horok/firefox
1
0
Fork 0
Code Activity
firefox/security/nss/doc/rst/legacy/tools/modutil/index.rst
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

631 lines
33 KiB
ReStructuredText
Raw Permalink Blame History

.. _mozilla_projects_nss_tools_modutil:
NSS tools : modutil
===================
.. container::
| Name
| modutil — Manage PKCS #11 module information within the security module
| database.
| Synopsis
| modutil [options] `arguments <arguments>`__
| Description
| The Security Module Database Tool, modutil, is a command-line utility for
| managing PKCS #11 module information both within secmod.db files and
| within hardware tokens. modutil can add and delete PKCS #11 modules,
| change passwords on security databases, set defaults, list module
| contents, enable or disable slots, enable or disable FIPS 140-2
| compliance, and assign default providers for cryptographic operations.
| This tool can also create certificate, key, and module security database
| files.
| The tasks associated with security module database management are part of
| a process that typically also involves managing key databases and
| certificate databases.
| Options
| Running modutil always requires one (and only one) option to specify the
| type of module operation. Each option may take arguments, anywhere from
| none to multiple arguments.
| Options
| -add modulename
| Add the named PKCS #11 module to the database. Use this option
| with the -libfile, -ciphers, and -mechanisms arguments.
| -changepw tokenname
| Change the password on the named token. If the token has not been
| initialized, this option initializes the password. Use this option
| with the -pwfile and -newpwfile arguments. A password is
| equivalent to a personal identification number (PIN).
| -chkfips
| Verify whether the module is in the given FIPS mode. true means to
| verify that the module is in FIPS mode, while false means to
| verify that the module is not in FIPS mode.
| -create
| Create new certificate, key, and module databases. Use the -dbdir
| directory argument to specify a directory. If any of these
| databases already exist in a specified directory, modutil returns
| an error message.
| -default modulename
| Specify the security mechanisms for which the named module will be
| a default provider. The security mechanisms are specified with the
| -mechanisms argument.
| -delete modulename
| Delete the named module. The default NSS PKCS #11 module cannot be
| deleted.
| -disable modulename
| Disable all slots on the named module. Use the -slot argument to
| disable a specific slot.
| -enable modulename
| Enable all slots on the named module. Use the -slot argument to
| enable a specific slot.
| -fips [true \| false]
| Enable (true) or disable (false) FIPS 140-2 compliance for the
| default NSS module.
| -force
| Disable modutil's interactive prompts so it can be run from a
| script. Use this option only after manually testing each planned
| operation to check for warnings and to ensure that bypassing the
| prompts will cause no security lapses or loss of database
| integrity.
| -jar JAR-file
| Add a new PKCS #11 module to the database using the named JAR
| file. Use this command with the -installdir and -tempdir
| arguments. The JAR file uses the NSS PKCS #11 JAR format to
| identify all the files to be installed, the module's name, the
| mechanism flags, and the cipher flags, as well as any files to be
| installed on the target machine, including the PKCS #11 module
| library file and other files such as documentation. This is
| covered in the JAR installation file section in the man page,
| which details the special script needed to perform an installation
| through a server or with modutil.
| -list [modulename]
| Display basic information about the contents of the secmod.db
| file. Specifying a modulename displays detailed information about
| a particular module and its slots and tokens.
| -rawadd
| Add the module spec string to the secmod.db database.
| -rawlist
| Display the module specs for a specified module or for all
| loadable modules.
| -undefault modulename
| Specify the security mechanisms for which the named module will
| not be a default provider. The security mechanisms are specified
| with the -mechanisms argument.
| Arguments
| MODULE
| Give the security module to access.
| MODULESPEC
| Give the security module spec to load into the security database.
| -ciphers cipher-enable-list
| Enable specific ciphers in a module that is being added to the
| database. The cipher-enable-list is a colon-delimited list of
| cipher names. Enclose this list in quotation marks if it contains
| spaces.
| -dbdir [sql:]directory
| Specify the database directory in which to access or create
| security module database files.
| modutil supports two types of databases: the legacy security
| databases (cert8.db, key3.db, and secmod.db) and new SQLite
| databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
| is not used, then the tool assumes that the given databases are in
| the old format.
| --dbprefix prefix
| Specify the prefix used on the database files, such as my\_ for
| my_cert8.db. This option is provided as a special case. Changing
| the names of the certificate and key databases is not recommended.
| -installdir root-installation-directory
| Specify the root installation directory relative to which files
| will be installed by the -jar option. This directory should be one
| below which it is appropriate to store dynamic library files, such
| as a server's root directory.
| -libfile library-file
| Specify a path to a library file containing the implementation of
| the PKCS #11 interface module that is being added to the database.
| -mechanisms mechanism-list
| Specify the security mechanisms for which a particular module will
| be flagged as a default provider. The mechanism-list is a
| colon-delimited list of mechanism names. Enclose this list in
| quotation marks if it contains spaces.
| The module becomes a default provider for the listed mechanisms
| when those mechanisms are enabled. If more than one module claims
| to be a particular mechanism's default provider, that mechanism's
| default provider is undefined.
| modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
| DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
| random number generation), and FRIENDLY (meaning certificates are
| publicly readable).
| -newpwfile new-password-file
| Specify a text file containing a token's new or replacement
| password so that a password can be entered automatically with the
| -changepw option.
| -nocertdb
| Do not open the certificate or key databases. This has several
| effects:
| o With the -create command, only a module security file is
| created; certificate and key databases are not created.
| o With the -jar command, signatures on the JAR file are not
| checked.
| o With the -changepw command, the password on the NSS internal
| module cannot be set or changed, since this password is
| stored in the key database.
| -pwfile old-password-file
| Specify a text file containing a token's existing password so that
| a password can be entered automatically when the -changepw option
| is used to change passwords.
| -secmod secmodname
| Give the name of the security module database (like secmod.db) to
| load.
| -slot slotname
| Specify a particular slot to be enabled or disabled with the
| -enable or -disable options.
| -string CONFIG_STRING
| Pass a configuration string for the module being added to the
| database.
| -tempdir temporary-directory
| Give a directory location where temporary files are created during
| the installation by the -jar option. If no temporary directory is
| specified, the current directory is used.
| Usage and Examples
| Creating Database Files
| Before any operations can be performed, there must be a set of security
| databases available. modutil can be used to create these files. The only
| required argument is the database that where the databases will be
| located.
| modutil -create -dbdir [sql:]directory
| Adding a Cryptographic Module
| Adding a PKCS #11 module means submitting a supporting library file,
| enabling its ciphers, and setting default provider status for various
| security mechanisms. This can be done by supplying all of the information
| through modutil directly or by running a JAR file and install script. For
| the most basic case, simply upload the library:
| modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms
mechanism-list]
| For example:
| modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile
"/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
| Using database directory ...
| Module "Example PKCS #11 Module" added to database.
| Installing a Cryptographic Module from a JAR File
| PKCS #11 modules can also be loaded using a JAR file, which contains all
| of the required libraries and an installation script that describes how to
| install the module. The JAR install script is described in more detail in
| [1]the section called “JAR Installation File Format”.
| The JAR installation script defines the setup information for each
| platform that the module can be installed on. For example:
| Platforms {
| Linux:5.4.08:x86 {
| ModuleName { "Example PKCS #11 Module" }
| ModuleFile { crypto.so }
| DefaultMechanismFlags{0x0000}
| CipherEnableFlags{0x0000}
| Files {
| crypto.so {
| Path{ /tmp/crypto.so }
| }
| setup.sh {
| Executable
| Path{ /tmp/setup.sh }
| }
| }
| }
| Linux:6.0.0:x86 {
| EquivalentPlatform { Linux:5.4.08:x86 }
| }
| }
| Both the install script and the required libraries must be bundled in a
| JAR file, which is specified with the -jar argument.
| modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir
sql:/home/my/sharednssdb
| This installation JAR file was signed by:
| ----------------------------------------------
| **SUBJECT NAME*\*
| C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
| Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
| Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
| . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
| Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network \**ISSUER
| NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
| VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
| OU="VeriSign, Inc.", O=VeriSign Trust Network
| ----------------------------------------------
| Do you wish to continue this installation? (y/n) y
| Using installer script "installer_script"
| Successfully parsed installation script
| Current platform is Linux:5.4.08:x86
| Using installation parameters for platform Linux:5.4.08:x86
| Installed file crypto.so to /tmp/crypto.so
| Installed file setup.sh to ./pk11inst.dir/setup.sh
| Executing "./pk11inst.dir/setup.sh"...
| "./pk11inst.dir/setup.sh" executed successfully
| Installed module "Example PKCS #11 Module" into module database
| Installation completed successfully
| Adding Module Spec
| Each module has information stored in the security database about its
| configuration and parameters. These can be added or edited using the
| -rawadd command. For the current settings or to see the format of the
| module spec in the database, use the -rawlist option.
| modutil -rawadd modulespec
| Deleting a Module
| A specific PKCS #11 module can be deleted from the secmod.db database:
| modutil -delete modulename -dbdir [sql:]directory
| Displaying Module Information
| The secmod.db database contains information about the PKCS #11 modules
| that are available to an application or server to use. The list of all
| modules, information about specific modules, and database configuration
| specs for modules can all be viewed.
| To simply get a list of modules in the database, use the -list command.
| modutil -list [modulename] -dbdir [sql:]directory
| Listing the modules shows the module name, their status, and other
| associated security databases for certificates and keys. For example:
| modutil -list -dbdir sql:/home/my/sharednssdb
| Listing of PKCS #11 Modules
| -----------------------------------------------------------
| 1. NSS Internal PKCS #11 Module
| slots: 2 slots attached
| status: loaded
| slot: NSS Internal Cryptographic Services
| token: NSS Generic Crypto Services
| slot: NSS User Private Key and Certificate Services
| token: NSS Certificate DB
| -----------------------------------------------------------
| Passing a specific module name with the -list returns details information
| about the module itself, like supported cipher mechanisms, version
| numbers, serial numbers, and other information about the module and the
| token it is loaded on. For example:
| modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
| -----------------------------------------------------------
| Name: NSS Internal PKCS #11 Module
| Library file: \**Internal ONLY module*\*
| Manufacturer: Mozilla Foundation
| Description: NSS Internal Crypto Services
| PKCS #11 Version 2.20
| Library Version: 3.11
| Cipher Enable Flags: None
| Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
| Slot: NSS Internal Cryptographic Services
| Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
| Manufacturer: Mozilla Foundation
| Type: Software
| Version Number: 3.11
| Firmware Version: 0.0
| Status: Enabled
| Token Name: NSS Generic Crypto Services
| Token Manufacturer: Mozilla Foundation
| Token Model: NSS 3
| Token Serial Number: 0000000000000000
| Token Version: 4.0
| Token Firmware Version: 0.0
| Access: Write Protected
| Login Type: Public (no login required)
| User Pin: NOT Initialized
| Slot: NSS User Private Key and Certificate Services
| Slot Mechanism Flags: None
| Manufacturer: Mozilla Foundation
| Type: Software
| Version Number: 3.11
| Firmware Version: 0.0
| Status: Enabled
| Token Name: NSS Certificate DB
| Token Manufacturer: Mozilla Foundation
| Token Model: NSS 3
| Token Serial Number: 0000000000000000
| Token Version: 8.3
| Token Firmware Version: 0.0
| Access: NOT Write Protected
| Login Type: Login required
| User Pin: Initialized
| A related command, -rawlist returns information about the database
| configuration for the modules. (This information can be edited by loading
| new specs using the -rawadd command.)
