Dear Nelson,

Below is the problem in detail.

I am trying to extract the built-in root CA certificates in NSS to a certificate bag file (PEM format, dumped from libnssckbi.so). Using the above certificate bag file, I am trying to build a database during initialization which will contain all the built-in root CA certificates.

Extracting root CA to bag file, code snippet:

    cert_list = PK11_ListCertsInSlot(slot);
    for (cert_node = CERT_LIST_HEAD(cert_list);
         !CERT_LIST_END(cert_node, cert_list);
         cert_node = CERT_LIST_NEXT(cert_node)) {
        /* Base64-encode the DER bytes; only the certificate itself is written. */
        cert_b64 = BTOA_DataToAscii(cert_node->cert->derCert.data,
                                    cert_node->cert->derCert.len);
        if (cert_b64 == NULL)
            continue;   /* encoding failed, skip this certificate */
        fprintf(fp, "-----BEGIN CERTIFICATE-----\n");
        fprintf(fp, "%s\n", cert_b64);
        fprintf(fp, "-----END CERTIFICATE-----\n");   /* PEM footer: five dashes each side */
        PORT_Free(cert_b64);
    }
    CERT_DestroyCertList(cert_list);

Later I import the certificate using PK11_import certificate function. But the problem with the above approach is that when I try to view the certificate with certutil, it does not show me the trust flags (SSL, Object signing etc).

Without libnssckbi.so in the database directory:

    certutil -N -d .
    Thawte Personal Premium CA - Thawte Consulting ,,
    ............. others certificate below

With libnssckbi.so in the database directory:

    certutil -N -d .
    Thawte Personal Premium CA - Thawte Consulting p,C,C
    ............. others certificate below

But due to limitations of disk size etc. I cannot keep a copy of libnssckbi.so in the database directory. That's the reason I was trying to build the backup database with the CA certificates installed.

Eddy mentioned that the trust flags are for NSS internal usage. Can you please let me know what the exact problem is and how to extract the trust flags without copying libnssckbi.so?

Thanks,
Samrat Saha

On 7/2/07, Nelson B <[EMAIL PROTECTED]> wrote:
>
> samrat saha wrote:
>
> > I was trying to create the CA store using the built-in CA certificates in
> > libnssckbi library.
>
> What problem are you trying to solve? libnssckbi already contains all
> the stored root CAs. Do you need a different list? A smaller list?
> What's the problem with the list?
>
> Do you realize that changing the product's built-in list of root CAs
> requires you to not use Mozilla's trade-marks?
>
> Let's try to understand the problem you are trying to solve before we
> dissect any proposed solution.
>
> --
> Nelson B
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>