On Thu, 2014-12-04 at 22:25 +0000, Martinsson Patrik wrote:

> Maybe I should have been clearer from the beginning, it was actually
> just pam_pkcs11 that didn't automatically pick up my CA, sorry if it
> got confusing.
OK, and I suppose that makes sense. Because pam_pkcs11 doesn't *want* to blindly trust all those random foreign make-money-fast schemes^W^W CAs; it wants to trust only the CAs which you have explicitly *configured* for allowing access to this system.

But that's actually perfect. Symlink /usr/lib64/libnssckbi.so to /usr/lib64/p11-kit-proxy.so so that the PKCS#11 modules which are configured in p11-kit actually *work* in those NSS apps which do load libnssckbi.so. Which is fairly much all the interesting user-facing ones.

And point pam_pkcs11 at its *own* nssdb somewhere else, which doesn't have libnssckbi loaded. Just import your CA into that nssdb manually.

For the rest of the system, *forget* nsssysinit; it's an experiment which is past its time and now best forgotten. Install your CA into /etc/pki/ca-trust, and your libnssckbi.so->p11-kit-proxy.so will ensure that NSS apps will pick it up appropriately if they want the system trust.

That should basically solve it all for you, right? Apart from those recalcitrant apps which can't handle the protected login path. You can make use of the 'disable-in' option in /usr/share/p11-kit/modules/gnome-keyring.module to disable it in those, for now.

-- 
dwmw2
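The steps in the reply above, collected into one rehearsable script. This is an added example, not code from the message or from p11-kit, NSS or pam_pkcs11; each step is a function that takes a prefix so the layout can be tried in a scratch directory before it is applied to the real system. Assumed rather than stated in the message: the `nss_dir` key of pam_pkcs11.conf, the `/etc/pam_pkcs11/nssdb` location chosen for the private database, the `source/anchors` subdirectory under /etc/pki/ca-trust, the certutil trust flags used on the imported CA, and the comma-separated program list accepted by p11-kit's `disable-in:` key.

```shell
#!/bin/sh
# Added example, not from the message. Rehearses dwmw2's layout under a prefix
# ("" for the live system, a scratch dir for a dry run). Assumptions: the
# pam_pkcs11.conf "nss_dir" key, the /etc/pam_pkcs11/nssdb location, the
# ca-trust "source/anchors" directory, the certutil trust flags, and the
# comma-separated program list in p11-kit's "disable-in:" key.

# Step 1: libnssckbi.so -> p11-kit-proxy.so, so NSS apps that load the Mozilla
# roots module get the modules configured in p11-kit instead.
link_nssckbi_to_p11kit() {
    libdir="$1"
    [ -f "$libdir/p11-kit-proxy.so" ] || { echo "no p11-kit-proxy.so in $libdir" >&2; return 1; }
    # Keep the original Mozilla roots module so the change can be reverted.
    if [ -f "$libdir/libnssckbi.so" ] && [ ! -L "$libdir/libnssckbi.so" ]; then
        mv "$libdir/libnssckbi.so" "$libdir/libnssckbi.so.orig"
    fi
    ln -sfn p11-kit-proxy.so "$libdir/libnssckbi.so"
}

# Check: is libnssckbi.so really the p11-kit proxy now?
nssckbi_is_p11kit() {
    [ -L "$1/libnssckbi.so" ] && [ "$(readlink "$1/libnssckbi.so")" = "p11-kit-proxy.so" ]
}

# Step 2: a private nssdb for pam_pkcs11 with no libnssckbi loaded, so the only
# CA it trusts for login is the one imported here. Needs certutil (nss-tools).
make_pam_pkcs11_nssdb() {
    nssdb="$1" ca_pem="$2" nick="$3"
    mkdir -p "$nssdb"
    certutil -N -d "sql:$nssdb" --empty-password
    # "CT,C,C" = trusted CA for client (login) certificates; assumed flags.
    certutil -A -d "sql:$nssdb" -n "$nick" -t "CT,C,C" -i "$ca_pem"
}

# Step 3: point pam_pkcs11 at that nssdb (assumed key name "nss_dir").
set_pam_pkcs11_nss_dir() {
    conf="$1" nssdb="$2"
    if grep -q '^[[:space:]]*nss_dir[[:space:]]*=' "$conf"; then
        sed -i "s|^\([[:space:]]*nss_dir[[:space:]]*=\).*|\1 $nssdb;|" "$conf"
    else
        printf 'nss_dir = %s;\n' "$nssdb" >> "$conf"
    fi
}

# Read back the configured nss_dir, for a post-change check.
pam_pkcs11_nss_dir() {
    sed -n 's/^[[:space:]]*nss_dir[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p' "$1"
}

# Step 4: system-wide trust goes through ca-trust, not nsssysinit. The
# libnssckbi -> p11-kit-proxy link from step 1 is what makes NSS apps see it.
install_system_ca() {
    root="$1" ca_pem="$2"
    mkdir -p "$root/etc/pki/ca-trust/source/anchors"
    cp "$ca_pem" "$root/etc/pki/ca-trust/source/anchors/"
    if [ -z "$root" ]; then update-ca-trust extract; fi
}

# Step 5: keep a module (e.g. gnome-keyring.module) out of programs that cannot
# handle the protected login path, via p11-kit's "disable-in:" key.
disable_module_in() {
    modfile="$1"; shift
    progs=$(printf '%s, ' "$@"); progs="${progs%, }"
    printf 'disable-in: %s\n' "$progs" >> "$modfile"
}

# Live run only when asked for explicitly, e.g.: sh this.sh --apply /path/to/ca.pem
case "${1:-}" in
    --apply)
        link_nssckbi_to_p11kit /usr/lib64
        make_pam_pkcs11_nssdb /etc/pam_pkcs11/nssdb "$2" "Local login CA"
        set_pam_pkcs11_nss_dir /etc/pam_pkcs11/pam_pkcs11.conf /etc/pam_pkcs11/nssdb
        install_system_ca "" "$2"
        nssckbi_is_p11kit /usr/lib64 && echo "libnssckbi.so now resolves to p11-kit-proxy.so"
        ;;
esac
```

Run without arguments the script only defines the functions, so each step can be exercised against a scratch prefix; `--apply` performs the live change and needs root, nss-tools and p11-kit installed. The `.orig` copy kept in step 1 is the rollback path if an application turns out to depend on the stock roots module.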
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto