I am extending our application software to function as an LDAP/SSL client for login authentication. To do this, I have built the Mozilla LDAP C SDK 6.0.4 with NSS 3.11.9 and NSPR 4.7.
Obviously, our customers have to set up cert8.db and key3.db files that will trust the certificate of the LDAP server. In my development environment, certutil and pk12util do that quite nicely. But some customers may prefer to use a full-scale PKI instead in their production environments.

Also, in the NSS documentation at http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011987 I find the following warning:

    WARNING: The CA certificate you produce with the NSS tools is a self-signed certificate that works correctly for testing purposes but should not be used in a real-world deployment. Similarly, the client SSL and server SSL certificates created with the NSS tools are for testing purposes only. To deploy certificates used in a real public-key infrastructure (PKI), either use a third-party CA or use a certificate server (such as Netscape Certificate Management System) to set up your own CA and issue certificates. The Certificate Database Tool does not provide the facilities for a full-blown PKI deployment, and the certificates it creates should not be considered trustworthy for that purpose.

So I have two questions:

1 - If a customer wants to use some PKI software instead of certutil/pk12util to distribute and install server and/or client certificates, which versions of which PKI products should produce cert8.db and key3.db files that will work for SSL with NSS 3.11.9?

2 - Aside from issues of convenience and scalability, are there any security problems with using certutil and/or pk12util to build and maintain cert8.db and key3.db databases specifically for an LDAP/SSL client? (We do not supply the LDAP/SSL server, so users will presumably get their certificates from some CA and/or use some other tools to create them.)

Dennis Darch
SofTech, Inc.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
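The client-side trust-store setup the post describes, as an added example (not code from the original post or from the NSS project): it builds a cert8.db/key3.db pair that trusts only the CA which issued the LDAP server's certificate, with the narrowest trust flags, and then validates the server certificate for SSL server usage before deployment. It assumes certutil is on PATH, that certutil accepts an empty password file via -f, and that LDAP_CA_PEM / LDAP_SERVER_PEM are placeholder paths to the CA and server certificates in PEM form.

```shell
#!/bin/sh
# Added example for an LDAP/SSL client's NSS trust store (not code from the
# original post). Assumes certutil (NSS tools) is on PATH; LDAP_CA_PEM and
# LDAP_SERVER_PEM are placeholder paths supplied by the operator.
set -e

# Create an empty cert8.db/key3.db pair in DBDIR with an empty DB password
# (passed through -f so certutil does not prompt interactively).
nss_client_db_init() {
  dbdir=$1
  mkdir -p "$dbdir"
  : > "$dbdir/pw.txt"
  certutil -N -d "$dbdir" -f "$dbdir/pw.txt"
}

# Import the issuing CA with trust "C,," only: trusted to issue SSL server
# certificates, but not client certs (T), S/MIME (2nd slot) or code signing
# (3rd slot). Do not import the server cert itself with "P,," (trusted peer):
# that makes NSS accept it without chain, validity or revocation checks.
nss_client_trust_ca() {
  dbdir=$1; nick=$2; ca_pem=$3
  certutil -A -d "$dbdir" -n "$nick" -t "C,," -a -i "$ca_pem"
}

# Validate the server certificate the way the SSL handshake will:
# -u V = SSL server usage, -e = verify the signature chain.
# The function's status is certutil's, so the caller can stop a rollout
# whose trust store does not actually validate the LDAP server.
nss_client_check_server() {
  dbdir=$1; nick=$2; server_pem=$3
  certutil -A -d "$dbdir" -n "$nick" -t ",," -a -i "$server_pem"
  certutil -V -d "$dbdir" -n "$nick" -u V -e
}

# List nicknames with their trust column; the CA line should read "C,,"
# and the server certificate ",," (no trust of its own).
nss_client_list() {
  certutil -L -d "$1"
}
```

Run `nss_client_list` after provisioning and treat any extra trust letters (T, P, or anything in the e-mail and object-signing slots) as a misconfiguration to correct.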