NSS

From Dogtag

Certificate Trust Flags

Flag  Attributes
C     TRUSTED_CA, VALID_CA
T     TRUSTED_CLIENT_CA, VALID_CA
c     VALID_CA
P     TRUSTED, TERMINAL_RECORD
p     TERMINAL_RECORD
u     USER
w     SEND_WARN
I     INVISIBLE_CA
G     GOVT_APPROVED_CA

See PKCS12.encodeFlags() and PKCS12.decodeFlags().
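The table above maps single flag letters to attributes, but in practice the flags arrive as a certutil-style trust string with three comma-separated fields (SSL, email, object signing), such as "CT,C,C". The following POSIX sh script, added here as an illustration and not code from the Dogtag wiki or from JSS, decodes one field character by character using the table, reports each attribute once (C and T both imply VALID_CA), rejects unknown letters, and then decodes a full three-field string. The function names and the sample strings are the example's own.

```shell
# Added example (not from the Dogtag wiki or JSS): decode NSS trust-flag
# strings into the attribute names from the table above. POSIX sh only.

# Decode one trust field, e.g. "CT" -> "TRUSTED_CA VALID_CA TRUSTED_CLIENT_CA".
# Returns 1 on a letter that is not in the table.
nss_decode_trust() {
    tf_rest=$1; tf_out=""
    while [ -n "$tf_rest" ]; do
        tf_c=${tf_rest%"${tf_rest#?}"}   # first character of the remainder
        tf_rest=${tf_rest#?}             # drop it
        case $tf_c in
            C) tf_a="TRUSTED_CA VALID_CA" ;;
            T) tf_a="TRUSTED_CLIENT_CA VALID_CA" ;;
            c) tf_a="VALID_CA" ;;
            P) tf_a="TRUSTED TERMINAL_RECORD" ;;
            p) tf_a="TERMINAL_RECORD" ;;
            u) tf_a="USER" ;;
            w) tf_a="SEND_WARN" ;;
            I) tf_a="INVISIBLE_CA" ;;
            G) tf_a="GOVT_APPROVED_CA" ;;
            *) echo "nss_decode_trust: unknown trust flag '$tf_c'" >&2; return 1 ;;
        esac
        tf_out="$tf_out $tf_a"
    done
    # C and T both imply VALID_CA: report each attribute once, in the order seen.
    printf '%s\n' $tf_out | awk 'NF && !seen[$0]++' | paste -s -d ' ' -
}

# Decode a full certutil trust string "<ssl>,<email>,<objsign>" (e.g. "CT,C,C"),
# printing one "usage: attributes" line per field. Missing fields decode to an
# empty attribute list; an invalid letter anywhere fails the whole string.
nss_decode_trust_string() {
    ts_ifs=$IFS; IFS=,
    set -- $1
    IFS=$ts_ifs
    ts_ssl=${1:-}; ts_email=${2:-}; ts_obj=${3:-}
    for ts_pair in "ssl=$ts_ssl" "email=$ts_email" "objsign=$ts_obj"; do
        ts_attrs=$(nss_decode_trust "${ts_pair#*=}") || return 1
        printf '%s: %s\n' "${ts_pair%%=*}" "$ts_attrs"
    done
}

# Demo with a constructed trust string: a CA trusted for SSL client and
# server auth, email and object signing.
nss_decode_trust_string "CT,C,C"
```

The three-field layout is certutil's convention for its -t argument; PKCS12.encodeFlags() and PKCS12.decodeFlags() deal with one field at a time, which is what nss_decode_trust does.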

Debugging

Installing NSS debug packages

$ yum install yum-utils
$ debuginfo-install nss

Enabling NSS debug logs

The NSS security libraries provide the cryptographic foundation on which all Dogtag services are built. This section shows how to trace NSS (PKCS #11) operations in a Dogtag client tool or in the Dogtag server.

Find the name of the PKCS #11 module:

$ modutil -list -nocertdb -dbdir /var/lib/pki/pki-tomcat/alias

To debug a client tool (for example certutil or the pki CLI), export the following environment variables before running it:

$ export NSPR_LOG_MODULES="all:5"
$ export NSPR_LOG_FILE="/tmp/pkcs11.log"
$ export NSS_DEBUG_PKCS11_MODULE="NSS Internal PKCS #11 Module"

To debug the server, specify the environment variables in /etc/sysconfig/pki-tomcat:

NSPR_LOG_MODULES="all:5"
NSPR_LOG_FILE="/tmp/pki-tomcat.log"
NSS_DEBUG_PKCS11_MODULE="NSS Internal PKCS #11 Module"

Then start the server, or restart it if it is already running, so that the new environment is picked up:

$ systemctl start pki-tomcatd@pki-tomcat.service

The log messages are written to the specified log file. The file is created by the server process, so its directory must be writable by the service account; all:5 tracing is also very verbose and records every call into the named PKCS #11 module, so remove the variables from /etc/sysconfig/pki-tomcat and restart once the problem has been diagnosed.
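The client-side procedure above, as an added POSIX sh example that is not code from the Dogtag wiki: it picks the module names out of modutil -list output and wraps a command with the three tracing variables. The modutil listing embedded here is a constructed, abridged copy of the tool's output so the script runs offline; the "Example HSM Module" entry, its library path and the function names are invented for the demonstration.

```shell
# Added example, not code from the Dogtag wiki: discover PKCS #11 module names
# and run an NSS client command with the tracing variables described above.
# On a real system the module list comes from
#   modutil -list -nocertdb -dbdir /var/lib/pki/pki-tomcat/alias
# The copy below is constructed and abridged so the script runs offline; the
# "Example HSM Module" entry is invented for the demonstration.
sample_modutil_output() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Example HSM Module
  library name: /usr/lib64/libexamplehsm.so
         slots: 1 slot attached
        status: loaded

         slot: Example HSM Slot
        token: example-token
-----------------------------------------------------------
EOF
}

# Extract module names from modutil -list output: the numbered "  1. <name>" lines.
nss_module_names() {
    sed -n 's/^ *[0-9][0-9]*\. //p'
}

# Run a command with PKCS #11 tracing for one module.
# Usage: nss_debug_run <logfile> <module name> <command> [args...]
nss_debug_run() {
    dbg_log=$1; dbg_module=$2; shift 2
    env NSPR_LOG_MODULES="all:5" \
        NSPR_LOG_FILE="$dbg_log" \
        NSS_DEBUG_PKCS11_MODULE="$dbg_module" \
        "$@"
}

# Demo: trace the first listed module. Replace the sh -c ... command with the
# real client, e.g. certutil -L -d /var/lib/pki/pki-tomcat/alias
dbg_first=$(sample_modutil_output | nss_module_names | head -n 1)
nss_debug_run /tmp/pkcs11.log "$dbg_first" \
    sh -c 'echo "tracing \"$NSS_DEBUG_PKCS11_MODULE\" into $NSPR_LOG_FILE"'
```

For the server the same three assignments go into /etc/sysconfig/pki-tomcat as shown above instead of being passed through env; the module name is the only part that changes when an HSM rather than the internal softoken is being traced.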


Database Type

NSS supports two database formats:

  • dbm: the legacy Berkeley DB format (cert8.db, key3.db, secmod.db)
  • sql: the SQLite format (cert9.db, key4.db, pkcs11.txt)

The default format is taken from the NSS_DEFAULT_DB_TYPE environment variable (dbm or sql). A directory can also be opened in a specific format regardless of the default by prefixing the -d argument of the NSS tools with dbm: or sql:.
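Because the format a tool opens depends on the environment, it is worth checking what a directory actually holds before passing it to certutil or modutil. The following POSIX sh script, added here as an illustration and not code from the Dogtag wiki, does that from the file names NSS uses for each format and builds an explicit dbm: or sql: argument so the tool no longer depends on NSS_DEFAULT_DB_TYPE; it also reports directories that hold both sets of files (left behind by an incomplete migration) or neither. The function names and the temporary directories in the demo are the example's own.

```shell
# Added example (not from the Dogtag wiki): detect which NSS database format a
# directory holds and build the matching "dbm:" / "sql:" prefix for the NSS
# tools' -d argument. The file names (cert8.db/key3.db for dbm, cert9.db/key4.db
# for sql) are NSS's own; the directories created in the demo are constructed.

# Print dbm, sql, both, or none for the given directory.
nss_db_type() {
    db_dbm=0; db_sql=0
    if [ -f "$1/cert8.db" ] || [ -f "$1/key3.db" ]; then db_dbm=1; fi
    if [ -f "$1/cert9.db" ] || [ -f "$1/key4.db" ]; then db_sql=1; fi
    case "$db_dbm$db_sql" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Build an explicit -d value, e.g. sql:/var/lib/pki/pki-tomcat/alias.
# When the directory is ambiguous (both) or empty (none), fall back to
# NSS_DEFAULT_DB_TYPE if it is set, otherwise fail rather than guess.
nss_db_arg() {
    db_fmt=$(nss_db_type "$1")
    case $db_fmt in
        dbm|sql) echo "$db_fmt:$1" ;;
        *)
            if [ -n "${NSS_DEFAULT_DB_TYPE:-}" ]; then
                echo "$NSS_DEFAULT_DB_TYPE:$1"
            else
                echo "nss_db_arg: $1 holds '$db_fmt' database files and NSS_DEFAULT_DB_TYPE is unset" >&2
                return 1
            fi ;;
    esac
}

# Demo on two constructed directories, one per format.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/legacy" "$demo_dir/modern"
touch "$demo_dir/legacy/cert8.db" "$demo_dir/legacy/key3.db" "$demo_dir/legacy/secmod.db"
touch "$demo_dir/modern/cert9.db" "$demo_dir/modern/key4.db" "$demo_dir/modern/pkcs11.txt"
nss_db_arg "$demo_dir/legacy"   # dbm: prefix
nss_db_arg "$demo_dir/modern"   # sql: prefix
rm -rf "$demo_dir"
```

The resulting value can be passed straight to -d, which makes scripts that manage a Dogtag alias directory behave the same whatever NSS_DEFAULT_DB_TYPE the caller has exported.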

See also Changes/NSSDefaultFileFormatSql.
