NSS: Difference between revisions
No edit summary |
No edit summary |
||
(14 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=Internal= | =Internal= | ||
* [[Linux | * [[Linux Security#Subjects|Linux Security]] | ||
=Overview= | =Overview= | ||
Line 11: | Line 11: | ||
Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. | Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. | ||
=Certificates= | |||
Location on Linux: /etc/pki/nssdb | |||
=certutil= | |||
<pre> | <pre> | ||
certutil -L -d /etc/pki/nssdb | certutil -L -d /etc/pki/nssdb | ||
</pre> | |||
More certutil usage examples: http://serverfault.com/questions/498588/smtp-gmail-com-from-bash-gives-error-in-certificate-peers-certificate-issuer | |||
=Create a New Certificate Database and Import Google's Certificate= | |||
==1. Create a New Directory== | |||
Create the new directory that will become the home of the new certificate database: | |||
<pre> | |||
cd ~/tmp | |||
mkdir certs | |||
</pre> | |||
==2. Initialize it as a Certificate Database== | |||
<pre> | |||
certutil -N -d ./certs | |||
</pre> | |||
The command will inquire for a password to encrypt the keys. If this database is used for public keys only, you can use an empty password: | |||
<pre> | |||
[root@oceanlab tmp]# certutil -N -d ./certs | |||
Enter a password which will be used to encrypt your keys. | |||
The password should be at least 8 characters long, | |||
and should contain at least one non-alphabetic character. | |||
Enter new password: | |||
Re-enter password: | |||
</pre> | |||
A certificate database consists in the following files with the following permissions: | |||
<pre> | |||
/root/tmp/certs | |||
-rw------- 1 root root 65536 Jan 31 16:43 cert8.db | |||
-rw------- 1 root root 16384 Jan 31 16:43 key3.db | |||
-rw------- 1 root root 16384 Jan 31 16:43 secmod.db | |||
</pre> | |||
==3. Get a Root Certificate== | |||
Get a root certificate and move it into <tt>certs</tt> directory: | |||
<pre> | |||
wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer . | |||
mv ./GeoTrust_Global_CA.cer certs | |||
</pre> | |||
==4. Get Google's Certificate== | |||
Get Google's certificate using the root certificate just downloaded: | |||
<pre> | |||
echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT | |||
</pre> | |||
The output of the command is similar to: | |||
<pre> | |||
[root@oceanlab tmp]# echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT | |||
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority | |||
verify return:1 | |||
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA | |||
verify return:1 | |||
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 | |||
verify return:1 | |||
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com | |||
verify return:1 | |||
DONE | |||
</pre> | |||
==5. Import Google Certificate into the Certificate Database== | |||
<pre> | |||
certutil -A -n "Google Internet Authority" -t "C,," -d ./certs -i ./GMAILCERT | |||
</pre> | |||
==6. Verify that the Certificate was Correctly Imported== | |||
<pre> | |||
certutil -L -d ./certs | |||
</pre> | |||
Output: | |||
<pre> | |||
Certificate Nickname Trust Attributes | |||
SSL,S/MIME,JAR/XPI | |||
Google Internet Authority C,, | |||
</pre> | </pre> |
Latest revision as of 21:15, 1 March 2021
External
Internal
Overview
Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.
Certificates
Location on Linux: /etc/pki/nssdb
certutil
certutil -L -d /etc/pki/nssdb
More certutil usage examples: http://serverfault.com/questions/498588/smtp-gmail-com-from-bash-gives-error-in-certificate-peers-certificate-issuer
Create a New Certificate Database and Import Google's Certificate
1. Create a New Directory
Create the new directory that will become the home of the new certificate database:
cd ~/tmp mkdir certs
2. Initialize it as a Certificate Database
certutil -N -d ./certs
The command will inquire for a password to encrypt the keys. If this database is used for public keys only, you can use an empty password:
[root@oceanlab tmp]# certutil -N -d ./certs Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: Re-enter password:
A certificate database consists in the following files with the following permissions:
/root/tmp/certs -rw------- 1 root root 65536 Jan 31 16:43 cert8.db -rw------- 1 root root 16384 Jan 31 16:43 key3.db -rw------- 1 root root 16384 Jan 31 16:43 secmod.db
3. Get a Root Certificate
Get a root certificate and move it into certs directory:
wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer . mv ./GeoTrust_Global_CA.cer certs
4. Get Google's Certificate
Get Google's certificate using the root certificate just downloaded:
echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT
The output of the command is similar to:
[root@oceanlab tmp]# echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com verify return:1 DONE
5. Import Google Certificate into the Certificate Database
certutil -A -n "Google Internet Authority" -t "C,," -d ./certs -i ./GMAILCERT
6. Verify that the Certificate was Correctly Imported
certutil -L -d ./certs
Output:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Google Internet Authority C,,