NSS uses a certificate database that is empty by default and is not updated automatically when new CAs are added in /etc/ssl/certs. So we are forced to recreate the database from scratch, and since it takes about 1 minute, due to the "certutil" command being slow, we can't do it every time.

By implementing an update operation that only adds new certificates and removes obsolete ones, we run certutil much less, so the update is significantly faster.

In order to detect changes to certificates, and because NSS databases and PEM data are very shitty to introspect, we will base ourselves mostly on NSS cert "nicknames". As /etc/ssl/certs contains a lot of duplicates, we will rely on PEM data hashing instead of filenames to detect different certificates, and the hashes will be the nicknames.

Simplified, an update operation goes like this:
- list all db cert hashes (the nicknames)
- hash all system certs
- add in db all system certs for which the nickname was missing
- remove from db the nicknames if the hash wasn't in the system list

For migrating to the new nickname format, basically we will have to purge the db and recreate it.
c036f657
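The update operation described in the commit message, as an added example that is not the project's own script. It assumes that the nickname of each certificate is the hex SHA-256 of its DER bytes (one concrete form of "PEM data hashing", which also collapses the symlinked duplicates in /etc/ssl/certs), that NSS's certutil is on PATH with an "sql:" database, that CA certificates are added with the trust flags "C,C,C", and the default paths /etc/pki/nssdb and /etc/ssl/certs; all of these are assumptions, and the sample bundle and certutil listing embedded in the script are constructed for a dry run, not real certificates.

```python
#!/usr/bin/env python3
"""Incremental sync of an NSS cert DB against a directory of PEM CA certs.

Added example, not the project's script. A cert's nickname in the DB is the
hex SHA-256 of its DER bytes (assumed concrete form of "PEM data hashing"),
so the update is a set difference between DB nicknames and the hashes of the
certs found on disk. Assumes NSS certutil on PATH and an "sql:" database.
"""
import base64
import hashlib
import os
import re
import subprocess
import sys
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
TRUST_RE = re.compile(r"[pPcCTuw,]*")   # certutil's trust-flag alphabet, e.g. "CT,C,C" or ",,"
TRUST_FLAGS = "C,C,C"                   # assumed trust given to every CA cert we add


def parse_pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode(re.sub(r"\s+", "", m.group(1)))
            for m in PEM_BLOCK.finditer(text)]


def cert_hash(der):
    """Nickname: SHA-256 of the DER, so re-wrapped or duplicated PEM files collide."""
    return hashlib.sha256(der).hexdigest()


def system_certs(certs_dir):
    """Map hash -> DER for every cert under certs_dir; symlinked duplicates dedupe."""
    certs = {}
    for name in sorted(os.listdir(certs_dir)):
        path = os.path.join(certs_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, errors="replace") as f:
                for der in parse_pem_certs(f.read()):
                    certs[cert_hash(der)] = der
        except (OSError, ValueError):   # unreadable or invalid base64: not a cert
            continue
    return certs


def parse_certutil_list(output):
    """Nicknames from `certutil -L` output: name, padding, then trust flags."""
    nicks = set()
    for line in output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.fullmatch(parts[1]):   # skips the two header lines
            nicks.add(parts[0].rstrip())
    return nicks


def plan_update(db_nicknames, system_hashes):
    """Add what the DB lacks; remove DB entries whose nickname is not a current hash."""
    return sorted(system_hashes - db_nicknames), sorted(db_nicknames - system_hashes)


def certutil(db_dir, *args):
    cmd = ["certutil", "-d", "sql:" + db_dir, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def sync_db(db_dir, certs_dir):
    """Run the incremental update; returns (added, removed) nickname lists."""
    certs = system_certs(certs_dir)
    to_add, to_remove = plan_update(parse_certutil_list(certutil(db_dir, "-L")), set(certs))
    for nick in to_remove:          # also drops entries left in an older nickname format
        certutil(db_dir, "-D", "-n", nick)
    for nick in to_add:             # certutil -A takes one PEM cert per input file
        pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(certs[nick]).decode()
               + "-----END CERTIFICATE-----\n")
        with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
            tmp.write(pem)
            tmp.flush()
            certutil(db_dir, "-A", "-n", nick, "-t", TRUST_FLAGS, "-a", "-i", tmp.name)
    return to_add, to_remove


# Constructed sample data (not real certificates): the first two blocks are the
# same bytes wrapped differently, as symlinked duplicates in /etc/ssl/certs are.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAEC\nAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n/////w==\n-----END CERTIFICATE-----\n"
)
SAMPLE_LIST = (   # constructed `certutil -L` output: one current hash, one stale entry
    "Certificate Nickname                       Trust Attributes\n"
    "                                           SSL,S/MIME,JAR/XPI\n\n"
    f"{cert_hash(bytes([0xff] * 4))}   C,C,C\n"
    "Old CA Nickname                            CT,C,C\n"
)


def demo():
    """Dry run on the sample data; returns (to_add, to_remove) without touching a DB."""
    system = {cert_hash(der) for der in parse_pem_certs(SAMPLE_BUNDLE)}
    return plan_update(parse_certutil_list(SAMPLE_LIST), system)


if __name__ == "__main__":
    db_dir, certs_dir = sys.argv[1:3] if len(sys.argv) == 3 else ("/etc/pki/nssdb", "/etc/ssl/certs")
    added, removed = sync_db(db_dir, certs_dir)
    print(f"added {len(added)}, removed {len(removed)}")
```

Because the plan is a plain set difference, any DB entry whose nickname is not a current hash (including entries in an older nickname format) lands in the removal list, so an incremental run over an old-format database ends up equivalent to the purge-and-recreate migration the message mentions, only without the one-minute rebuild. Hashing the decoded DER rather than the PEM text is deliberate: two files containing the same certificate with different line wrapping or trailing whitespace would otherwise get two nicknames.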