| modutil -rawlist -dbdir sql:/home/my/sharednssdb
| name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix=
secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100
slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any
timeout=30 ] } Flags=internal,critical"
| Setting a Default Provider for Security Mechanisms
| Multiple security modules may provide support for the same security
| mechanisms. It is possible to set a specific security module as the
| default provider for a specific security mechanism (or, conversely, to
| prohibit a provider from supplying those mechanisms).
| modutil -default modulename -mechanisms mechanism-list
| To set a module as the default provider for mechanisms, use the -default
| command with a colon-separated list of mechanisms. The available
| mechanisms depend on the module; NSS supplies almost all common
| mechanisms. For example:
| modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
| Using database directory c:\databases...
| Successfully changed defaults.
| Clearing the default provider has the same format:
| modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
| Enabling and Disabling Modules and Slots
| Modules, and specific slots on modules, can be selectively enabled or
| disabled using modutil. Both commands have the same format:
| modutil -enable|-disable modulename [-slot slotname]
| For example:
| modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic
Services " -dbdir .
| Slot "NSS Internal Cryptographic Services " enabled.
| Be sure that the appropriate amount of trailing whitespace is after the
| slot name. Some slot names have a significant amount of whitespace that
| must be included, or the operation will fail.
| Enabling and Verifying FIPS Compliance
| The NSS modules can have FIPS 140-2 compliance enabled or disabled using
| modutil with the -fips option. For example:
| modutil -fips true -dbdir sql:/home/my/sharednssdb/
| FIPS mode enabled.
| To verify that status of FIPS mode, run the -chkfips command with either a
| true or false flag (it doesn't matter which). The tool returns the current
| FIPS setting.
| modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
| FIPS mode enabled.
| Changing the Password on a Token
| Initializing or changing a token's password:
| modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
| modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
| Enter old password:
| Incorrect password, try again...
| Enter old password:
| Enter new password:
| Re-enter new password:
| Token "Communicator Certificate DB" password changed successfully.
| JAR Installation File Format
| When a JAR file is run by a server, by modutil, or by any program that
| does not interpret JavaScript, a special information file must be included
| to install the libraries. There are several things to keep in mind with
| this file:
| o It must be declared in the JAR archive's manifest file.
| o The script can have any name.
| o The metainfo tag for this is Pkcs11_install_script. To declare
| meta-information in the manifest file, put it in a file that is passed
| to signtool.
| Sample Script
| For example, the PKCS #11 installer script could be in the file
| pk11install. If so, the metainfo file for signtool includes a line such as
| this:
| + Pkcs11_install_script: pk11install
| The script must define the platform and version number, the module name
| and file, and any optional information like supported ciphers and
| mechanisms. Multiple platforms can be defined in a single install file.
| ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
| Platforms {
| WINNT::x86 {
| ModuleName { "Example Module" }
| ModuleFile { win32/fort32.dll }
| DefaultMechanismFlags{0x0001}
| DefaultCipherFlags{0x0001}
| Files {
| win32/setup.exe {
| Executable
| RelativePath { %temp%/setup.exe }
| }
| win32/setup.hlp {
| RelativePath { %temp%/setup.hlp }
| }
| win32/setup.cab {
| RelativePath { %temp%/setup.cab }
| }
| }
| }
| SUNOS:5.5.1:sparc {
| ModuleName { "Example UNIX Module" }
| ModuleFile { unix/fort.so }
| DefaultMechanismFlags{0x0001}
| CipherEnableFlags{0x0001}
| Files {
| unix/fort.so {
| RelativePath{%root%/lib/fort.so}
| AbsolutePath{/usr/local/netscape/lib/fort.so}
| FilePermissions{555}
| }
| xplat/instr.html {
| RelativePath{%root%/docs/inst.html}
| AbsolutePath{/usr/local/netscape/docs/inst.html}
| FilePermissions{555}
| }
| }
| }
| IRIX:6.2:mips {
| EquivalentPlatform { SUNOS:5.5.1:sparc }
| }
| }
| Script Grammar
| The script is basic Java, allowing lists, key-value pairs, strings, and
| combinations of all of them.
