[openssl-dev] OpenSSL and certain PEM formats
Kurt Roeckx
kurt at roeckx.be
Sun Dec 21 16:33:42 UTC 2014
On Sat, Dec 20, 2014 at 02:29:44PM +0000, Dr. Stephen Henson wrote:
> On Fri, Dec 19, 2014, Sean Leonard wrote:
>
> >
> > On Dec 19, 2014, at 11:35 AM, Kurt Roeckx <kurt at roeckx.be> wrote:
> >
> > > On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote:
> > >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
> > >>
> > >>> Does OpenSSL have documented someplace exactly what it means to have a
> > >>> "TRUSTED CERTIFICATE"?
> > >>
> > >> It is a certificate + auxiliary data which specifies a friendly name
> > >> plus a set of EKUs.
> > >
> > > Mozilla provides a list of root certificates and that includes at
> > > least the trust settings for that certificate.
> >
> > What exactly is the Mozilla (NSS) format? How does it differ from the OpenSSL format?
> >
>
> The last time I checked NSS stored the trust data in a database (Berkeley DB)
> and the trust attributes could be accessed via PKCS#11. I'm not aware of any
> way to export the certificates to a file which retains the trust settings.
>
> I'm not aware of any standard for trust settings. There certainly wasn't
> one when this was added to OpenSSL.
The source is actually a text file you can see here:
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
As far as I know they turn the file into a database, not the other
way around.
Kurt
More information about the openssl-dev
mailing list