From 9ad0b80e3aa9a27debed76c5c3749c296c4f4a2a Mon Sep 17 00:00:00 2001 From: "wtc%netscape.com" Date: Mon, 2 Jun 2003 23:16:51 +0000 Subject: [PATCH] Bug 207379: added instructions for removing a builtin root CA cert from NSS. --- security/nss/lib/ckfw/builtins/README | 28 +++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/security/nss/lib/ckfw/builtins/README b/security/nss/lib/ckfw/builtins/README index 1533420bd806..16529badb930 100644 --- a/security/nss/lib/ckfw/builtins/README +++ b/security/nss/lib/ckfw/builtins/README @@ -1,8 +1,13 @@ -This README file explains how to add a builtin root CA certificate to NSS. +This README file explains how to add a builtin root CA certificate to NSS +or remove a builtin root CA certificate from NSS. + The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 -module. The sources to the nssckbi module are in this directory. You need -to use the addbuiltin command-line tool to add a root CA certificate to -the nssckbi module. In the procedure described below, we assume that the +module. The sources to the nssckbi module are in this directory. + +I. Adding a Builtin Root CA Certificate + +You need to use the addbuiltin command-line tool to add a root CA certificate +to the nssckbi module. In the procedure described below, we assume that the new root CA certificate is distributed in DER format in the file newroot.der. 1. Build addbuiltin by doing gmake in mozilla/security/nss/cmd/addbuiltin. 
@@ -29,3 +34,18 @@ certificate. Then run "gmake generate". 7. After you verify that the new nssckbi module is correct, check in certdata.txt, certdata.c, and nssckbi.h. + +II. Removing a Builtin Root CA Certificate + +1. Change directory to this directory. + +2. Edit certdata.txt and remove the root CA certificate. + +3. Run "gmake generate". + +4. Edit nssckbi.h to bump the version of the module. + +5. Run gmake in this directory to build the nssckbi module. + +6. After you verify that the new nssckbi module is correct, check in +certdata.txt, certdata.c, and nssckbi.h.
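Review bot: In the first hunk (@@ -1,8 +1,13 @@), the paragraph under the new "I. Adding a Builtin Root CA Certificate" heading still only says "we assume that the new root CA certificate is distributed in DER format in the file newroot.der", with no word on checking that the file is the certificate the CA actually issued. Since this procedure creates a trust anchor, consider adding a sentence here telling the reader to compare the fingerprint of newroot.der with the value obtained from the CA through a separate channel before starting step 1, unless one of the later steps that this hunk does not show already covers it. A smaller style point: the blank "+" line after "or remove a builtin root CA certificate from NSS." separates the opening sentence from the nssckbi paragraph, which is fine, but the README now has Roman-numeral sections and no short pointer at the top saying that removal is section II.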
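Review bot: In the second hunk (@@ -29,3 +34,18 @@), step 2 of section II, "Edit certdata.txt and remove the root CA certificate", does not say which entries in certdata.txt belong to a root, so a reader can delete the certificate and leave related entries behind. If a root is represented by more than one entry in that file, name them in step 2 so the removal is complete. Step 6, "After you verify that the new nssckbi module is correct", gives no check to perform; for a removal the useful one is to confirm that the rebuilt module no longer exposes the removed root and that the other roots are unchanged, and it would help to say so. Step 4, "Edit nssckbi.h to bump the version of the module", should also state which value or values in nssckbi.h are meant.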