Certificate DB:
    apt-get install libnss3-tools
  3. The default location of NSSDB is in $HOME/.pki/nssdb. If you do not have one yet issue the following command to create (see more baout certutil here):
    mkdir -p .pki/nssdb ; certutil -N -d sql:.pki/nssdb
  4. Add CA certificate:
    certutil -d sql:.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL \
    -i /etc/ssl/certs/cacert.pem

Evolution email client

Nothing specific need to be done. It uses .pki/nssdb by default

Firefox/Iceweasel web browser

The idea here is to point existing nssdb files to one in .pki/nssdb:
cd .mozilla/firefox/your-profile/
rm cert9.db key4.db
ln -s ~/.pki/nssdb/key4.db .
ln -s ~/.pki/nssdb/cert9.db .

Thunderbird email client

Things you need to do are exactly the same as for firefox, with the only exception to change default directory to .thunderbird/your-profile instead.

Final Note

At this point you should be fine to see SSL content (web, mail, etc) without a security warning since your CA is trusted. Consider copy nss db to /etc/skel, so the new users will get it working automatically:
cp -r .pki /etc/skel
The first time a new user logging, the nssdb will be copied from skel directory and as result the user will get valid CA certificate. Read more here.

No comments :

Post a Comment