Two new notes:

1) Extracting the root CA cert DB from FF3 manually (GUI + Select all)
to PEM works fine with
$ openssl s_client -verify 4 -connect 2>& 1 | egrep \
"Verify\ return\ code"
Verify return code: 0 (ok)

2) I'm unable to find the file system database that contains the root
CA, otherwise the process could be automated:

$ for a in $(certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ |
egrep -v "Nickname" | cut -f1 -d ' ' -s ); do certutil -L -d
~/.mozilla/firefox/3u995ypq.default/ -a -n "$a" > /tmp/"$a".pem; done


1) certutil(8) is awful and doesn't escape the DB "nick" column with
quotes, making it impossible to regex out the cert name.
2) In FC9 and FBSD7, neither /etc/pki/nssdb/ or
/usr/{local/share|lib64)/firefox-3.0.1 has the the certutil
format'd DB to automate the extract process from.

Anyway, the root CA DB doesn't change very often, so code can be written
around this for now.


On Wed, 11 Apr 2007, Brian A. Seklecki wrote:

> These scripts are great thank you very much to all involved who contributed
> (no e-mail address for 'mastrboy'). . I'm considering spending some time
> adding additional functionality:
> --
> In addition to simply parsing the date and comparing the date/time, I'd like
> to test the validity of the X.509 Cert against it's PKI infrastructure using
> the OpenSSL routines.
> I'm pretty sure that this can be accomplished by checking the result code of
> openssl 's_client' or 'verify'; both permit for -CApath and -CAfile.
> For internal PKI, this is pretty straightforward; just specify your
> organization's Root CA Cert.
> For public cert verification; it gets tricky because you have to take a
> certificate store like the Mozilla NSS/NSPR default and convert it into
> OpenSSL c_rehash format -- taking ideas on that here.
> Thoughts?
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)

-lava (Brian A. Seklecki - Pittsburgh, PA, USA)

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan

__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager