- This page is part of the SSL Reference that we are migrating into the format described in the MDN Style Guide. If you are inclined to help with this migration, your help would be very much appreciated.
- Upgraded documentation may be found in the Current NSS Reference
Getting Started With SSL
Chapter 2
Getting Started With SSL
This chapter describes how to set up your environment, including certificate and key databases.
SSL, PKCS #11, and the Default Security Databases
Setting Up the Certificate and Key Databases
Building NSS Programs
SSL, PKCS #11, and the Default Security Databases
The basic relationships among the NSS libraries are described in Introduction to Network Security Services. Before running the sample programs, it's important to understand the relationships between the SSL interface, the PKCS #11 interface, PKCS #11 modules, and the default Netscape security databases.
Figure 2.1 illustrates the relationships between NSPR, SSL, PKCS #11, and the available cryptographic modules. SSL is built on top of NSPR, which handles sockets, threads, and related low-level OS operations. On any given server or client, one or more PKCS #11 modules may be available.
Figure 2.1 Relationships among NSS libraries, cryptographic modules, slots, and tokens
Netscape provides three built-in modules with NSS and with server and client products:
- The default Netscape Internal PKCS #11 Module comes with two built-in tokens:
- The Generic Crypto Services token performs all cryptographic operations, such as encryption, decryption, and hashing.
- The Communicator Certificate DB token handles all communication with the certificate and key database files (called
cert
X.db
andkey
X.db
, respectively, where X is a version number) that store certificates and keys.
- The FORTEZZA module is intended for use with FORTEZZA hardware tokens.
- The FIPS 140-1 module is compliant with the FIPS 140-1 government standard for implementations of cryptographic modules. Many products sold to the U.S. government must comply with one or more of the FIPS standards. The FIPS 140-1 module includes a single, built-in FIPS 140-1 Certificate DB token (see Figure 2.1), which handles both cryptographic operations and communication with the
cert
X.db
andkey
X.db
files.
Setting Up the Certificate and Key Databases
Setting Up the CA DB and Certificate
Setting Up the Server DB and Certificate
Setting Up the Client DB and Certificate
Verifying the Server and Client Certificates
WARNING: The instructions below illustrate the use of NSS command line tools to operate a simple root Certificate Authority for test purposes only. The CA, SSL server and SSL client certificates produced by these instructions work correctly for short term testing purposes. Although it is possible to use NSS command line tools to operate a proper CA, these instructions do not provide nearly enough understanding of the many considerations required to competently operate a CA. The NSS teams strongly recommends that users should not attempt to operate a CA for use in mission critical production business uses using NSS's command line tools, nor with the simple command line test tools that come with any package of cryptographic libraries. Many who have attempted it have eventually come to regret that decision. For production deployment, the NSS team strongly recommends that you either:
- Use certificates from a competent third-party CA that is already known to your relying party software (e.g. your SSL clients), or
- Use professional grade CA software, such as Red Hat's Dogtag Certificate System, to set up and operate your own CA and issue your own certificates.
For complete information about the command-line options used in the examples that follow, see Using the Certificate Database Tool.
Setting Up the CA DB and Certificate
Set up the CA with its own separate set of databases.
- Create a new certificate database in the
CA_db
directory.
>mkdir CA_db
>certutil -N -d CA_db - Create the self-signed Root CA certificate, specifying the subject name for the certificate.
>certutil -S -d CA_db -n "MyCo's Root CA" -s "CN=My CA,O=MyCo,ST=California,C=US" -t "CT,," -x -2
Enter Password or Pin for "Communicator Certificate DB": - Extract the CA certificate from the CA's certificate database to a file.
>certutil -L -d CA_db -n "MyCo's Root CA" -a -o CA_db/rootca.crt
Enter Password or Pin for "Communicator Certificate DB": - Display the contents of the CA's certificate databases.
>certutil -L -d CA_db
Setting Up the Server DB and Certificate
The sections that follow describe how to set up the Server DB and certificate:
- Create a new certificate database in the
server_db
directory.
>mkdir server_db
>certutil -N -d server_db - Import the new CA certificate into the server's certificate database, and mark it trusted for issuing certificates for SSL client and server authentication.
>certutil -A -d server_db -n "MyCo's Root CA" -t "TC,," -a -i CA_db/rootca.crt
- Create the server certificate request, specifying the subject name for the server certificate. We make the common name (CN) be identical to the hostname of the server. Note that this step generates the server's private key, so it must be done in the server's database directory.
>certutil -R -d server_db -s "CN=myco.mcom.org,O=MyCo,ST=California,C=US" -a -o server_db/server.req
Enter Password or Pin for "Communicator Certificate DB": - This step simulates the CA signing and issuing a new server certificate based on the server's certificate request. The new cert is signed with the CA's private key, so this operation uses the CA's databases. This step leaves the server's new certificate in a file.
>certutil -C -d CA_db -c "MyCo's Root CA" -a -i server_db/server.req -o server_db/server.crt -2 -6
Enter Password or Pin for "Communicator Certificate DB": - Import (Add) the new server certificate to the server's certificate database in the
server_db
directory with the appropriate nickname. Notice that no trust is explicitly needed for this certificate.
>certutil -A -d server_db -n myco.mcom.org -a -i server_db/server.crt -t ",,"
- Display the contents of the server's certificate databases.
>certutil -L -d server_db
Setting Up the Client DB and Certificate
Setting up the client certificate database involves three stages:
- Create a new certificate database in the
client_db
directory.
>mkdir client_db
>certutil -N -d client_db - Import the new CA certificate into the client's certificate database, and mark it trusted for issuing certificates for SSL client and server authentication.
>certutil -A -d client_db -n "MyCo's Root CA" -t "TC,," -a -i CA_db/rootca.crt
- Create the client certificate request, specifying the subject name for the certificate.
>certutil -R -d client_db -s "CN=Joe Client,O=MyCo,ST=California,C=US" -a -o client_db/client.req
Enter Password or Pin for "Communicator Certificate DB": - This step simulates the CA signing and issuing a new client certificate based on the client's certificate request. The new cert is signed with the CA's private key, so this operation uses the CA's databases. This step leaves the client's new certificate in a file.
>certutil -C -d CA_db -c "MyCo's Root CA" -a -i client_db/client.req -o client_db/client.crt -2 -6
Enter Password or Pin for "Communicator Certificate DB": - Add the new client certificate to the client's certificate database in the
client_db
directory with the appropriate nickname. Notice that no trust is required for this certificate.
>certutil -A -d client_db -n "Joe Client" -a -i client_db/client.crt -t ",,"
- Display the contents of the client's certificate databases.
>certutil -L -d client_db
Verifying the Server and Client Certificates
>certutil -V -d server_db -u V -n myco.mcom.org
certutil: certificate is valid
>certutil -V -d client_db -u C -n "Joe Client"
certutil: certificate is valid
Building NSS Programs
-c -O2 -MD -W3 -nologo -D_X86_ -GT -DWINNT -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG -DWIN32 -D_WINDOWS