2.2.6. NSS Shared Databases

The NSS shared database format, introduced on NSS 3.12, is now available in Red Hat Enterprise Linux 6. This encompasses a number of new features and components to improve access and usability.
Included, is the NSS certificate and key database which are now sqlite-based and allow for concurrent access. The legacy key3.db and cert8.db are also replaced with new SQL databases called key4.db and cert9.db. These new databases will store PKCS #11 token objects, which are the same as what is currently stored in cert8.db and key3.db.
Having support for shared databases enables a system-wide NSS database. It resides in /etc/pki/nssdb where globally trusted CA certificates become accessible to all applications. The command rv = NSS_InitReadWrite("sql:/etc/pki/nssdb"); initializes NSS for applications. If the application is run with root privileges, then the system-wide database is available on a read and write basis. However, if it is run with normal user privileges it becomes read only.
Additionally, a PEM PKCS #11 module for NSS allows applications to load into memory certificates and keys stored in PEM-formatted files (for example, those produced by openssl). Backwards Compatibility

The binary compatibility guarantees made by NSS upstream are preserved in NSS for Red Hat Enterprise Linux 6. This guarantee states that NSS used in Red Hat Enterprise Linux 6 is backwards compatible with all older NSS 3.x shared libraries. Therefore, a program linked with an older NSS 3.x shared library will work without recompiling or relinking, and any applications that restrict the use of NSS APIs to the NSS Public Functions remain compatible with future versions of the NSS shared libraries.