I've seen various posts about people trying to export and import certificates from and to the NSS certificate store. I have some vague memories of questions asking whether or not platform specific cert stores could be used, but AFAIK there has been no real work done about this.
I'd like to know if anyone is actually working on this, or has maybe even gotten some sort of solution?
I understand several large organizations face big problems with software that ships with its own certificate stores, and would like to use the platform store for everything.
Heikki,

No point in being vague about this. Tell us what platform(s) and for each one, what store(s) you care about. Also, is your concern for CA certs, or a user's personal certs, or both?
NSS now ships with Solaris, and it isn't stretching the truth too much to say that NSS *IS* the platform cert store for Solaris. I gather the situation for Linux is somewhat similar (at least for certain distros). I'm not sure about the situation for Mac.
Windows has its own store. PKCS11 is a standard hammered out by Netscape and Microsoft back in '96 or '97 specifically for moving a user's personal certs from either one of their stores to the other. It's supported in Windows and in mozilla products, and by virtually every PKI software vendor. Windows can also export CA certs (IIRC), and mozilla can import them. moz doesn't yet export CA certs, but you don't seem to be calling for that.
Achieving a higher level of integration with a platform's cert store means writing a shared library for each platform that makes its cert store appear to be a PKCS11 module with a permanent "slot" and "token" that contains certs and trust objects, just as NSS's own "built-ins" module does now.
NSS provides a pretty complete source framework for developing such a thing. It contains all the parts needed for PKCS11, and just lacks the platform specific code. NSS's own "built in" root cert module is built on that framework, as proof of concept.
-- Nelson B

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
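A module of the kind described in the reply above serves an application's certificate lookups by matching PKCS #11 attribute templates against the objects on its token. The following C code is an added example, not code from the thread or from NSS: the types are minimal stand-ins for those in pkcs11.h, the two store entries are constructed, and `store_object`, `object_matches` and `find_objects` are hypothetical names.

```c
#include <string.h>

/* Minimal stand-ins for PKCS #11 types; a real module includes pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS       0x00UL
#define CKA_TOKEN       0x01UL
#define CKA_LABEL       0x03UL
#define CKO_CERTIFICATE 0x01UL

/* Hypothetical: one object the module exposes, as a bag of attributes. */
typedef struct { const CK_ATTRIBUTE *attrs; CK_ULONG n; } store_object;

static const CK_ULONG cls_cert = CKO_CERTIFICATE;
static const unsigned char ck_true = 1;

/* Constructed sample data standing in for entries read from a platform store. */
static const CK_ATTRIBUTE obj0[] = {
    { CKA_CLASS, &cls_cert, sizeof cls_cert },
    { CKA_TOKEN, &ck_true, 1 },
    { CKA_LABEL, "Example Root CA", 15 },
};
static const CK_ATTRIBUTE obj1[] = {
    { CKA_CLASS, &cls_cert, sizeof cls_cert },
    { CKA_TOKEN, &ck_true, 1 },
    { CKA_LABEL, "Example User Cert", 17 },
};
static const store_object store[] = { { obj0, 3 }, { obj1, 3 } };

/* An object matches when every template attribute is present with equal bytes. */
static int object_matches(const store_object *o, const CK_ATTRIBUTE *t, CK_ULONG tn) {
    for (CK_ULONG i = 0; i < tn; i++) {
        int found = 0;
        for (CK_ULONG j = 0; j < o->n && !found; j++)
            found = o->attrs[j].type == t[i].type &&
                    o->attrs[j].ulValueLen == t[i].ulValueLen &&
                    memcmp(o->attrs[j].pValue, t[i].pValue, t[i].ulValueLen) == 0;
        if (!found) return 0;
    }
    return 1; /* an empty template matches every object */
}

/* Fills out[] with handles (index + 1; 0 is the invalid handle) of matching objects. */
CK_ULONG find_objects(const CK_ATTRIBUTE *t, CK_ULONG tn, CK_ULONG *out, CK_ULONG max) {
    CK_ULONG count = 0;
    for (CK_ULONG i = 0; i < sizeof store / sizeof store[0] && count < max; i++)
        if (object_matches(&store[i], t, tn)) out[count++] = i + 1;
    return count;
}
```

In a real module this matching sits behind `C_FindObjectsInit` and `C_FindObjects`, and the attribute values come from the platform store's own API rather than static arrays.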
