14.5. Importing a certificate into an NSS Database

Ensure that your web service is taken offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS database by other processes (such as a browser). Doing so may corrupt the NSS database or result in improper usage of these certificates.
Note that which set of instructions you follow will depend on the usage for the certificate in question.
  • For any subsystem's auditSigningCert, please follow the steps below for validating an object Signing certificate.
  • For the CA subsystem's caSigningCert, please follow the steps above for importing and validating an intermediate certificate chain, but do so only with the caSigningCert.
  • For the CA subsystem's ocspSigningCert, please follow the steps below for validating an OCSP certificate.
  • For user's client or S/MIME certificate, follow the Client Certificate steps.
For more information about the certutil and PKICertImport options used below, see Section 14.1, “About certutil and PKICertImport.

Importing a Client Certificate Into the NSS Database

To import a client certificate into the NSS database:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the client certificate:
    # PKICertImport -d . -n "client name" -t ",," -a -i client.crt -u C
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

Importing an Object Signing Certificate

To import an object signing certificate:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the object signing certificate:
    # PKICertImport -d . -n "certificate name" -t ",,P" -a -i objectsigning.crt -u J
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

Importing an OCSP Responder

To import an OCSP responder:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the OCSP responder certificate:
    # PKICertImport -d . -n "certificate name" -t ",," -a -i ocsp.crt -u O
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.