NSS: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
 
(9 intermediate revisions by the same user not shown)
Line 5: Line 5:
=Internal=
=Internal=


* [[Linux 7 Security#Subjects|Linux 7 Security]]
* [[Linux Security#Subjects|Linux Security]]


=Overview=
=Overview=
Line 24: Line 24:


=Create a New Certificate Database and Import Google's Certificate=
=Create a New Certificate Database and Import Google's Certificate=
==1. Create a New Directory==


Create the new directory that will become the home of the new certificate database:
Create the new directory that will become the home of the new certificate database:
Line 30: Line 32:
cd ~/tmp
cd ~/tmp
mkdir certs
mkdir certs
</pre>
==2. Initialize it as a Certificate Database==
<pre>
certutil -N -d ./certs
</pre>
The command will inquire for a password to encrypt the keys. If this database is used for public keys only, you can use an empty password:
<pre>
[root@oceanlab tmp]# certutil -N -d ./certs
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
</pre>
A certificate database consists in the following files with the following permissions:
<pre>
/root/tmp/certs
-rw------- 1 root root 65536 Jan 31 16:43 cert8.db
-rw------- 1 root root 16384 Jan 31 16:43 key3.db
-rw------- 1 root root 16384 Jan 31 16:43 secmod.db
</pre>
==3. Get a Root Certificate==
Get a root certificate and move it into <tt>certs</tt> directory:
<pre>
wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer .
mv ./GeoTrust_Global_CA.cer certs
</pre>
==4. Get Google's Certificate==
Get Google's certificate using the root certificate just downloaded:
<pre>
echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT
</pre>
The output of the command is similar to:
<pre>
[root@oceanlab tmp]# echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
DONE
</pre>
==5. Import Google Certificate into the Certificate Database==
<pre>
certutil -A -n "Google Internet Authority" -t "C,," -d ./certs -i ./GMAILCERT
</pre>
==6. Verify that the Certificate was Correctly Imported==
<pre>
certutil -L -d ./certs
</pre>
Output:
<pre>
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
Google Internet Authority                                    C,,
</pre>
</pre>

Latest revision as of 21:15, 1 March 2021

External

Internal

Overview

Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

Certificates

Location on Linux: /etc/pki/nssdb

certutil

certutil -L -d /etc/pki/nssdb

More certutil usage examples: http://serverfault.com/questions/498588/smtp-gmail-com-from-bash-gives-error-in-certificate-peers-certificate-issuer

Create a New Certificate Database and Import Google's Certificate

1. Create a New Directory

Create the new directory that will become the home of the new certificate database:

cd ~/tmp
mkdir certs

2. Initialize it as a Certificate Database

certutil -N -d ./certs

The command will inquire for a password to encrypt the keys. If this database is used for public keys only, you can use an empty password:

[root@oceanlab tmp]# certutil -N -d ./certs
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

A certificate database consists in the following files with the following permissions:

/root/tmp/certs

-rw------- 1 root root 65536 Jan 31 16:43 cert8.db
-rw------- 1 root root 16384 Jan 31 16:43 key3.db
-rw------- 1 root root 16384 Jan 31 16:43 secmod.db

3. Get a Root Certificate

Get a root certificate and move it into certs directory:

wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer .
mv ./GeoTrust_Global_CA.cer certs

4. Get Google's Certificate

Get Google's certificate using the root certificate just downloaded:

echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT

The output of the command is similar to:

[root@oceanlab tmp]# echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile ./certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
DONE

5. Import Google Certificate into the Certificate Database

certutil -A -n "Google Internet Authority" -t "C,," -d ./certs -i ./GMAILCERT 

6. Verify that the Certificate was Correctly Imported

certutil -L -d ./certs

Output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority                                    C,,