From Fedora Project Wiki

This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

Testing out system NSS.

Part 1: enabling system NSS:

In Fedora 12, system NSS is available, but not enabled. A script automatically enables system NSS for you when you install system-nss 1) Creates sql db's from the local dbm database. 2) Changes /etc/pki/nssdb/pkcs11.txt as follows:

 2a) stanza with NSS Internal PKCS #11 Module, changes from:
   library=
 to
   library=libnsssysinit.so
 2b) in the same stanza, on the NSS= changes the Flags from:
   Flags=internal,critical
 to
   Flags=internal,moduleDBOnly,critical
 2c) Note, there are no spaces in the library= line, nor any spaces between the flags.

3) Add to your ~/.bashrc (or your ~/.cshrc):

   export NSS_DEFAULT_DB_TYPE=sql
  [ for csh/tcsh that would be setenv 'NSS_DEFAULT_DB_TYPE sql' ]

4) A yourself (not as root!!!) execute

 certutil -N -d sql:/etc/pki/nssdb

If you supply a password, this password will eventually become your new firefox/thunderbird master password.

Part 2: convince Firefox, Seamonkey, Xulrunner and Thunderbird to use system NSS. Firefox and Thunderbird still use private directories to store their NSS databases. It's possible, however, to convince them to open system NSS. All these steps should be performed as a user. In the future these applications would handle these steps by themselves automatically.

Do each of the following steps in each of the profile directories for which you wish to use system NSS in. Firefox, Thunderbird, and Seamonkey each have their own directories and can have multiple profiles (if you don't know what a profile is, you probably only have one per application). You can find the base of the profile directories for firefox at ~/.mozilla/firefox and thunderbird at ~/.thunderbird. In that base directory there is a file called 'profiles.ini' which lists all the profiles that are known for that application. For each profile there's a line called 'Path=' which points to the actual profile directory. Usually it's a subdirectory under the current directory and has a random 'salted' name like 'quxz7me5.default'. do the following instructions while cd'd to that directory:

1) certutil -K -X -d sql:.

  (if you have a master password set, You'll have to provide it here). This will create a new sql database from your old dbm database.

2) certutil --merge -d sql:~/.pki/nssdb --source-dir sql:.

  (if you have a password set on sql:~/.pki/nssdb (from step 4 above), You'll have to provide it here. If that password is different from the master password for the profile, you'll also have to supply the profile password. If ~/.pki/nssdb has to password, but the profile database does, ~/.pki/nssdb will inherit that password (which you will then need on future instances of this step). If you want to change that password use 'certutil -N -d sql:~/.pki/nssdb'. Supplying an empty password will remove any password.

2) edit pkcs11.txt

  2a) in the 'NSS Internal PKCS #11 Module' stanza. change:
   parameters=configdir='/home/{you}/.mozilla/firefox/quxy6me8.default' ..... Flags=internal,critical
     to
   parameters="configdir='sql:/etc/pki/nssdb' ..... Flags=internal,critical,moduleDBOnly"
  NOTE: the ... represents a very long string of parameters that should remain the same. Note the addition of the double quotes around the parameters. This tells NSS to use the parameters as given and now rebuild them based on application input.
  2b) save pkcs11.txt

3) Make sure you set NSS_DEFAULT_DB_TYPE to sql in your environment before you start FF or TB

Restoring your system to the old databases: Simply unset the NSS_DEFAULT_DB_TYPE variable and all your applications will fall back to their former dbm style database

4) Import a certificate into the system database (as root). For example:

# curl -k https://www.cacert.org/certs/root.crt > cacert.crt
# setup-nsssysinit off
# certutil -d /etc/pki/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
# setup-nsssysinit on

Note that the fact that you have to turn the sysinit module off to import into the system database is probably a bug.

5) Start firefox and check that you can receive https://www.cacert.org/ without SSL warnings.