KyleMac:.netscape kyanha$ modutil -add roots -libfile /Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib -dbdir .
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
ERROR: Failed to add module "roots". Probable cause : "Unknown error: -2804".
KyleMac:.netscape kyanha$

(The architecture is 'i386' on all of modutil, certutil, and libnssckbi.dylib.)

-Kyle H

On Wed, Dec 31, 2008 at 4:48 AM, David Stutzman <dstutz...@dsci.com> wrote:
> Ahh...I did it from my Vista workstation's firefox profile which I knew had
> the roots module added. Nssckbi.dll or libnssckbi.so or whatever it is on a
> Mac is a special PKCS#11 module that is read-only and contains the trust
> anchors. By default with an NSS database, it's not added. You can add it
> yourself to a new or existing db using modutil.
>
> mbn ~ # mkdir nss
> mbn ~ # cd nss/
> mbn nss # nsscertutil -N -d .
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> mbn nss # nssmodutil -list -dbdir .
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> -----------------------------------------------------------
> mbn nss # nssmodutil -add roots -libfile /usr/lib64/nss/libnssckbi.so -dbdir .
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> Module "roots" added to database.
> mbn nss # nssmodutil -list -dbdir .
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. roots
>         library name: /usr/lib64/nss/libnssckbi.so
>          slots: 1 slot attached
>         status: loaded
>
>          slot: NSS Builtin Objects
>         token: Builtin Object Token
> -----------------------------------------------------------
> mbn nss # nsscertutil -L -d . -h all
>
> Certificate Nickname                                  Trust Attributes
>                                                       SSL,S/MIME,JAR/XPI
>
> Builtin Object Token:Verisign/RSA Secure Server CA    CG,C,
> Builtin Object Token:GTE CyberTrust Root CA           CG,C,C
> Builtin Object Token:GTE CyberTrust Global Root       CG,C,C
> <snip> you get the point
>
> (BTW, ignore the "nss" prepended to the beginning of all the commands, I
> filed a bug with Gentoo a while back to have the NSS command-line utils be
> built by default and they didn't want a binary called "digest" laying around
> among others so they prepend "nss" before all the commands.)
>
> At this point you can follow my previous directions. Sorry I didn't
> explicitly mention this piece earlier.
>
> Good luck,
> Dave
>
> -----Original Message-----
> That doesn't give me the list of nicknames in the Builtin Object
> Token, that just gives me the list of nicknames in the softtoken. (I
> doubt that nssckbi is supposed to include this...)
>
> KyleMac:.netscape kyanha$ certutil -L -d . -h "Builtin Object Token"
> [...]
> StartCom Free Certificate Member's StartCom Ltd. ID    u,u,u
> [...]
>
> Notably, modutil -list gives me this:
>
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> -----------------------------------------------------------
>
> It does this regardless of whether I have libnssckbi.dylib (I'm on Mac
> OS X Leopard 10.5.6) in the profile directory. It also does this
> regardless of whether I have all of Firefox.app/Contents/MacOS/*.dylib
> in the profile directory. And it especially does this even when I'm
> in the profile directory.
>
> The version of nss I'm using is @3.11.9 (net), provided by darwinports.
>
> -Kyle H
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
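
A check for the difference between the two listings in this thread, as an added example that is not part of the original messages: it parses `modutil -list` text and reports whether a loaded module exposes the Builtin Object Token. The sample listing is constructed from the output quoted above, and `parse_modules` and `builtin_roots_loaded` are hypothetical names.

```python
import re

# Constructed sample: `modutil -list` output in the layout quoted in the thread
# (blank separator lines dropped), after the "roots" module has been added.
SAMPLE_WITH_ROOTS = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded
     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
  2. roots
    library name: /usr/lib64/nss/libnssckbi.so
     slots: 1 slot attached
    status: loaded
     slot: NSS Builtin Objects
    token: Builtin Object Token
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(library name|status|token):\s*(.*?)\s*$")

def parse_modules(listing):
    """Return one dict per PKCS #11 module in `modutil -list` text."""
    modules = []
    for line in listing.splitlines():
        header = MODULE_RE.match(line)
        if header:
            modules.append({"name": header.group(1), "library": None,
                            "status": None, "tokens": []})
            continue
        field = FIELD_RE.match(line)
        if not field or not modules:
            continue  # banner, separator, or a field we do not track
        key, value = field.groups()
        if key == "token":
            modules[-1]["tokens"].append(value)
        else:
            modules[-1]["library" if key == "library name" else "status"] = value
    return modules

def builtin_roots_loaded(listing):
    """True only if a loaded module exposes the Builtin Object Token."""
    return any(m["status"] == "loaded" and "Builtin Object Token" in m["tokens"]
               for m in parse_modules(listing))
```

Feeding it the output of `modutil -list -dbdir .` for a database gives a scriptable yes/no on whether the trust anchors are visible before relying on `certutil -L -h all`.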