Dennis Darch wrote, On 2008-06-23 13:05:
> I am extending our application software to function as an LDAP/SSL client
> for login authentication. To do this, I have built the Mozilla LDAP C
> SDK 6.0.4 with NSS 3.11.9 and NSPR 4.7.
>
> Obviously, our customers have to set up cert8.db and key3.db files that
> will trust the certificate of the LDAP server. In my development
> environment, certutil and pk12util do that quite nicely. But some
> customers may prefer to use a full-scale PKI instead in their production
> environments.
>
> Also, in the NSS documentation at
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011987
> I find the following warning:
[snip]
> So I have two questions:
>
> 1 - If a customer wants to use some PKI software instead of
> certutil/pk12util to distribute and install server and/or client
> certificates, which versions of which PKI products should produce cert8.db
> and key3.db files that will work for SSL with NSS 3.11.9?
>
> 2 - Aside from issues of convenience and scalability, are there any security
> problems with using certutil and/or pk12util to build and maintain cert8.db
> and key3.db databases specifically for an LDAP/SSL client? (We do not
> supply the LDAP/SSL server, so users will presumably get their certificates
> from some CA and/or use some other tools to create them.)
>
> Dennis Darch
> SofTech, Inc.

Dennis,

For purposes of this discussion, there are two separate broad sets of
functionality in NSS utilities such as (especially) certutil. They are:

- certificate issuance (that is, acting like a CA, generating certs), and
- certificate & key transportation (importing and exporting certs & keys)

One of those uses (transportation) is perfectly OK in all NSS environments,
both test and production. For importing and exporting certs and keys,
certutil and pk12util work just fine, regardless of the source of the certs
and/or keys.

The other use (cert issuance) is a problem, not because certutil is in some
way bad at issuing self-signed certs, but rather because the use of
self-signed server certs in production is nearly always a mistake,
regardless of their source. Getting your certs from a real competent CA is
the right thing to do. Once you have your certs, use certutil to import them.

The big warning paragraph that you quoted (and I snipped) is really trying
to warn against the use of certutil (or any tool that produces self-signed
certificates) for certificate issuance in production environments. The page
is explaining how to set up a very small scale CA using certutil for use in
very small scale test environments.
The warning is intended to be "If you use self-signed server certs in
production, you'll be sorry!". It doesn't say that very well. The warning
sounds like it's saying "certutil does a bad job of issuing self-signed
certs", but that's not the issue. Some people read it as if it is saying
"don't use certutil for this, but instead use some other tool like OpenSSL",
and that's exactly the wrong message. The message is: "don't use self-signed
server certs in production. The tool that makes them doesn't matter.
Self-signed certs are bad for production."

Hope this answered your questions.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
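The "transportation only" workflow the reply recommends, as an added example that is not part of the thread: the client's NSS database is created and populated with certutil/pk12util, while the CA certificate and any client PKCS#12 bundle are assumed to come from the customer's own CA. Database paths, nicknames and password files are placeholders; `nss_trust_flags` is a helper invented here.

```shell
#!/bin/sh
# Added example (not from the post): maintaining an LDAP/SSL client's NSS
# database with certutil/pk12util for *transport* only. The CA cert and the
# client PKCS#12 bundle are assumed to be issued by the customer's real CA.
# Paths, nicknames and password files below are placeholders.
set -eu

# Map the role a cert plays for this client to NSS trust flags
# (first field = SSL, second = email, third = object signing).
nss_trust_flags() {
    case "$1" in
        server-ca) echo "C,," ;;   # trusted CA for issuing SSL server certs
        peer)      echo "P,," ;;   # trust one specific server cert, no chain
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Create an empty cert/key database protected by the password in file $2
# (cert8.db/key3.db on the NSS the post uses; newer NSS writes cert9.db/key4.db).
nss_init_db() {            # db_dir db_pw_file
    mkdir -p "$1"
    certutil -N -d "$1" -f "$2"
}

# Import a CA certificate (PEM, hence -a) and trust it for SSL server issuance only.
nss_import_ca() {          # db_dir nickname ca_pem
    certutil -A -d "$1" -n "$2" -t "$(nss_trust_flags server-ca)" -i "$3" -a
}

# Import a client cert + private key from a PKCS#12 bundle issued by the CA.
nss_import_client_p12() {  # db_dir db_pw_file p12_file p12_pw_file
    pk12util -i "$3" -d "$1" -k "$2" -w "$4"
}

# Check that the imported CA validates for the "SSL CA" usage (-u L),
# which is the usage the LDAP/SSL client relies on at connect time.
nss_check_ca() {           # db_dir nickname
    certutil -V -d "$1" -n "$2" -u L
}

# Example run with placeholder paths:
#   nss_init_db /etc/myapp/nssdb /etc/myapp/db.pw
#   nss_import_ca /etc/myapp/nssdb "Corp LDAP CA" /etc/myapp/corp-ca.pem
#   nss_import_client_p12 /etc/myapp/nssdb /etc/myapp/db.pw client.p12 p12.pw
#   nss_check_ca /etc/myapp/nssdb "Corp LDAP CA" && certutil -L -d /etc/myapp/nssdb
```

Note that the CA is imported with "C,," rather than "CT,,": this client only needs the CA trusted for server certificates, so no client-cert trust is granted.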