libnss replacement

Valek, Andrej andrej.valek at
Fri May 24 10:53:46 UTC 2019

Hello Everyone!

I have found your nice project, which could solves my problems.

I am trying to get rid of the libnss due to some problems.
My application is QtWebengine + chromium based. Previously SSL certificates have been handled by openssl. Chromium read ca-certificates from /etc/ssl/certs, but from QT version 5.12.3 they have switched to used nss. When the application starts, it loads certificates from ~/.pki/nssdb . Application is still using the old certificates, even if I upload the new certificate and the nssdb is updated via certutil from ca-certificate update hook. Application just reads nssdb during starting. After application restarting, it re-loaded the library and worked. But this case is unwanted.

I was trying to use your p11-kit a replacement to be able to update certificates during application running.
So I have replaced libnss (/usr/lib/ -> /usr/lib/pkcs11/ with your library. Started my application and import new certificate via "trust anchor --store /var/lib/xxx.pem". But application still couldn't verified the page. Same behavior as before, after restarts, application was working.

So is it possible to use your SW for my runtime use-cases? If yes, how I can do that?

Many thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the p11-glue mailing list