| --> valuelist
| valuelist --> value valuelist
| <null>
| value ---> key_value_pair
| string
| key_value_pair --> key { valuelist }
| key --> string
| string --> simple_string
| "complex_string"
| simple_string --> [^ \\t\n\""{""}"]+
| complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
| Quotes and backslashes must be escaped with a backslash. A complex string
| must not include newlines or carriage returns.Outside of complex strings,
| all white space (for example, spaces, tabs, and carriage returns) is
| considered equal and is used only to delimit tokens.
| Keys
| The Java install file uses keys to define the platform and module
| information.
| ForwardCompatible gives a list of platforms that are forward compatible.
| If the current platform cannot be found in the list of supported
| platforms, then the ForwardCompatible list is checked for any platforms
| that have the same OS and architecture in an earlier version. If one is
| found, its attributes are used for the current platform.
| Platforms (required) Gives a list of platforms. Each entry in the list is
| itself a key-value pair: the key is the name of the platform and the value
| list contains various attributes of the platform. The platform string is
| in the format system name:OS release:architecture. The installer obtains
| these values from NSPR. OS release is an empty string on non-Unix
| operating systems. NSPR supports these platforms:
| o AIX (rs6000)
| o FREEBSD (x86)
| o HPUX (hppa1.1)
| o IRIX (mips)
| o LINUX (ppc, alpha, x86)
| o MacOS (PowerPC)
| o NCR (x86)
| o NEC (mips)
| o OSF (alpha)
| o SCO (x86)
| o SOLARIS (sparc)
| o SONY (mips)
| o SUNOS (sparc)
| o WINNT (x86)
| For example:
| IRIX:6.2:mips
| SUNOS:5.5.1:sparc
| Linux:2.0.32:x86
| WIN95::x86
| The module information is defined independently for each platform in the
| ModuleName, ModuleFile, and Files attributes. These attributes must be
| given unless an EquivalentPlatform attribute is specified.
| Per-Platform Keys
| Per-platform keys have meaning only within the value list of an entry in
| the Platforms list.
| ModuleName (required) gives the common name for the module. This name is
| used to reference the module by servers and by the modutil tool.
| ModuleFile (required) names the PKCS #11 module file for this platform.
| The name is given as the relative path of the file within the JAR archive.
| Files (required) lists the files that need to be installed for this
| module. Each entry in the file list is a key-value pair. The key is the
| path of the file in the JAR archive, and the value list contains
| attributes of the file. At least RelativePath or AbsolutePath must be
| specified for each file.
| DefaultMechanismFlags specifies mechanisms for which this module is the
| default provider; this is equivalent to the -mechanism option with the
| -add command. This key-value pair is a bitstring specified in hexadecimal
| (0x) format. It is constructed as a bitwise OR. If the
| DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
| RSA: 0x00000001
| DSA: 0x00000002
| RC2: 0x00000004
| RC4: 0x00000008
| DES: 0x00000010
| DH: 0x00000020
| FORTEZZA: 0x00000040
| RC5: 0x00000080
| SHA1: 0x00000100
| MD5: 0x00000200
| MD2: 0x00000400
| RANDOM: 0x08000000
| FRIENDLY: 0x10000000
| OWN_PW_DEFAULTS: 0x20000000
| DISABLE: 0x40000000
| CipherEnableFlags specifies ciphers that this module provides that NSS
| does not provide (so that the module enables those ciphers for NSS). This
| is equivalent to the -cipher argument with the -add command. This key is a
| bitstring specified in hexadecimal (0x) format. It is constructed as a
| bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults
| to 0x0.
| EquivalentPlatform specifies that the attributes of the named platform
| should also be used for the current platform. This makes it easier when
| more than one platform uses the same settings.
| Per-File Keys
| Some keys have meaning only within the value list of an entry in a Files
| list.
| Each file requires a path key the identifies where the file is. Either
| RelativePath or AbsolutePath must be specified. If both are specified, the
| relative path is tried first, and the absolute path is used only if no
| relative root directory is provided by the installer program.
