This README file explains how to add a builtin root CA certificate to NSS or remove a builtin root CA certificate from NSS. The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 module. The sources to the nssckbi module are in this directory. I. Adding a Builtin Root CA Certificate You need to use the addbuiltin command-line tool to add a root CA certificate to the nssckbi module. In the procedure described below, we assume that the new root CA certificate is distributed in DER format in the file newroot.der. 1. Add the directory where the addbuiltin executable resides to your PATH environment variable. Then, add the directory where the NSPR and NSS shared libraries (DLLs) reside to the platform-specific environment variable that specifies your shared library search path: LD_LIBRARY_PATH (most Unix variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). 2. Copy newroot.der to this directory. 3. In this directory, run addbuiltin to add the new root certificate. The argument to the -n option should be replaced by the nickname of the root certificate. % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der \ >> certdata.txt 4. Edit nssckbi.h to bump the version of the module. 5. Run gmake in this directory to build the nssckbi module. 6. After you verify that the new nssckbi module is correct, check in certdata.txt and nssckbi.h. II. Removing a Builtin Root CA Certificate 1. Change directory to this directory. 2. Edit certdata.txt and remove the root CA certificate. 3. Edit nssckbi.h to bump the version of the module. 4. Run gmake in this directory to build the nssckbi module. 5. After you verify that the new nssckbi module is correct, check in certdata.txt and nssckbi.h. III. Scheduling a Distrust date for Server/TLS or Email certificates issued by a CA For each Builtin Root CA Certificate we have the Trust Bits to know what kind of certificates issued by this CA are trusted: Server/TLS, E-mail or S/MIME. Sometimes a CA discontinues support for a particular kind of certificate, but will still issue other kinds. For instance, they might cease support for email certificates but continue to provide server certificates. In this scenario, we have to disable the Trust Bit for this kind of certificate when the last issued certificate expires. Between the last expired certificate date and the change and propagation of this respective Trust Bit, could have a undesired gap. So, in these situations we can set a Distrust Date for this Builtin Root CA Certificate. Clients should check the distrust date in certificates to avoid trusting a CA for service they have ceased to support. A distrust date is a timestamp in unix epoch, encoded in DER format and saved in certdata.txt. These fields are defined at the "Certificate" entries of certdata.txt, in a MULTILINE_OCTAL format. By default, for readability purpose, these fields are set as a boolean CK_FALSE and will be ignored when read. 1. Create the timestamp for the desired distrust date. An easy and practical way to do this is using the date command. % date -d "2019-07-01 00:00:00 UTC" +%s The result should be something like: 1561939200 2. Then, run the addbuiltin -d to verify the timestamp and do the right conversions. The -d option takes the timestamp as an argument, which is interpreted as seconds since unix epoch. The addbuiltin command will show the result in the stdout, as it should be inserted in certdata.txt. % addbuiltin -d 1561939200 The result should be something like this: The timestamp represents this date: Mon Jul 01 00:00:00 2019 Locate the entry of the desired certificate in certdata.txt Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE And override with the following respective entry: # For Server Distrust After: Mon Jul 01 00:00:00 2019 CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL \061\071\060\067\060\061\060\060\060\060\060\060\132 END # For Email Distrust After: Mon Jul 01 00:00:00 2019 CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL \061\071\060\067\060\061\060\060\060\060\060\060\132 END 3. Edit the certdata.txt, overriding the desired entry for the desired CA, as the instructions generated by the previous command. 4. If necessary, increment the version counter NSS_BUILTINS_LIBRARY_VERSION_MINOR in nssckbi.h. 5. Build the nssckbi module. 6. A good way to test is with certutil: % certutil -L -d $DBDIR -n "Builtin Object Token:"