Root Certificate Authorities will soon stop issuing certificates to non-official TLDs (https://www.digicert.com/internal-names.htm), or at least they will no longer sign them with their widely known PKI keys. We have lots of internal domains with multiple CAs. Some are signed by various commercial CAs, some are signed by our own CAs.

Rather than update each user's personal key store with

    certutil.exe -A -d %appdata%\mozilla\firefox\profiles\godknowswhatname.default -t C,, -i \\someserver\share\cert.x509.der

for each private CA, we thought it would be nice to just add our CAs to the nssckbi.dll. On a Windows 7 64-bit machine, I followed info found here: https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/README and here: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites to download the source that matches the version of Firefox we are running.

    mkdir /c/mozilla-source
    cd /c/mozilla-source
    hg clone https://hg.mozilla.org/releases/mozilla-esr24/
    hg clone https://hg.mozilla.org/projects/nspr/
    mv /c/mozilla-source/nspr /c/mozilla-source/mozilla-esr24/security/
    set OS_TARGET=WINNT
    cd /c/mozilla-source/mozilla-esr24/security/nss
    make nss_build_all
    cp /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/lib/*.dll /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/bin
    /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/bin/addbuiltin -n "Our CA!" -t C,C,C < /c/temp/cert.x509.der >> /c/mozilla-source/mozilla-esr24/security/nss/lib/ckfw/builtins/certdata.txt
    make nss_build_all
    cp /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/lib/freebl3.chk /c/tmp/
    cp /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/lib/freebl3.dll /c/tmp/
    cp /c/mozilla-source/mozilla-esr24/security/dist/WIN954.0_DBG.OBJ/lib/nssckbi.dll /c/tmp/

We then distributed these three files to the machines that have ESR 24.2.0 on them.

1. Is this a recommended practice?
2. What happens during an upgrade, say to ESR 38.0? Will the dll be overwritten?
3. Was it necessary to download the whole ESR release, or could we have just fetched NSS and NSPR?
4. Do the versions need to match between the ESR and NSS?
5. Why didn't nssckbi.dll work alone? Why did I have to copy freebl3.dll and .chk too?
6. Are there plans for an NSS system certificate store that supplements nssckbi.dll? Like a system c:\program files (x86)\mozilla firefox\key3.db and cert8/9.db? Maybe that's already a feature?

-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
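Before shipping a rebuilt nssckbi.dll to a fleet, it is worth auditing exactly which entries the `addbuiltin >> certdata.txt` step appended and with which trust bits, since anything marked as a trusted delegator in that file becomes a root of trust for every user of the DLL. The following is an added example (not code from the post, from NSS, or from addbuiltin) that parses certdata.txt-style entries from the standard library alone, decodes the MULTILINE_OCTAL certificate bytes, fingerprints them, and lists which labels carry CKT_NSS_TRUSTED_DELEGATOR for any usage. The embedded SAMPLE_CERTDATA is constructed for the demonstration; its CKA_VALUE octets are placeholder bytes, not a real certificate, and the attribute subset shown is the part of the addbuiltin output format this audit needs.

```python
import hashlib
import re

# Constructed sample in the shape of what addbuiltin appends to certdata.txt.
# The CKA_VALUE octets are placeholder bytes, NOT a real certificate.
SAMPLE_CERTDATA = r'''
#
# Certificate "Our CA!"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Our CA!"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\060\201\351
\240\003\002\001\002
END

# Trust for "Our CA!"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Our CA!"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Constructed Non-Anchor"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Non-Anchor"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

TRUST_USAGES = ("CKA_TRUST_SERVER_AUTH",
                "CKA_TRUST_EMAIL_PROTECTION",
                "CKA_TRUST_CODE_SIGNING")


def _octal_to_bytes(lines):
    """Turn MULTILINE_OCTAL lines such as \\060\\202 into raw bytes."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))


def parse_certdata(text):
    """Split certdata.txt text into a list of attribute dicts, one per object.
    A new object starts at each CKA_CLASS line; MULTILINE_OCTAL values are decoded."""
    objects, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # stray token such as an unexpected END
        name, ctype = parts[0], parts[1]
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if ctype == "MULTILINE_OCTAL":
            block = []
            while i < len(lines) and lines[i].strip() != "END":
                block.append(lines[i].strip())
                i += 1
            i += 1  # consume the END marker
            value = _octal_to_bytes(block)
        else:
            value = parts[2] if len(parts) > 2 else ""
            if ctype == "UTF8":
                value = value.strip('"')
        if current is not None:
            current[name] = value
    return objects


def audit_builtins(text):
    """Pair certificate and trust objects by label; report fingerprint and trust bits."""
    report = {}
    for obj in parse_certdata(text):
        label = obj.get("CKA_LABEL", "<unlabelled>")
        entry = report.setdefault(label, {"sha256": None, "trust": {}})
        cls = obj.get("CKA_CLASS")
        if cls == "CKO_CERTIFICATE":
            entry["sha256"] = hashlib.sha256(obj["CKA_VALUE"]).hexdigest()
        elif cls == "CKO_NSS_TRUST":
            for usage in TRUST_USAGES:
                entry["trust"][usage] = obj.get(usage, "<absent>")
    return report


def trust_anchors(report):
    """Labels whose trust object makes them a trusted delegator (root CA) for any usage."""
    return sorted(label for label, e in report.items()
                  if "CKT_NSS_TRUSTED_DELEGATOR" in e["trust"].values())


if __name__ == "__main__":
    rep = audit_builtins(SAMPLE_CERTDATA)
    for label, e in rep.items():
        print(label, e["sha256"], e["trust"])
    print("trust anchors:", trust_anchors(rep))
```

Run it against the real certdata.txt after the `addbuiltin` step and compare the reported SHA-256 for "Our CA!" with the fingerprint of the cert.x509.der you intended to add; a mismatch, or an unexpected label in the trust-anchor list, means the wrong bytes went into the DLL that is about to be distributed.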