| RelativePath specifies the destination directory of the file, relative to
| some directory decided at install time. Two variables can be used in the
| relative path: %root% and %temp%. %root% is replaced at run time with the
| directory relative to which files should be installed; for example, it may
| be the server's root directory. The %temp% directory is created at the
| beginning of the installation and destroyed at the end. The purpose of
| %temp% is to hold executable files (such as setup programs) or files that
| are used by these programs. Files destined for the temporary directory are
| guaranteed to be in place before any executable file is run; they are not
| deleted until all executable files have finished.
| AbsolutePath specifies the destination directory of the file as an
| absolute path.
| Executable specifies that the file is to be executed during the course of
| the installation. Typically, this string is used for a setup program
| provided by a module vendor, such as a self-extracting setup executable.
| More than one file can be specified as executable, in which case the files
| are run in the order in which they are specified in the script file.
| FilePermissions sets permissions on any referenced files in a string of
| octal digits, according to the standard Unix format. This string is a
| bitwise OR.
| user read: 0400
| user write: 0200
| user execute: 0100
| group read: 0040
| group write: 0020
| group execute: 0010
| other read: 0004
| other write: 0002
| other execute: 0001
| Some platforms may not understand these permissions. They are applied only
| insofar as they make sense for the current platform. If this attribute is
| omitted, a default of 777 is assumed.
| NSS Database Types
| NSS originally used BerkeleyDB databases to store security information.
| The last versions of these legacy databases are:
| o cert8.db for certificates
| o key3.db for keys
| o secmod.db for PKCS #11 module information
| BerkeleyDB has performance limitations, though, which prevent it from
| being easily used by multiple applications simultaneously. NSS has some
| flexibility that allows applications to use their own, independent
| database engine while keeping a shared database and working around the
| access issues. Still, NSS requires more flexibility to provide a truly
| shared security database.
| In 2009, NSS introduced a new set of databases that are SQLite databases
| rather than BerkleyDB. These new databases provide more accessibility and
| performance:
| o cert9.db for certificates
| o key4.db for keys
| o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
| in a new subdirectory in the security databases directory
| Because the SQLite databases are designed to be shared, these are the
| shared database type. The shared database type is preferred; the legacy
| format is included for backward compatibility.
| By default, the tools (certutil, pk12util, modutil) assume that the given
| security databases follow the more common legacy type. Using the SQLite
| databases must be manually specified by using the sql: prefix with the
| given security directory. For example:
| modutil -create -dbdir sql:/home/my/sharednssdb
| To set the shared database type as the default type for the tools, set the
| NSS_DEFAULT_DB_TYPE environment variable to sql:
| export NSS_DEFAULT_DB_TYPE="sql"
| This line can be set added to the ~/.bashrc file to make the change
| permanent.
| Most applications do not use the shared database by default, but they can
| be configured to use them. For example, this how-to article covers how to
| configure Firefox and Thunderbird to use the new shared NSS databases:
| o https://wiki.mozilla.org/NSS_Shared_DB_Howto
| For an engineering draft on the changes in the shared NSS databases, see
| the NSS project wiki:
| o https://wiki.mozilla.org/NSS_Shared_DB
| See Also
| certutil (1)
| pk12util (1)
| signtool (1)
| The NSS wiki has information on the new database design and how to
| configure applications to use it.
| o https://wiki.mozilla.org/NSS_Shared_DB_Howto
| o https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
| For information about NSS and other tools related to NSS (like JSS), check
| out the NSS project wiki at
|
[2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
| directly to NSS code changes and releases.
| Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
| IRC: Freenode at #dogtag-pki
| Authors
| The NSS tools were written and maintained by developers with Netscape, Red
| Hat, and Sun.
| Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
| <dlackey@redhat.com>.
| Copyright
| (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
| Visible links
| 1. JAR Installation File Format
| ``file:///tmp/xmlto.6gGxS0/modutil.pro...r-install-file``
| 2. https://www.mozilla.org/projects/security/pki/nss/
View git blame Copy permalink