libnss replacement

Andrej Valek andrej.valek at
Thu Jun 6 10:06:45 UTC 2019

Thank you for the clarification.

I have moved forward a little bit. I have made a decision that using
only one database makes sense.

Currently I am using trust (from p11-kit) to add a new certificate into
the NSS database. A /usr/lib/ ->
/usr/lib/pkcs11/ is making a background accessing for my
application (p11-kit   = /etc/ssl/certs/ca-certificates.crt). But system
ca-certificates are still required for other applications, which are
using openssl directly.

I want to create only one NSS-based database for the whole system and get
rid of /etc/ssl/certs (if it's possible). I want to fill this NSS
database with system ca-certificates during build-time. This database
should be accessible to all applications including openssl.

Is it possible to remove /etc/ssl/certs and replace them, let's say, with
libp11 ( Correct me if I am wrong, but
openssl -> libp11 (pkcs#11) -> p11-kit-trust (p11-kit) -> NSS database
(including system certificates) could make this.

Is it possible to do this? If yes, how?

Thank you,

On 5/28/19 2:29 AM, Ryan Sleevi wrote:
> On Fri, May 24, 2019 at 7:09 AM Valek, Andrej <andrej.valek at>
> wrote:
>> Hello Everyone!
>> I have found your nice project, which could solve my problems.
>> I am trying to get rid of the libnss due to some problems.
>> My application is QtWebengine + chromium based. Previously SSL
>> certificates have been handled by openssl. Chromium read ca-certificates
>> from /etc/ssl/certs, but from QT version 5.12.3 they have switched to using
>> nss. When the application starts, it loads certificates from ~/.pki/nssdb .
>> Application is still using the old certificates, even if I upload the new
>> certificate and the nssdb is updated via certutil from ca-certificate
>> update hook. Application just reads nssdb during starting. After
>> application restarting, it re-loaded the library and worked. But this case
>> is unwanted.
> Since you mentioned Chromium and libnss - this isn't something p11-kit can
> help with. While you're not using nssckbi anymore, you're still using
> libnss for all of the certificate verification and operations, and libnss
> (and the mozilla::pkix APIs that Chromium-based distributions use from
> libnss) has a host of internal caches. Additionally, Chromium itself has a
> host of internal caches, and officially, does not support your use case.
> If you'd like to resolve this, you'd need to switch to using something
> not-Chromium-based, not-libnss-based (although Chromium using the other
> backends similarly makes no guarantee of immediate visibility of changes
> absent process restarts), or maintain patches for or on top of QtWebEngine.
> In any event, those are probably easily answered on a Chromium bug, with
> the knowledge it may be WontFixed, but at least provide more thorough
> answers if you have follow-up questions.
> Hope that helps!
> /Chromium maintainer of that code, who happens to lurk here.

More information about the p11-glue mailing list