linux: Refresh cert_management.md
- Use modern package manager invocations for Debian and Fedora.
- Remove section about Ubuntu Jaunty, released back in 2009.
- Update URLs that talk about certutil. The Oracle blog post is gone, so link to the archived version instead.
- Stop talking about an NSS bug fixed 11 years ago.

Change-Id: I965bb91214faed7506d2207421cd2ed165dc505e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3891024
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Auto-Submit: Raphael Kubo Da Costa <raphael.kubo.da.costa@intel.com>
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1046403}

committed by
Chromium LUCI CQ

parent
62996d889d
commit
92e0de2655
@ -14,8 +14,8 @@ the
|
||||
|
||||
### Get the tools
|
||||
|
||||
* Debian/Ubuntu: `sudo apt-get install libnss3-tools`
|
||||
* Fedora: `su -c "yum install nss-tools"`
|
||||
* Debian/Ubuntu: `sudo apt install libnss3-tools`
|
||||
* Fedora: `sudo dnf install nss-tools`
|
||||
* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
|
||||
emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
|
||||
prefix, e.g., `nsscertutil`.)
|
||||
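Review bot: The Gentoo bullet in this hunk still uses `su -c "..."` while the Debian and Fedora bullets now use `sudo`, so after the refresh the list mixes two ways of gaining root. Either convert the Gentoo line as well or say why it is the exception. Separately, `>> /etc/portage/package.use` only works when that path is a regular file; if it is a directory the append fails, so writing to a file underneath it would be more robust.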
@ -25,14 +25,6 @@ the
|
||||
|
||||
certutil -d sql:$HOME/.pki/nssdb -L
|
||||
|
||||
#### Ubuntu Jaunty error
|
||||
|
||||
Above (and most commands) gives:
|
||||
|
||||
certutil: function failed: security library: invalid arguments.
|
||||
|
||||
Package version 3.12.3.1-0ubuntu0.9.04.2
|
||||
|
||||
### List details of a certificate
|
||||
|
||||
certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
|
||||
@ -47,9 +39,9 @@ certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
|
||||
The TRUSTARGS are three strings of zero or more alphabetic characters, separated
|
||||
by commas. They define how the certificate should be trusted for SSL, email, and
|
||||
object signing, and are explained in the
|
||||
[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
|
||||
[certutil docs](https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html)
|
||||
or
|
||||
[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
|
||||
[Meena's blog post on trust flags](https://web.archive.org/web/20131212024426/https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
|
||||
|
||||
For example, to trust a root CA certificate for issuing SSL server certificates,
|
||||
use
|
||||
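Review bot: The replacement certutil docs link drops the fragment that the old URL carried (`#1034193`), so "are explained in the certutil docs" now sends readers to the top of the page instead of to the trust-argument description. Add the equivalent anchor if the new page has one, or name the option in the link text, for example "the `-t` option in the certutil docs". The trust-flags blog link now depends on one web.archive.org snapshot; since these flags decide what a certificate is trusted for, consider stating the meaning of the flags used below (`P`, `C`) directly in this paragraph so the guidance does not hinge on an archived third-party page.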
@ -73,11 +65,6 @@ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
|
||||
-i <certificate filename>
|
||||
```
|
||||
|
||||
This should work now, because
|
||||
[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
|
||||
to be fixed in a related bug report. If it doesn't work, then to work around
|
||||
the NSS bug, you have to trust it as a CA using the "C,," trust flags.
|
||||
|
||||
#### Add a personal certificate and private key for SSL client authentication
|
||||
|
||||
Use the command:
|
||||
|
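Review bot: With the NSS bug 531160 paragraph gone, nothing after the `-t "P,,"` command explains how it differs from `"C,,"`, which the deleted text offered as a workaround. Dropping the workaround is right, because `"C,,"` marks the certificate as a trusted CA rather than as a single trusted peer, which is far broader trust than a self-signed server certificate needs. One sentence saying that `"P,,"` trusts only this certificate and that `"C,,"` should be reserved for real CA certificates would keep readers who hit an import failure from falling back to the wider flag.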