françois blanchon wrote: > Hello > Question about CA in Firefox (I precise : I am not a developper at all). I > must securise a Firefox on a Windows workstation, and one part is to remove > all the built-in CA certs and install only a private one (the workstation is > not able to go on the Internet). If I remove "nssckbi.dll" it works but I am > a not sure it is really good to remove a DLL (maybe new problems may appear > because of that way to proceed). Does anyone as method that permit to remove > the CA without suppressing nssckbi.dll ? > Thank you
That dll/so only exists to load the roots and it doesn't harm anything by not being there. I think the reason it is a shared library is that it implements a very minimal certs-only PKCS11 module. Just be careful, if you do change the roots you cannot distribute the browser as "Firefox" anymore. If you google for it, you can find instructions on how to build a custom nssckbi module. Dave _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
