[Swan-dev] NSS update

Paul Wouters paul at nohats.ca
Wed Mar 4 20:28:34 EET 2015

So Bob told me:

- Don't use merge to update the database. Just call certutil (-x ?).
   Anything that opens the db in readwrite will cause the update
   (you need to run it twice due to the merge of different locations/db)
   This assumes we keep our nss db in /etc/ipsec.d, which I think is
   where we should leave the new db

- All dbs opened are within the same trust domain, so a helper opening
   another db does not actually contain any CAs to that db. So we don't
   gain anything by using a separate db in /var/lib/ipsec.

- Use the pkix interface instead of the generic one for certificate
   validation, and you can give it the CA to use and other CAs won't
   get picked up.

- no easy way to store crl/ocsp "separately" so for now I think we
   should just stick to being okay to lose it over restarts. We _could_
   think of loading /etc/ipsec.d/crls/* into the "cached db" overlay
   to keep that functionality (I think it is common to use a file and
   scp, not a URI, for smaller deployments)


