MODUTIL(1)                    NSS Security Tools                    MODUTIL(1)

NAME
       modutil - Manage PKCS #11 module information within the security module
       database.

SYNOPSIS
       modutil [options] [[arguments]]

STATUS
       This documentation is still work in progress. Please contribute to the
       initial review in Mozilla NSS bug 836477[1].

DESCRIPTION
       The Security Module Database Tool, modutil, is a command-line utility
       for managing PKCS #11 module information both within secmod.db files
       and within hardware tokens. modutil can add and delete PKCS #11
       modules, change passwords on security databases, set defaults, list
       module contents, enable or disable slots, enable or disable FIPS 140-2
       compliance, and assign default providers for cryptographic operations.
       This tool can also create certificate, key, and module security
       database files.

       The tasks associated with security module database management are part
       of a process that typically also involves managing key databases and
       certificate databases.

       Running modutil always requires one (and only one) option to specify
       the type of module operation. Each option may take arguments, anywhere
       from none to multiple arguments.

   Options
       -add modulename
           Add the named PKCS #11 module to the database. Use this option with
           the -libfile, -ciphers, and -mechanisms arguments.

       -changepw tokenname
           Change the password on the named token. If the token has not been
           initialized, this option initializes the password. Use this option
           with the -pwfile and -newpwfile arguments. A password is equivalent
           to a personal identification number (PIN).

       -chkfips
           Verify whether the module is in the given FIPS mode. true means to
           verify that the module is in FIPS mode, while false means to verify
           that the module is not in FIPS mode.

       -create
           Create new certificate, key, and module databases. Use the -dbdir
           directory argument to specify a directory. If any of these
           databases already exist in a specified directory, modutil returns
           an error message.

       -default modulename
           Specify the security mechanisms for which the named module will be
           a default provider. The security mechanisms are specified with the
           -mechanisms argument.

       -delete modulename
           Delete the named module. The default NSS PKCS #11 module cannot be
           deleted.

       -disable modulename
           Disable all slots on the named module. Use the -slot argument to
           disable a specific slot.

           The internal NSS PKCS #11 module cannot be disabled.

       -enable modulename
           Enable all slots on the named module. Use the -slot argument to
           enable a specific slot.

       -fips [true | false]
           Enable (true) or disable (false) FIPS 140-2 compliance for the
           default NSS module.

       -force
           Disable modutil's interactive prompts so it can be run from a
           script. Use this option only after manually testing each planned
           operation to check for warnings and to ensure that bypassing the
           prompts will cause no security lapses or loss of database
           integrity.

       -jar JAR-file
           Add a new PKCS #11 module to the database using the named JAR file.
           Use this command with the -installdir and -tempdir arguments. The
           JAR file uses the NSS PKCS #11 JAR format to identify all the files
           to be installed, the module's name, the mechanism flags, and the
           cipher flags, as well as any files to be installed on the target
           machine, including the PKCS #11 module library file and other files
           such as documentation. This is covered in the JAR installation file
           section in the man page, which details the special script needed to
           perform an installation through a server or with modutil.

       -list [modulename]
           Display basic information about the contents of the secmod.db file.
           Specifying a modulename displays detailed information about a
           particular module and its slots and tokens.

       -rawadd
           Add the module spec string to the secmod.db database.

       -rawlist
           Display the module specs for a specified module or for all loadable
           modules.

       -undefault modulename
           Specify the security mechanisms for which the named module will not
           be a default provider. The security mechanisms are specified with
           the -mechanisms argument.

   Arguments
       MODULE
           Give the security module to access.

       MODULESPEC
           Give the security module spec to load into the security database.

       -ciphers cipher-enable-list
           Enable specific ciphers in a module that is being added to the
           database. The cipher-enable-list is a colon-delimited list of
           cipher names. Enclose this list in quotation marks if it contains
           spaces.

       -dbdir directory
           Specify the database directory in which to access or create
           security module database files.

           modutil supports SQLite databases (cert9.db, key4.db, and
           pkcs11.txt).

       --dbprefix prefix
           Specify the prefix used on the database files, such as my_ for
           my_cert9.db. This option is provided as a special case. Changing
           the names of the certificate and key databases is not recommended.

       -installdir root-installation-directory
           Specify the root installation directory relative to which files
           will be installed by the -jar option. This directory should be one
           below which it is appropriate to store dynamic library files, such
           as a server's root directory.

       -libfile library-file
           Specify a path to a library file containing the implementation of
           the PKCS #11 interface module that is being added to the database.

       -mechanisms mechanism-list
           Specify the security mechanisms for which a particular module will
           be flagged as a default provider. The mechanism-list is a
           colon-delimited list of mechanism names. Enclose this list in
           quotation marks if it contains spaces.

           The module becomes a default provider for the listed mechanisms
           when those mechanisms are enabled. If more than one module claims
           to be a particular mechanism's default provider, that mechanism's
           default provider is undefined.

           modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
           DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
           random number generation), and FRIENDLY (meaning certificates are
           publicly readable).

       -newpwfile new-password-file
           Specify a text file containing a token's new or replacement
           password so that a password can be entered automatically with the
           -changepw option.

       -nocertdb
           Do not open the certificate or key databases. This has several
           effects:

           •   With the -create command, only a module security file is
               created; certificate and key databases are not created.

           •   With the -jar command, signatures on the JAR file are not
               checked.

           •   With the -changepw command, the password on the NSS internal
               module cannot be set or changed, since this password is stored
               in the key database.

       -pwfile old-password-file
           Specify a text file containing a token's existing password so that
           a password can be entered automatically when the -changepw option
           is used to change passwords.

       -secmod secmodname
           Give the name of the security module database (like secmod.db) to
           load.

       -slot slotname
           Specify a particular slot to be enabled or disabled with the
           -enable or -disable options.

       -string CONFIG_STRING
           Pass a configuration string for the module being added to the
           database.

       -tempdir temporary-directory
           Give a directory location where temporary files are created during
           the installation by the -jar option. If no temporary directory is
           specified, the current directory is used.

USAGE AND EXAMPLES
   Creating Database Files
       Before any operations can be performed, there must be a set of security
       databases available. modutil can be used to create these files. The
       only required argument is the directory where the databases will be
       located.

           modutil -create -dbdir directory

   Adding a Cryptographic Module
       Adding a PKCS #11 module means submitting a supporting library file,
       enabling its ciphers, and setting default provider status for various
       security mechanisms. This can be done by supplying all of the
       information through modutil directly or by running a JAR file and
       install script. For the most basic case, simply upload the library:

           modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]

       For example:

           modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM

           Using database directory ...
           Module "Example PKCS #11 Module" added to database.

   Installing a Cryptographic Module from a JAR File
       PKCS #11 modules can also be loaded using a JAR file, which contains
       all of the required libraries and an installation script that describes
       how to install the module. The JAR install script is described in more
       detail in the section called “JAR INSTALLATION FILE FORMAT”.

       The JAR installation script defines the setup information for each
       platform that the module can be installed on. For example:

           Platforms {
               Linux:5.4.08:x86 {
                   ModuleName { "Example PKCS #11 Module" }
                   ModuleFile { crypto.so }
                   DefaultMechanismFlags{0x0000}
                   CipherEnableFlags{0x0000}
                   Files {
                       crypto.so {
                           Path{ /tmp/crypto.so }
                       }
                       setup.sh {
                           Executable
                           Path{ /tmp/setup.sh }
                       }
                   }
               }
               Linux:6.0.0:x86 {
                   EquivalentPlatform { Linux:5.4.08:x86 }
               }
           }

       Both the install script and the required libraries must be bundled in a
       JAR file, which is specified with the -jar argument.

           modutil -dbdir /home/my/sharednssdb -jar install.jar -installdir /home/my/sharednssdb

           This installation JAR file was signed by:
           ----------------------------------------------

           **SUBJECT NAME**

           C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
           Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
           Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
           . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
           Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
           NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
           VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
           OU="VeriSign, Inc.", O=VeriSign Trust Network
           ----------------------------------------------

           Do you wish to continue this installation? (y/n) y
           Using installer script "installer_script"
           Successfully parsed installation script
           Current platform is Linux:5.4.08:x86
           Using installation parameters for platform Linux:5.4.08:x86
           Installed file crypto.so to /tmp/crypto.so
           Installed file setup.sh to ./pk11inst.dir/setup.sh
           Executing "./pk11inst.dir/setup.sh"...
           "./pk11inst.dir/setup.sh" executed successfully
           Installed module "Example PKCS #11 Module" into module database

           Installation completed successfully

   Adding Module Spec
       Each module has information stored in the security database about its
       configuration and parameters. These can be added or edited using the
       -rawadd command. For the current settings or to see the format of the
       module spec in the database, use the -rawlist option.

           modutil -rawadd modulespec

   Deleting a Module
       A specific PKCS #11 module can be deleted from the secmod.db database:

           modutil -delete modulename -dbdir directory

   Displaying Module Information
       The secmod.db database contains information about the PKCS #11 modules
       that are available to an application or server to use. The list of all
       modules, information about specific modules, and database configuration
       specs for modules can all be viewed.

       To simply get a list of modules in the database, use the -list command.

           modutil -list [modulename] -dbdir directory

       Listing the modules shows the module name, their status, and other
       associated security databases for certificates and keys. For example:

           modutil -list -dbdir /home/my/sharednssdb

           Listing of PKCS #11 Modules
           -----------------------------------------------------------
           1. NSS Internal PKCS #11 Module
                   slots: 2 slots attached
                  status: loaded

                   slot: NSS Internal Cryptographic Services
                  token: NSS Generic Crypto Services
                    uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

                   slot: NSS User Private Key and Certificate Services
                  token: NSS Certificate DB
                    uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
           -----------------------------------------------------------

       Passing a specific module name with -list returns detailed
       information about the module itself, like supported cipher mechanisms,
       version numbers, serial numbers, and other information about the module
       and the token it is loaded on. For example:

           modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb

           -----------------------------------------------------------
           Name: NSS Internal PKCS #11 Module
           Library file: **Internal ONLY module**
           Manufacturer: Mozilla Foundation
           Description: NSS Internal Crypto Services
           PKCS #11 Version 2.20
           Library Version: 3.11
           Cipher Enable Flags: None
           Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES

             Slot: NSS Internal Cryptographic Services
             Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
             Manufacturer: Mozilla Foundation
             Type: Software
             Version Number: 3.11
             Firmware Version: 0.0
             Status: Enabled
             Token Name: NSS Generic Crypto Services
             Token Manufacturer: Mozilla Foundation
             Token Model: NSS 3
             Token Serial Number: 0000000000000000
             Token Version: 4.0
             Token Firmware Version: 0.0
             Access: Write Protected
             Login Type: Public (no login required)
             User Pin: NOT Initialized

             Slot: NSS User Private Key and Certificate Services
             Slot Mechanism Flags: None
             Manufacturer: Mozilla Foundation
             Type: Software
             Version Number: 3.11
             Firmware Version: 0.0
             Status: Enabled
             Token Name: NSS Certificate DB
             Token Manufacturer: Mozilla Foundation
             Token Model: NSS 3
             Token Serial Number: 0000000000000000
             Token Version: 8.3
             Token Firmware Version: 0.0
             Access: NOT Write Protected
             Login Type: Login required
             User Pin: Initialized

       A related command, -rawlist, returns information about the database
       configuration for the modules. (This information can be edited by
       loading new specs using the -rawadd command.)

           modutil -rawlist -dbdir /home/my/sharednssdb
           name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"

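       The module spec string that -rawlist prints (and that -rawadd accepts)
       is compact enough to misread when reviewing a database by hand. The
       following parser is an added example, not code from the NSS project or
       from this man page; it is modelled on the format of the sample line
       above (space-separated key=value attributes, quoted values, and the
       nested {...} / [...] groups inside the NSS= attribute) and the sample
       spec it parses is constructed from that line. It turns a spec into
       nested dictionaries so that a script can check, for instance, which
       slot supplies RANDOM or whether the certificate database is opened
       read-only.

```python
"""Parse the module spec strings printed by `modutil -rawlist`.

Added example; not part of the modutil man page or the NSS code base. The
format modelled here is the one shown on the page: space-separated key=value
attributes whose values are double-quoted strings or bare tokens, where the
NSS= attribute itself holds nested key=value attributes and a value may be a
balanced {...} or [...] group.
"""

# Constructed from the -rawlist sample output shown in the man page.
SAMPLE_SPEC = (
    'name="NSS Internal PKCS #11 Module" '
    'parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " '
    'NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,'
    'DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"'
)

GROUP_OPEN = {"{": "}", "[": "]"}


def parse_attrs(text):
    """Split `key=value key=value ...` into a dict (one level only).

    A value is a "..." string (quotes consumed), a balanced {...} or [...]
    group (brackets kept so the caller can recurse), or a bare token ending
    at whitespace. A key with no "=" or an empty value maps to "".
    """
    attrs, i, n = {}, 0, len(text)
    while i < n:
        while i < n and text[i].isspace():
            i += 1
        if i >= n:
            break
        start = i
        while i < n and text[i] != "=" and not text[i].isspace():
            i += 1
        key = text[start:i]
        if i >= n or text[i] != "=":
            attrs[key] = ""
            continue
        i += 1  # skip '='
        if i < n and text[i] == '"':
            j = text.index('"', i + 1)
            attrs[key] = text[i + 1:j]
            i = j + 1
        elif i < n and text[i] in GROUP_OPEN:
            depth, j = 0, i
            while j < n:  # find the matching close bracket
                if text[j] in GROUP_OPEN:
                    depth += 1
                elif text[j] in GROUP_OPEN.values():
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            attrs[key] = text[i:j + 1]
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            attrs[key] = text[i:j]
            i = j
    return attrs


def parse_module_spec(line):
    """Parse one -rawlist line into nested dicts for parameters, NSS and slots."""
    spec = parse_attrs(line)
    spec["parameters"] = parse_attrs(spec.get("parameters", ""))
    nss = parse_attrs(spec.get("NSS", ""))
    slot_group = nss.get("slotParams", "{}")
    slots = {}
    for slot_id, body in parse_attrs(slot_group[1:-1]).items():
        slots[slot_id] = parse_attrs(body[1:-1])  # strip the [ ] around the slot
    nss["slotParams"] = slots
    spec["NSS"] = nss
    return spec


def summarize(spec):
    """Pull out the fields an operator checks first on each module."""
    nss = spec["NSS"]
    return {
        "name": spec.get("name", ""),
        "read_only": "readOnly" in spec["parameters"].get("flags", "").split(","),
        "flags": [f for f in nss.get("Flags", "").split(",") if f],
        "trust_order": int(nss.get("trustOrder", "0")),
        "slots": {sid: s.get("slotFlags", "").split(",") for sid, s in nss["slotParams"].items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_module_spec(SAMPLE_SPEC)), indent=2))
```

       Run against the real -rawlist output of a database (one spec per
       line), the same functions give a machine-readable view of which
       modules are marked internal or critical, what trust order they carry,
       and which mechanisms each slot claims, which is what to compare
       against an expected baseline when auditing a shared NSS database.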
   Setting a Default Provider for Security Mechanisms
       Multiple security modules may provide support for the same security
       mechanisms. It is possible to set a specific security module as the
       default provider for a specific security mechanism (or, conversely, to
       prohibit a provider from supplying those mechanisms).

           modutil -default modulename -mechanisms mechanism-list

       To set a module as the default provider for mechanisms, use the
       -default command with a colon-separated list of mechanisms. The
       available mechanisms depend on the module; NSS supplies almost all
       common mechanisms. For example:

           modutil -default "NSS Internal PKCS #11 Module" -dbdir c:\databases -mechanisms RSA:DSA:RC2

           Using database directory c:\databases...

           Successfully changed defaults.

       Clearing the default provider has the same format:

           modutil -undefault "NSS Internal PKCS #11 Module" -dbdir c:\databases -mechanisms MD2:MD5

   Enabling and Disabling Modules and Slots
       Modules, and specific slots on modules, can be selectively enabled or
       disabled using modutil. Both commands have the same format:

           modutil -enable|-disable modulename [-slot slotname]

       For example:

           modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                         " -dbdir .

           Slot "NSS Internal Cryptographic Services                         " enabled.

       Be sure that the appropriate amount of trailing whitespace is after the
       slot name. Some slot names have a significant amount of whitespace that
       must be included, or the operation will fail.

   Enabling and Verifying FIPS Compliance
       The NSS modules can have FIPS 140-2 compliance enabled or disabled
       using modutil with the -fips option. For example:

           modutil -fips true -dbdir /home/my/sharednssdb/

           FIPS mode enabled.

       To verify the status of FIPS mode, run the -chkfips command with
       either a true or false flag (it doesn't matter which). The tool returns
       the current FIPS setting.

           modutil -chkfips false -dbdir /home/my/sharednssdb/

           FIPS mode enabled.

   Changing the Password on a Token
       Initializing or changing a token's password:

           modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]

           modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB"

           Enter old password:
           Incorrect password, try again...
           Enter old password:
           Enter new password:
           Re-enter new password:
           Token "Communicator Certificate DB" password changed successfully.

JAR INSTALLATION FILE FORMAT
       When a JAR file is run by a server, by modutil, or by any program that
       does not interpret JavaScript, a special information file must be
       included to install the libraries. There are several things to keep in
       mind with this file:

       •   It must be declared in the JAR archive's manifest file.

       •   The script can have any name.

       •   The metainfo tag for this is Pkcs11_install_script. To declare
           meta-information in the manifest file, put it in a file that is
           passed to signtool.

   Sample Script
       For example, the PKCS #11 installer script could be in the file
       pk11install. If so, the metainfo file for signtool includes a line such
       as this:

           + Pkcs11_install_script: pk11install

       The script must define the platform and version number, the module name
       and file, and any optional information like supported ciphers and
       mechanisms. Multiple platforms can be defined in a single install file.

           ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
           Platforms {
               WINNT::x86 {
                   ModuleName { "Example Module" }
                   ModuleFile { win32/fort32.dll }
                   DefaultMechanismFlags{0x0001}
                   DefaultCipherFlags{0x0001}
                   Files {
                       win32/setup.exe {
                           Executable
                           RelativePath { %temp%/setup.exe }
                       }
                       win32/setup.hlp {
                           RelativePath { %temp%/setup.hlp }
                       }
                       win32/setup.cab {
                           RelativePath { %temp%/setup.cab }
                       }
                   }
               }
               WIN95::x86 {
                   EquivalentPlatform {WINNT::x86}
               }
               SUNOS:5.5.1:sparc {
                   ModuleName { "Example UNIX Module" }
                   ModuleFile { unix/fort.so }
                   DefaultMechanismFlags{0x0001}
                   CipherEnableFlags{0x0001}
                   Files {
                       unix/fort.so {
                           RelativePath{%root%/lib/fort.so}
                           AbsolutePath{/usr/local/netscape/lib/fort.so}
                           FilePermissions{555}
                       }
                       xplat/instr.html {
                           RelativePath{%root%/docs/inst.html}
                           AbsolutePath{/usr/local/netscape/docs/inst.html}
                           FilePermissions{555}
                       }
                   }
               }
               IRIX:6.2:mips {
                   EquivalentPlatform { SUNOS:5.5.1:sparc }
               }
           }

   Script Grammar
       The script is basic Java, allowing lists, key-value pairs, strings, and
       combinations of all of them.

           --> valuelist

           valuelist --> value valuelist
                          <null>

           value ---> key_value_pair
                      string

           key_value_pair --> key { valuelist }

           key --> string

           string --> simple_string
                      "complex_string"

           simple_string --> [^ \t\n\""{""}"]+

           complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+

       Quotes and backslashes must be escaped with a backslash. A complex
       string must not include newlines or carriage returns. Outside of complex
       strings, all white space (for example, spaces, tabs, and carriage
       returns) is considered equal and is used only to delimit tokens.

   Keys
       The Java install file uses keys to define the platform and module
       information.

       ForwardCompatible gives a list of platforms that are forward
       compatible. If the current platform cannot be found in the list of
       supported platforms, then the ForwardCompatible list is checked for any
       platforms that have the same OS and architecture in an earlier version.
       If one is found, its attributes are used for the current platform.

       Platforms (required) Gives a list of platforms. Each entry in the list
       is itself a key-value pair: the key is the name of the platform and the
       value list contains various attributes of the platform. The platform
       string is in the format system name:OS release:architecture. The
       installer obtains these values from NSPR. OS release is an empty string
       on non-Unix operating systems. NSPR supports these platforms:

       •   AIX (rs6000)

       •   BSDI (x86)

       •   FREEBSD (x86)

       •   HPUX (hppa1.1)

       •   IRIX (mips)

       •   LINUX (ppc, alpha, x86)

       •   MacOS (PowerPC)

       •   NCR (x86)

       •   NEC (mips)

       •   OS2 (x86)

       •   OSF (alpha)

       •   ReliantUNIX (mips)

       •   SCO (x86)

       •   SOLARIS (sparc)

       •   SONY (mips)

       •   SUNOS (sparc)

       •   UnixWare (x86)

       •   WIN16 (x86)

       •   WIN95 (x86)

       •   WINNT (x86)

       For example:

           IRIX:6.2:mips
           SUNOS:5.5.1:sparc
           Linux:2.0.32:x86
           WIN95::x86

       The module information is defined independently for each platform in
       the ModuleName, ModuleFile, and Files attributes. These attributes must
       be given unless an EquivalentPlatform attribute is specified.

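       The grammar above and the platform-selection rules (an exact Platforms
       entry first, then a ForwardCompatible entry with the same OS and
       architecture and an earlier release, with EquivalentPlatform deferring
       to another entry) are small enough to implement and check before a JAR
       is signed. The parser and resolver below are an added example, not NSS
       code; the tokenizer follows the simple_string and complex_string rules
       of the grammar, the sample script is constructed after the page's
       examples, and the treatment of an empty "" string and of release
       numbers compared as dotted integers are this example's own assumptions.

```python
"""Parser for the modutil JAR installation script grammar, plus the platform
lookup described in the man page. Added example; not code from the NSS project.
"""
import re

# Constructed sample, modelled on the man page's Linux example.
SAMPLE_SCRIPT = r'''
ForwardCompatible { Linux:5.4.08:x86 }
Platforms {
    Linux:5.4.08:x86 {
        ModuleName { "Example PKCS #11 Module" }
        ModuleFile { crypto.so }
        DefaultMechanismFlags{0x0001}
        Files {
            crypto.so { RelativePath{ %root%/lib/crypto.so } FilePermissions{555} }
        }
    }
    Linux:6.0.0:x86 {
        EquivalentPlatform { Linux:5.4.08:x86 }
    }
}
'''

# "complex" quoted string (escapes \" and \\), a brace, or a simple_string.
# The grammar requires at least one character inside quotes; "" is accepted
# here as an assumption so an empty value does not abort parsing.
TOKEN = re.compile(r'"((?:[^"\\\r\n]|\\"|\\\\)*)"|([{}])|([^ \t\r\n"{}]+)')
WHITESPACE = re.compile(r"\s*")


def tokenize(text):
    """Return a list of ("brace", "{"|"}") and ("str", value) tokens."""
    tokens, pos = [], 0
    while True:
        pos = WHITESPACE.match(text, pos).end()
        if pos == len(text):
            return tokens
        m = TOKEN.match(text, pos)
        if not m:  # e.g. a newline inside quotes or an unterminated string
            raise SyntaxError(f"bad token at offset {pos}")
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r'\\(["\\])', r"\1", m.group(1))))
        elif m.group(2):
            tokens.append(("brace", m.group(2)))
        else:
            tokens.append(("str", m.group(3)))
        pos = m.end()


def parse_valuelist(tokens, i=0):
    """valuelist --> value valuelist | <null>.  Returns (items, next index);
    each item is a plain string or a (key, sub_valuelist) pair."""
    items = []
    while i < len(tokens) and tokens[i] != ("brace", "}"):
        kind, text = tokens[i]
        if kind == "brace":
            raise SyntaxError("'{' without a preceding key")
        if i + 1 < len(tokens) and tokens[i + 1] == ("brace", "{"):
            sub, i = parse_valuelist(tokens, i + 2)
            if i >= len(tokens):
                raise SyntaxError("missing '}'")
            items.append((text, sub))
            i += 1  # consume the closing brace
        else:
            items.append(text)
            i += 1
    return items, i


def parse_script(text):
    tokens = tokenize(text)
    items, i = parse_valuelist(tokens)
    if i != len(tokens):
        raise SyntaxError("unexpected '}'")
    return items


def as_dict(valuelist):
    """Map key -> sub-valuelist for the key-value pairs in a valuelist."""
    return {k: v for k, v in (it for it in valuelist if isinstance(it, tuple))}


def release_tuple(release):
    """Compare releases such as 5.4.08 as dotted integers (an assumption)."""
    return tuple(int(x) for x in re.findall(r"\d+", release))


def resolve_platform(script, current):
    """Return the attribute dict the installer would use for `current`."""
    top = as_dict(script)
    platforms = as_dict(top.get("Platforms", []))
    chosen = current if current in platforms else None
    if chosen is None:  # fall back to ForwardCompatible, as the man page says
        cur_os, cur_rel, cur_arch = current.split(":")
        for name in (s for s in top.get("ForwardCompatible", []) if isinstance(s, str)):
            os_, rel, arch = name.split(":")
            if name in platforms and (os_, arch) == (cur_os, cur_arch) \
                    and release_tuple(rel) < release_tuple(cur_rel) \
                    and (chosen is None or release_tuple(rel) > release_tuple(chosen.split(":")[1])):
                chosen = name
    if chosen is None:
        raise LookupError(f"no installation parameters for {current}")
    attrs, seen = as_dict(platforms[chosen]), {chosen}
    while "EquivalentPlatform" in attrs:
        target = attrs["EquivalentPlatform"][0]
        if target in seen:
            raise LookupError("EquivalentPlatform cycle")
        seen.add(target)
        attrs = as_dict(platforms[target])
    return attrs
```

       Checking a script this way before signing it catches the two mistakes
       that otherwise only show up on the target machine: an EquivalentPlatform
       that points at a platform with no ModuleName/ModuleFile/Files, and a
       ForwardCompatible entry that never matches because its release is not
       earlier than the platforms it is meant to cover.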
   Per-Platform Keys
       Per-platform keys have meaning only within the value list of an entry
       in the Platforms list.

       ModuleName (required) gives the common name for the module. This name
       is used to reference the module by servers and by the modutil tool.

       ModuleFile (required) names the PKCS #11 module file for this platform.
       The name is given as the relative path of the file within the JAR
       archive.

       Files (required) lists the files that need to be installed for this
       module. Each entry in the file list is a key-value pair. The key is the
       path of the file in the JAR archive, and the value list contains
       attributes of the file. At least RelativePath or AbsolutePath must be
       specified for each file.

       DefaultMechanismFlags specifies mechanisms for which this module is the
       default provider; this is equivalent to the -mechanism option with the
       -add command. This key-value pair is a bitstring specified in
       hexadecimal (0x) format. It is constructed as a bitwise OR. If the
       DefaultMechanismFlags entry is omitted, the value defaults to 0x0.

           RSA:                   0x00000001
           DSA:                   0x00000002
           RC2:                   0x00000004
           RC4:                   0x00000008
           DES:                   0x00000010
           DH:                    0x00000020
           FORTEZZA:              0x00000040
           RC5:                   0x00000080
           SHA1:                  0x00000100
           MD5:                   0x00000200
           MD2:                   0x00000400
           RANDOM:                0x08000000
           FRIENDLY:              0x10000000
           OWN_PW_DEFAULTS:       0x20000000
           DISABLE:               0x40000000

       CipherEnableFlags specifies ciphers that this module provides that NSS
       does not provide (so that the module enables those ciphers for NSS).
       This is equivalent to the -cipher argument with the -add command. This
       key is a bitstring specified in hexadecimal (0x) format. It is
       constructed as a bitwise OR. If the CipherEnableFlags entry is omitted,
       the value defaults to 0x0.

       EquivalentPlatform specifies that the attributes of the named platform
       should also be used for the current platform. This makes it easier when
       more than one platform uses the same settings.

   Per-File Keys
       Some keys have meaning only within the value list of an entry in a
       Files list.

       Each file requires a path key that identifies where the file is. Either
       RelativePath or AbsolutePath must be specified. If both are specified,
       the relative path is tried first, and the absolute path is used only if
       no relative root directory is provided by the installer program.

       RelativePath specifies the destination directory of the file, relative
       to some directory decided at install time. Two variables can be used in
       the relative path: %root% and %temp%. %root% is replaced at run time
       with the directory relative to which files should be installed; for
       example, it may be the server's root directory. The %temp% directory is
       created at the beginning of the installation and destroyed at the end.
       The purpose of %temp% is to hold executable files (such as setup
       programs) or files that are used by these programs. Files destined for
       the temporary directory are guaranteed to be in place before any
       executable file is run; they are not deleted until all executable files
       have finished.

       AbsolutePath specifies the destination directory of the file as an
       absolute path.

       Executable specifies that the file is to be executed during the course
       of the installation. Typically, this string is used for a setup program
       provided by a module vendor, such as a self-extracting setup
       executable. More than one file can be specified as executable, in which
       case the files are run in the order in which they are specified in the
       script file.

       FilePermissions sets permissions on any referenced files in a string of
       octal digits, according to the standard Unix format. This string is a
       bitwise OR.

           user read:             0400
           user write:            0200
           user execute:          0100
           group read:            0040
           group write:           0020
           group execute:         0010
           other read:            0004
           other write:           0002
           other execute:         0001

       Some platforms may not understand these permissions. They are applied
       only insofar as they make sense for the current platform. If this
       attribute is omitted, a default of 777 is assumed.

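       The DefaultMechanismFlags and CipherEnableFlags bitstrings and the
       FilePermissions octal string are all bitwise ORs of the tables above,
       and getting them wrong is silent: an unknown mechanism name drops a bit,
       and an omitted FilePermissions installs the module library with the 777
       default. The helpers below are an added example, not NSS code; the bit
       values are exactly the two tables from this man page, and the
       assumption made is that a name the DefaultMechanismFlags table does not
       list (SSL, TLS or AES, which appear in -list output but not in the
       table) should be reported rather than ignored.

```python
"""Encode/decode the DefaultMechanismFlags bitstring and the FilePermissions
octal string of a modutil JAR installation script.

Added example; the bit tables are copied from the man page, the functions
are not NSS code.
"""

MECHANISM_BITS = {  # DefaultMechanismFlags table from the man page
    "RSA": 0x00000001, "DSA": 0x00000002, "RC2": 0x00000004, "RC4": 0x00000008,
    "DES": 0x00000010, "DH": 0x00000020, "FORTEZZA": 0x00000040, "RC5": 0x00000080,
    "SHA1": 0x00000100, "MD5": 0x00000200, "MD2": 0x00000400,
    "RANDOM": 0x08000000, "FRIENDLY": 0x10000000,
    "OWN_PW_DEFAULTS": 0x20000000, "DISABLE": 0x40000000,
}

PERMISSION_BITS = {  # FilePermissions table from the man page
    "user read": 0o400, "user write": 0o200, "user execute": 0o100,
    "group read": 0o040, "group write": 0o020, "group execute": 0o010,
    "other read": 0o004, "other write": 0o002, "other execute": 0o001,
}


def encode_mechanism_flags(mechanism_list):
    """Turn a colon-delimited -mechanisms list ("RSA:DSA:RC2:RANDOM") into the
    0x bitstring the script expects. A name the table has no value for raises
    (assumption) instead of silently dropping a bit."""
    flags = 0
    for name in filter(None, mechanism_list.split(":")):
        try:
            flags |= MECHANISM_BITS[name.upper()]
        except KeyError:
            raise ValueError(f"no flag value in the table for mechanism {name!r}") from None
    return f"0x{flags:08x}"


def decode_mechanism_flags(hex_string):
    """Inverse: "0x08000007" -> (["RSA", "DSA", "RC2", "RANDOM"], 0).
    The second element holds any bits the table does not define."""
    value = int(hex_string, 16)
    names = [n for n, bit in MECHANISM_BITS.items() if value & bit]
    unknown = value & ~sum(MECHANISM_BITS.values())
    return names, unknown


def decode_permissions(octal_string):
    """"555" -> the names of the rwx bits that are set."""
    mode = int(octal_string, 8)
    if mode & ~0o777:
        raise ValueError("only the nine rwx bits are defined in the table")
    return [n for n, bit in PERMISSION_BITS.items() if mode & bit]


def weak_permissions(octal_string):
    """True when group or other can write the installed file, which lets a
    non-owner replace the module library; the 777 default triggers this."""
    return int(octal_string, 8) & (0o020 | 0o002) != 0


if __name__ == "__main__":
    print(encode_mechanism_flags("RSA:DSA:RC2:RANDOM"))   # 0x08000007
    print(decode_mechanism_flags("0x0001"))                # (['RSA'], 0)
    print(decode_permissions("555"), weak_permissions("777"))
```

       A pre-signing check over a parsed script would call
       decode_mechanism_flags on each DefaultMechanismFlags value to confirm
       no undefined bit is set, and weak_permissions on every Files entry
       (treating a missing FilePermissions as "777", per the default above) so
       that library files are never installed group- or world-writable.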
NSS DATABASE TYPES
       NSS originally used BerkeleyDB databases to store security information.
       The last versions of these legacy databases are:

       •   cert8.db for certificates

       •   key3.db for keys

       •   secmod.db for PKCS #11 module information

       BerkeleyDB has performance limitations, though, which prevent it from
       being easily used by multiple applications simultaneously. NSS has some
       flexibility that allows applications to use their own, independent
       database engine while keeping a shared database and working around the
       access issues. Still, NSS requires more flexibility to provide a truly
       shared security database.

       In 2009, NSS introduced a new set of databases that are SQLite
       databases rather than BerkeleyDB. These new databases provide more
       accessibility and performance:

       •   cert9.db for certificates

       •   key4.db for keys

       •   pkcs11.txt, which is a listing of all of the PKCS #11 modules
           contained in a new subdirectory in the security databases directory

       Because the SQLite databases are designed to be shared, these are the
       shared database type. The shared database type is preferred; the legacy
       format is included for backward compatibility.

       By default, the tools (certutil, pk12util, modutil) assume that the
       given security databases use the SQLite type.

       •   https://wiki.mozilla.org/NSS_Shared_DB_Howto

       For an engineering draft on the changes in the shared NSS databases,
       see the NSS project wiki:

       •   https://wiki.mozilla.org/NSS_Shared_DB

SEE ALSO
       certutil (1)

       pk12util (1)

       signtool (1)

       The NSS wiki has information on the new database design and how to
       configure applications to use it.

       •   https://wiki.mozilla.org/NSS_Shared_DB_Howto

       •   https://wiki.mozilla.org/NSS_Shared_DB

ADDITIONAL RESOURCES
       For information about NSS and other tools related to NSS (like JSS),
       check out the NSS project wiki at
       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
       directly to NSS code changes and releases.

       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

       IRC: Freenode at #dogtag-pki

AUTHORS
       The NSS tools were written and maintained by developers with Netscape,
       Red Hat, Sun, Oracle, Mozilla, and Google.

       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
       <dlackey@redhat.com>.

LICENSE
       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
       was not distributed with this file, You can obtain one at
       http://mozilla.org/MPL/2.0/.

NOTES
        1. Mozilla NSS bug 836477
           https://bugzilla.mozilla.org/show_bug.cgi?id=836477

nss-tools                      26 October 2023                      MODUTIL(1)