Difference between revisions of "Network Security Services"

From ArchWiki
(improve install link as recommended in Help:Style#Package management instructions)
 
(10 intermediate revisions by 8 users not shown)
Line 1: Line 1:
[[Category:Internet Applications]]
+
[[Category:Internet applications]]
== Introduction ==
+
[[ja:Network Security Services]]
 +
[[ru:Network Security Services]]
 +
'''Network Security Services (NSS)''' is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
  
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
+
Applications built with NSS can support [[Wikipedia:SSL|SSL]] v2 and v3, [[Wikipedia:TLS|TLS]], [[Wikipedia:PKCS|PKCS]] #5, #7, [[Wikipedia:PKCS 11|PKCS #11]], [[Wikipedia:PKCS 12|PKCS #12]], [[Wikipedia:S/MIME|S/MIME]], [[Wikipedia:X.509|X.509]] v3 certificates, and other security standards.
  
==Certificate management==
+
== Installation ==
===List===
+
 
For list all certificates:
+
[[Install]] {{Pkg|nss}}, available in the [[official repositories]].
  certutil -d sql:$HOME/.pki/nssdb -L
+
 
For list details of a certificate:
+
== Certificate management ==
  certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
+
 
===Add===
+
Use ''certutil'' utility provided with NSS to manage your certificates.
To add a certificate use:
+
 
  certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>
+
=== List certificate DB ===
The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.
+
 
 +
To get list of all certificates:
 +
  $ certutil -d sql:$HOME/.pki/nssdb -L
 +
 
 +
To get details about certificate:
 +
  $ certutil -d sql:$HOME/.pki/nssdb -L -n ''certificate_nickname''
 +
 
 +
=== Import certificate ===
 +
 
 +
To add a certificate specify the {{ic|-A}} option:
 +
  $ certutil -d sql:$HOME/.pki/nssdb -A -t "''TRUSTARGS''" -n ''certificate_nickname'' -i ''/path/to/cert/filename''
 +
 
 +
The {{ic|TRUSTARGS}} are three strings of zero or more alphabetic characters, separated by commas, for example: {{ic|"TCu,Cu,Tuw"}}. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the [http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193 certutil docs] or [https://blogs.oracle.com/meena/entry/notes_about_trust_flags Meena's blog post] on trust flags.
  
 
To add a personal certificate and private key for SSL client authentication use the command:
 
To add a personal certificate and private key for SSL client authentication use the command:
  pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
+
  $ pk12util -d sql:$HOME/.pki/nssdb -i ''/path/to/PKCS12/cert/filename.p12''
This will import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".
+
 
===Edit===
+
This will import a personal certificate and private key stored in a PKCS #12 file. The {{ic|TRUSTARGS}} of the personal certificate will be set to {{ic|"u,u,u"}}.
  certutil -d sql:$HOME/.pki/nssdb -M -t <TRUSTARGS> -n <certificate nickname>
+
 
===Delete===
+
=== Edit certificate ===
  certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>
+
 
==Links and References==
+
Call ''certutil'' with {{ic|-M}} option to edit the certificate. For example, to edit the {{ic|TRUSTARGS}}:
 +
  $ certutil -d sql:$HOME/.pki/nssdb -M -t "''TRUSTARGS''" -n ''certificate_nickname''
 +
 
 +
=== Delete certificate ===
 +
 
 +
Use {{ic|-D}} option to remove the certificate:
 +
  $ certutil -d sql:$HOME/.pki/nssdb -D -n ''certificate_nickname''
 +
 
 +
== See also ==
 +
 
 
* [http://www.mozilla.org/projects/security/pki/nss/ Network Security Services] on mozilla.org.
 
* [http://www.mozilla.org/projects/security/pki/nss/ Network Security Services] on mozilla.org.
 
* [http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193 Using the Certificate Database Tool] on mozilla.org.
 
* [http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193 Using the Certificate Database Tool] on mozilla.org.
 
* [http://code.google.com/p/chromium/wiki/LinuxCertManagement Certificate management] on Chromium help.
 
* [http://code.google.com/p/chromium/wiki/LinuxCertManagement Certificate management] on Chromium help.
* [http://blogs.sun.com/meena/entry/notes_about_trust_flags Managing Certificate Trust flags in NSS Database] on Meena's blog.
+
* [http://blogs.oracle.com/meena/entry/notes_about_trust_flags Managing Certificate Trust flags in NSS Database] on Meena's blog.
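Review bot: the added See also entry for Meena's blog uses http://blogs.oracle.com/meena/entry/notes_about_trust_flags, while the link added in the Import certificate paragraph points at the same post over https://; use the https form in both places. In that same paragraph the new example {{ic|"TCu,Cu,Tuw"}} is given without saying what it grants. Since C and T mark a certificate as a trusted CA, a few words noting that the example is for a CA certificate would keep readers from copying it verbatim when importing an ordinary server certificate.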

Latest revision as of 21:20, 13 December 2015

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.

Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

Installation

Install nss, available in the official repositories.

Certificate management

Use the certutil utility provided with NSS to manage your certificates.

List certificate DB

To list all certificates:

$ certutil -d sql:$HOME/.pki/nssdb -L

To show the details of a certificate:

$ certutil -d sql:$HOME/.pki/nssdb -L -n certificate_nickname

Import certificate

To add a certificate, specify the -A option:

$ certutil -d sql:$HOME/.pki/nssdb -A -t "TRUSTARGS" -n certificate_nickname -i /path/to/cert/filename

The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas, for example: "TCu,Cu,Tuw". They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.

To add a personal certificate and private key for SSL client authentication, use the command:

$ pk12util -d sql:$HOME/.pki/nssdb -i /path/to/PKCS12/cert/filename.p12

This will import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".
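
An added example (not part of the wiki page or of the NSS tools): a shell filter that reads certutil -L output and reports the entries whose TRUSTARGS contain C or T, the flags that mark a certificate as a trusted CA. The listing is constructed sample data, and the function names and reason labels are made up for this example.

```shell
#!/bin/sh
# Added example: report NSS database entries that carry CA-level trust.
# Input: the text printed by `certutil -d sql:$HOME/.pki/nssdb -L`.
# Output: nickname <TAB> TRUSTARGS <TAB> reasons, one line per flagged entry.
# C = trusted CA for server certificates, T = trusted CA for client auth.

ca_trusted_entries() {
    awk '
    # Data rows end in the trust triple "ssl,email,objsign"; the two header
    # rows do not match (no commas, or a "/" in "S/MIME").
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        trust = $NF
        nick = $0
        sub(/ +[^ ]+ *$/, "", nick)   # drop trust column, keep spaces in nickname
        split(trust, f, ",")
        why = ""
        if (f[1] ~ /C/)    why = why " ssl-server-ca"
        if (f[1] ~ /T/)    why = why " ssl-client-ca"
        if (f[2] ~ /[CT]/) why = why " email-ca"
        if (f[3] ~ /[CT]/) why = why " objsign-ca"
        if (why != "") {
            sub(/^ /, "", why)
            printf "%s\t%s\t%s\n", nick, trust, why
        }
    }'
}

# Constructed sample of `certutil -L` output (nicknames are hypothetical).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal Root CA                                     C,,
intranet.example.test                                        P,,
alice-client-cert                                            u,u,u
Imported Proxy CA                                            TCu,Cu,Tuw
EOF
}

sample_listing | ca_trusted_entries
```

Against a real database, pipe the output of certutil -d sql:$HOME/.pki/nssdb -L into ca_trusted_entries; an entry that should not be a trusted CA can then be inspected with -L -n and changed with -M or removed with -D.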

Edit certificate

Call certutil with the -M option to edit the certificate. For example, to edit the TRUSTARGS:

$ certutil -d sql:$HOME/.pki/nssdb -M -t "TRUSTARGS" -n certificate_nickname

Delete certificate

Use the -D option to remove the certificate:

$ certutil -d sql:$HOME/.pki/nssdb -D -n certificate_nickname

See also