This is, honestly, a matter of "NSS's implementors decided to force
administrators and users to jump through hoops."  There may be
legitimate policy concerns with certain policies that require
everything to be inside the database that NSS uses... but for those
who don't have those policy restrictions, it could be called
"inelegant".

Which revision of PKCS#11 was NSS support written to?  I'm seeing that
the latest available from RSA Labs is v2.20 amendment 3.

-Kyle H

On Mon, Jul 28, 2008 at 4:04 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> Daniel Stenberg wrote, On 2008-07-28 13:48:
>> On Mon, 28 Jul 2008, Nelson B Bolyard wrote:
>>
>>> NSS is quite capable of importing certificates in "PEM" format.
>>
>> Importing them where? If I want to use NSS for the TLS layer and I have
>> the ca cert in a PEM format file, how can I make NSS use that file when I
>> connect to the peer?
>
> Generally NSS does all crypto, and all storage of keys and certificates in
> "cryptographic modules" that use the PKCS#11 API.  All such modules
> conceptually offer access to "devices" called "tokens" that reside in
> "slots" (although these may all be "virtual" - that is, pure software).
> All keys and certs are stored in these tokens.  One of NSS's tokens uses
> databases to store keys and certs.
>
> There's a pretty nice illustration of those concepts at this URL:
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011970
>
> Before you can use a cert or a key (that you might have in a file), you need
> to get it into one of the tokens that are known to NSS.  That's where the
> term "import" comes in.  NSS can import certificates from PEM files
> (one cert per file).  It can also import PKCS#7 standard cert "packages"
> from files in PEM format.  Private keys, however, are only imported from
> files in PKCS#12 format.  PKCS#12 is the one format universally implemented
> by all crypto libraries.  OpenSSL is capable of making PKCS#12 files from
> PEM files, and that's the right way to transport private keys from OpenSSL
> to NSS.
>
>> My current code has a configure check and thus #ifdefs in the code for a
>> PK11_CreateGenericObject() function that apparently can be used for
>> this, but I've not found the source for that lib/plugin (libnsspem.so) so
>> I've failed to test this myself.
>
> Importing certs and keys into the DB files is not something you'd expect to
> do every time you run a process.  The DBs are persistent, and most third
> party PKCS#11 tokens (e.g. hardware) offer persistent storage also.  So,
> the OpenSSL mode (import all the certs and keys from files every time the
> process runs) is not generally applicable to products that use PKCS#11
> modules.
>
> NSS offers a set of utility programs to import and export certs and
> private keys.  certutil will import/export certs in DER or PEM formats.
> pk12util will import and export private keys (and related certs) in
> PKCS#12 files.  I suggest you just use those.  If you want to see how
> they do it, the sources to those programs are all open.
>
> _______________________________________________
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
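The route Nelson describes (OpenSSL builds a PKCS#12 from the PEM pair, pk12util imports it, certutil imports PEM certs), as an added shell example that is not part of the thread. The certutil, pk12util and openssl flags are the standard ones; the file names, nicknames and the `changeit` password are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: carry a PEM key+cert pair from OpenSSL
# into an NSS database via PKCS#12, and import a PEM CA cert directly.
# File names, nicknames and the bundle password below are made up.
set -eu

# Wrap a PEM private key and its cert in a PKCS#12 bundle with OpenSSL.
# $1 key.pem  $2 cert.pem  $3 nickname  $4 output .p12  $5 bundle password
pem_to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
        -out "$4" -passout "pass:$5"
}

# Create the NSS DB (empty password, so no login prompt) if it is missing.
# $1 db directory
ensure_nss_db() {
    mkdir -p "$1"
    [ -f "$1/cert9.db" ] || certutil -N -d "sql:$1" --empty-password
}

# Import key + cert from the bundle into NSS's software token.
# $1 db directory  $2 .p12 file  $3 bundle password
pkcs12_to_nss() {
    ensure_nss_db "$1"
    pk12util -i "$2" -d "sql:$1" -W "$3" >/dev/null
}

# Import a CA cert from PEM (-a = ASCII input) and trust it for server auth.
# $1 db directory  $2 ca.pem  $3 nickname
pem_ca_to_nss() {
    ensure_nss_db "$1"
    certutil -A -d "sql:$1" -n "$3" -t "C,," -a -i "$2"
}

# Print "yes" if the DB holds a private key under the nickname, else "no".
# $1 db directory  $2 nickname
nss_has_key() {
    if certutil -K -d "sql:$1" 2>/dev/null | grep -q "$2"; then echo yes; else echo no; fi
}

# End-to-end demo on throwaway self-signed certs (constructed input).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$work/ca-key.pem" -out "$work/ca.pem" 2>/dev/null
    pem_to_pkcs12 "$work/key.pem" "$work/cert.pem" demo-cert "$work/demo.p12" changeit
    pkcs12_to_nss "$work/db" "$work/demo.p12" changeit
    pem_ca_to_nss "$work/db" "$work/ca.pem" demo-ca
    nss_has_key "$work/db" demo-cert
}
```

Run `demo` once to populate the DB; afterwards `certutil -L -d sql:<dir>` shows both the imported cert and the trusted CA, and the process using NSS only needs the DB directory, not the PEM files.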