certutil: How do I return the nickname of the "best" certificate in the NSS certificate database?

[Graham Leggett]

Hi all,

In a script, I need to know what the “best” certificate is in the NSS database for a given host.

The “best” certificate is
- A valid certificate by all the usual definitions of valid; and
- Matches the hostname provided either by using the subject or the subjectAltName (with optional wildcards); and
- (to break ties) Has the longest validity.

From what I can see certutil can’t do this. Is there an alternative tool I should be using?

If no tool exists, is there a corresponding API call in the NSS API that will return a certificate (or certificates) as per the definition above? If so I can put together a patch.

Regards,
Graham
—

[J.C. Jones]

Hi Graham,

As you saw, there's no good mechanism for this via certutil. Honestly, the logic for the legacy verifier that would accomplish this is somewhat lacking, as well.

There's a meta-bug for someday reworking the tools to use mozilla::pkix, which would accomplish what you're looking for, Bug 1648172. The significant lift here though would be reworking the relevant tool to compile in C++, needed for mozilla::pkix.

If you're interested in contributing that rework, we'd love to work with you on it. But nevertheless, mozilla::pkix. in the lib/mozpkix dir, is the right way to approach this problem.

Cheers,
J.C.