certutil: How do I return the nickname of the "best" certificate in the NSS certificate database?


Graham Leggett

Sep 13, 2020, 6:00:21 PM
to dev-tec...@lists.mozilla.org
Hi all,

In a script, I need to know what the “best” certificate is in the NSS database for a given host.

The “best” certificate is
- A valid certificate by all the usual definitions of valid; and
- Matches the hostname provided either by using the subject or the subjectAltName (with optional wildcards); and
- (to break ties) Has the longest validity.

From what I can see certutil can’t do this. Is there an alternative tool I should be using?

If no tool exists, is there a corresponding API call in the NSS API that will return a certificate (or certificates) as per the definition above? If so I can put together a patch.


J.C. Jones

Sep 14, 2020, 1:14:26 PM
to mozilla-dev...@lists.mozilla.org
Hi Graham,

As you saw, there's no good mechanism for this via certutil. Honestly, the logic for the legacy verifier that would accomplish this is somewhat lacking, as well.

There's a meta-bug for someday reworking the tools to use mozilla::pkix, which would accomplish what you're looking for, Bug 1648172. The significant lift here though would be reworking the relevant tool to compile in C++, needed for mozilla::pkix.

If you're interested in contributing that rework, we'd love to work with you on it. But nevertheless, mozilla::pkix, in the lib/mozpkix dir, is the right way to approach this problem.
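
The selection rule from the question, sketched as an added Python example (not code from this thread, from NSS, or from mozilla::pkix). Assumptions: the certificates are constructed records rather than NSS database entries, `chain_ok` stands in for the result of a real path-validation step, subjectAltName DNS names take precedence over the subject CN when present, and "longest validity" is read as the latest notAfter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Cert:  # constructed stand-in for one certificate database entry
    nickname: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)
    chain_ok: bool = True  # assumed outcome of separate chain/trust validation

def host_matches(pattern, host):
    """Match a DNS name; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # reject '*.com'-style patterns
    return p == h

def best_nickname(certs, host, now):
    """Nickname of the valid, host-matching certificate that expires last."""
    candidates = []
    for c in certs:
        if not c.chain_ok or not (c.not_before <= now <= c.not_after):
            continue
        names = c.san_dns or [c.subject_cn]  # CN only when no SAN is present
        if any(host_matches(n, host) for n in names):
            candidates.append(c)
    if not candidates:
        return None
    # Tie-break: latest notAfter, then nickname for a deterministic result.
    return max(candidates, key=lambda c: (c.not_after, c.nickname)).nickname

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data, not taken from any real database.
SAMPLE = [
    Cert("expired", "www.example.com", utc(2018, 1, 1), utc(2019, 1, 1)),
    Cert("wildcard", "example.com", utc(2020, 1, 1), utc(2021, 6, 1), ["*.example.com"]),
    Cert("exact-short", "www.example.com", utc(2020, 1, 1), utc(2020, 12, 1), ["www.example.com"]),
    Cert("other-host", "mail.example.org", utc(2020, 1, 1), utc(2022, 1, 1)),
    Cert("untrusted", "www.example.com", utc(2020, 1, 1), utc(2023, 1, 1), chain_ok=False),
]
NOW = utc(2020, 9, 13)

if __name__ == "__main__":
    print(best_nickname(SAMPLE, "www.example.com", NOW))
```
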

