[Swan-dev] NSS update
Paul Wouters
paul at nohats.ca
Wed Mar 4 20:28:34 EET 2015
So Bob told me:
- Don't use merge to update the database. Just call certutil (-x ?).
Anything that opens the db in readwrite will cause the update
(you need to run it twice due to the merge of different locations/db)
This assumes we keep our nss db in /etc/ipsec.d, which I think is
where we should leave the new db
- All db's opened are within the same trust domain, so a helper opening
another db does not actually contain any CAs to that db. So we don't
gain anything by using a separate db in /var/lib/ipsec.
- Use the pkix interface instead of the generic one for certificate
validation, and you can give it the CA to use and other CAs won't
get picked up.
- no easy way to store crl/ocsp "separately" so for now I think we
should just stick to being okay to lose it over restarts. We _could_
think of loading /etc/ipsec.d/crls/* into the "cached db" overlay
to keep that functionality (I think it is common to use a file and
scp, not a URI, for smaller deployments)
Paul
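A small check to go with the upgrade point above, added here as an example and not part of the original post or of libreswan: NSS keeps the legacy "dbm" store as cert8.db/key3.db and the newer "sql" store as cert9.db/key4.db in the same directory, so inspecting which files exist tells you whether a read-write open with the sql: prefix has already produced the new database. The directory layout and file names are NSS conventions; the sample directories the script creates are constructed for the demo, and /etc/ipsec.d is the location the post assumes.

```shell
#!/bin/sh
# Report which NSS database format(s) live in a directory.
#   legacy "dbm" store: cert8.db, key3.db (plus secmod.db)
#   newer  "sql" store: cert9.db, key4.db (plus pkcs11.txt)
# Per the post, any tool that opens sql:<dir> read-write triggers the
# upgrade; the legacy files are left in place, so "both" is expected
# right after an upgrade, while "dbm" means it has not happened yet.
nss_db_format() {
    dir=$1
    legacy=0
    sql=0
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && legacy=1
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=1
    case "$legacy$sql" in
        11) echo both ;;
        10) echo dbm ;;
        01) echo sql ;;
        *)  echo none ;;
    esac
}

# Directory argument to hand to NSS tools (certutil -d, crlutil -d) so the
# sql store is used; "dbm" falls back to the legacy prefix.
nss_db_arg() {
    case "$(nss_db_format "$1")" in
        dbm)  echo "dbm:$1" ;;
        none) echo "sql:$1" ;;   # nothing there yet: create as sql
        *)    echo "sql:$1" ;;
    esac
}

# Demo on constructed directories (not real IPsec databases).
demo_nss_db_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/legacy" "$tmp/upgraded" "$tmp/fresh"
    touch "$tmp/legacy/cert8.db"   "$tmp/legacy/key3.db"
    touch "$tmp/upgraded/cert8.db" "$tmp/upgraded/key3.db"
    touch "$tmp/upgraded/cert9.db" "$tmp/upgraded/key4.db"
    for d in legacy upgraded fresh; do
        printf '%-9s format=%-5s arg=%s\n' "$d" \
            "$(nss_db_format "$tmp/$d")" "$(nss_db_arg "$tmp/$d")"
    done
    rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced for tests.
[ "${NSS_DB_CHECK_DEMO:-1}" = 1 ] && demo_nss_db_check
```

Run it with no arguments for the demo, or source it and call `nss_db_format /etc/ipsec.d` on a real host to see whether the pluto database has been converted; the script itself never writes to an NSS database.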