Daniel Stenberg wrote, On 2008-07-28 13:48:
> On Mon, 28 Jul 2008, Nelson B Bolyard wrote:
> 
>> NSS is quite capable of importing certificates in "PEM" format.
> 
> Importing them where? If I want to use NSS for the TLS layer and I have
> the ca cert in a PEM format file, how can I make NSS use that file when I
> connect to the peer?

Generally NSS does all crypto, and all storage of keys and certificates in
"cryptographic modules" that use the PKCS#11 API.  All such modules
conceptually offer access to "devices" called "tokens" that reside in
"slots" (although these may all be "virtual" - that is, pure software).
All keys and certs are stored in these tokens.  One of NSS's tokens uses
databases to store keys and certs.

There's a pretty nice illustration of those concepts at this URL:
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011970

Before you can use a cert or a key (that you might have in a file), you need
to get it into one of the tokens that are known to NSS.  That's where the
term "import" comes in.  NSS can import certificates from PEM files
(one cert per file).  It can also import PKCS#7 standard cert "packages"
from files in PEM format.  Private keys, however, are only imported from
files in PKCS#12 format.  PKCS#12 is the one format universally implemented
by all crypto libraries.  OpenSSL is capable of making PKCS#12 files from
PEM files, and that's the right way to transport private keys from OpenSSL
to NSS.

> My current code has a configure check and thus #ifdefs in the code for a
> PK11_CreateGenericObject() function that apparently can be used for
> this, but I've not found the source for that lib/plugin (libnsspem.so) so
> I've failed to test this myself.

Importing certs and keys into the DB files is not something you'd expect to
do every time you run a process.  The DBs are persistent, and most third
party PKCS#11 tokens (e.g. hardware) offer persistent storage also.  So,
the OpenSSL mode (import all the certs and keys from files every time the
process runs) is not generally applicable to products that use PKCS#11
modules.

NSS offers a set of utility programs to import and export certs and
private keys.  certutil will import/export certs in DER or PEM formats.
pk12util will import and export private keys (and related certs) in
PKCS#12 files.  I suggest you just use those.  If you want to see how
they do it, the sources to those programs are all open.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
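The import path described in the reply above (PEM cert via certutil, private key via an OpenSSL-built PKCS#12 file and pk12util, then checking what landed in the database token), written out as an added shell example. This is not code from the thread or from NSS; it assumes `openssl`, `certutil` and `pk12util` are on PATH, uses a throwaway self-signed "Demo CA" as constructed test data, an invented temporary directory layout, and the `sql:` database prefix of current NSS builds. It skips with a message rather than failing when the tools are not installed.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Walks a PEM CA cert
# and its private key into an NSS database the way the reply describes:
# certutil for the cert, OpenSSL + pk12util (PKCS#12) for the key.
# Assumptions: openssl, certutil, pk12util on PATH; all file names below are
# invented for the demo; the "Demo CA" is constructed throwaway test data.

nss_import_demo() {
    # Skip cleanly when a tool is missing, so "skipped" is distinguishable
    # from "failed" by the printed message rather than the exit code.
    for tool in openssl certutil pk12util; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skipped: $tool not found"
            return 0
        fi
    done

    workdir=$(mktemp -d)
    mkdir -p "$workdir/nssdb"             # certutil -N needs the directory to exist
    db="sql:$workdir/nssdb"               # sql: prefix = current NSS DB format
    pwfile="$workdir/pw.txt"
    printf '%s\n' 'demo-db-password' > "$pwfile"

    # 1. Create an empty key/cert database: this is NSS's "database token".
    certutil -N -d "$db" -f "$pwfile"

    # 2. Build a throwaway CA with OpenSSL. ca.pem stands in for the PEM CA
    #    file an application like curl has on disk. (Constructed test data.)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=Demo CA' \
        -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null

    # 3. Import the certificate. -a says the input is PEM (ASCII), one cert per
    #    file; -t 'CT,,' trusts it as a CA for SSL server authentication.
    certutil -A -d "$db" -f "$pwfile" -n 'Demo CA' -t 'CT,,' -a -i "$workdir/ca.pem"

    # 4. Private keys only enter NSS via PKCS#12. Wrap key + cert with OpenSSL,
    #    pinning the PBE algorithms to SHA1/3DES so the file imports on both
    #    old and new NSS (OpenSSL 3 defaults to AES/PBKDF2, which older NSS
    #    versions reject) ...
    openssl pkcs12 -export -inkey "$workdir/ca.key" -in "$workdir/ca.pem" \
        -name 'Demo CA' -passout pass:p12pw \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -out "$workdir/ca.p12"
    # ... then import with pk12util: -k is the DB password file, -W the
    #     PKCS#12 file password.
    pk12util -i "$workdir/ca.p12" -d "$db" -k "$pwfile" -W p12pw >/dev/null

    # 5. Verify from the token's point of view: the cert is listed with its
    #    trust flags, and the key list shows a key bound to the same nickname.
    certutil -L -d "$db" -f "$pwfile" | grep -q 'Demo CA'
    certutil -K -d "$db" -f "$pwfile" | grep -q 'Demo CA'

    rm -rf "$workdir"
    echo "ok: cert and key imported into the NSS database token"
}

nss_import_demo
```

Run it once and the database directory is the persistent artifact: a process that uses NSS then opens that DB (or a hardware token) at startup instead of re-importing PEM files on every run, which is the point the reply makes about the difference from the OpenSSL model.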