1.. _mozilla_projects_nss_ssl_functions_gtstd:
2
3gtstd
4=====
5
6.. container::
7
8   .. note::
9
10      -  This page is part of the :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference` that
11         we are migrating into the format described in the `MDN Style
12         Guide <https://developer.mozilla.org/en-US/docs/Project:MDC_style_guide>`__. If you are
13         inclined to help with this migration, your help would be very much appreciated.
14
15      -  Upgraded documentation may be found in the :ref:`mozilla_projects_nss_reference`
16
17   .. rubric:: Getting Started With SSL
18      :name: Getting_Started_With_SSL
19
20   --------------
21
22.. _chapter_2_getting_started_with_ssl:
23
24`Chapter 2
25 <#chapter_2_getting_started_with_ssl>`__ Getting Started With SSL
26------------------------------------------------------------------
27
28.. container::
29
30   This chapter describes how to set up your environment, including certificate and key databases.
31
32   |  `SSL, PKCS #11, and the Default Security Databases <#1011970>`__
33   | `Setting Up the Certificate and Key Databases <#1011987>`__
34   | `Building NSS Programs <#1013274>`__
35
36.. _ssl_pkcs_11_and_the_default_security_databases:
37
38`SSL, PKCS #11, and the Default Security Databases <#ssl_pkcs_11_and_the_default_security_databases>`__
39-------------------------------------------------------------------------------------------------------
40
41.. container::
42
43   The basic relationships among the NSS libraries are described in `Introduction to Network
44   Security Services <../../intro.html>`__. Before running the sample programs, it's important to
45   understand the relationships between the SSL interface, the PKCS #11 interface, PKCS #11 modules,
46   and the default Netscape security databases.
47
48   A **PKCS #11 module** (also called a **cryptographic module**) manages cryptographic services
49   such as encryption and decryption via the PKCS #11 interface. PKCS #11 modules can be thought of
50   as drivers for cryptographic devices that can be implemented in either hardware or software.
51   Netscape provides a built-in PKCS #11 module with NSS. Other kinds of PKCS #11 modules include
52   the Netscape FORTEZZA module, used by the government, and the Litronic PKCS #11 module for smart
53   card readers.
54
55   `Figure 2.1 <#1013181>`__ illustrates the relationships between NSPR, SSL, PKCS #11, and the
56   available cryptographic modules. SSL is built on top of NSPR, which handles sockets, threads, and
57   related low-level OS operations. On any given server or client, one or more PKCS #11 modules may
58   be available.
59
60   **Figure 2.1    Relationships among NSS libraries, cryptographic modules, slots, and tokens**
61
62   .. image:: /en-US/docs/Mozilla/Projects/NSS/SSL_functions/gtstd/pkcs.gif
63
64   As shown in the figure, SSL communicates with PKCS #11 modules through the PKCS #11 interface.
65   Any PKCS #11 module that supports PKCS #11 can be used with the NSS libraries. Netscape software
66   uses a file called ``secmod.db`` to keep track of the modules available.
67
68   A PKCS #11 module always has one or more **slots,** which may be implemented as physical hardware
69   slots in some form of physical reader (for example, for smart cards) or as conceptual slots in
70   software. Each slot for a PKCS #11 module can in turn contain a **token,** which is the hardware
71   or software device that actually provides cryptographic services and optionally stores
72   certificates and keys.
73
74   Netscape provides three built-in modules with NSS and with server and client products:
75
76   -  The default Netscape Internal PKCS #11 Module comes with two built-in tokens:
77
78      -  The Generic Crypto Services token performs all cryptographic operations, such as
79         encryption, decryption, and hashing.
80      -  The Communicator Certificate DB token handles all communication with the certificate and
81         key database files (called ``cert``\ *X*\ ``.db`` and ``key``\ *X*\ ``.db``, respectively,
82         where\ *X* is a version number) that store certificates and keys.
83
84   -  The FORTEZZA module is intended for use with FORTEZZA hardware tokens.
85   -  The FIPS 140-1 module is compliant with the FIPS 140-1 government standard for implementations
86      of cryptographic modules. Many products sold to the U.S. government must comply with one or
87      more of the FIPS standards. The FIPS 140-1 module includes a single, built-in FIPS 140-1
88      Certificate DB token (see `Figure 2.1 <#1013181>`__), which handles both cryptographic
89      operations and communication with the ``cert``\ *X*\ ``.db`` and ``key``\ *X*\ ``.db`` files.
90
91   If you are creating a server application, you must use the Certificate Database Tool, which comes
92   with NSS, to create the ``cert``\ *X*\ ``.db`` and ``key``\ *X*\ ``.db`` files and populate them
93   with the appropriate certificates and keys.
94
95   If you are creating a client application, you can use either the Certificate Database Tool or the
96   Communicator security interface to create the database files and populate them with the
97   appropriate certificates and keys. You can use Communicator to set up client certificate
98   databases by obtaining certificates from either a public CA or from a certificate server such as
99   Netscape Certificate Management System. The instructions that follow assume you are using the
100   Certificate Database Tool to set up both the server and client databases for testing purposes.
101
102   You can use the Security Module Database Tool, a command-line utility that comes with NSS, to
103   manage PKCS #11 module information within s\ ``ecmod.db`` files. The Security Module Database
104   Tool allows you to add and delete PKCS #11 modules, change passwords, set defaults, list module
105   contents, enable or disable slots, enable or disable FIPS-140-1 compliance, and assign default
106   providers for cryptographic operations.
107
108.. _setting_up_the_certificate_and_key_databases:
109
110`Setting Up the Certificate and Key Databases <#setting_up_the_certificate_and_key_databases>`__
111------------------------------------------------------------------------------------------------
112
113.. container::
114
115   Before you can run the sample programs (``server.c`` and ``client.c``) that come with NSS, you
116   must set up certificate, key, and security module databases for both the client and the server
117   and populate them with valid CA, client SSL, and server SSL certificates. The following sections
118   decribe how to the Certificate Database Tool to perform these tasks:
119
120   |  `Setting Up the CA DB and Certificate <#1012301>`__
121   | `Setting Up the Server DB and Certificate <#1012351>`__
122   | `Setting Up the Client DB and Certificate <#1012067>`__
123   | `Verifying the Server and Client Certificates <#1012108>`__
124
125      **WARNING:** The instructions below illustrate the use of NSS command line tools to operate a
126      simple root Certificate Authority for test purposes only. The CA, SSL server and SSL client
127      certificates produced by these instructions work correctly for short term testing purposes.
128      Although it is possible to use NSS command line tools to operate a proper CA, these
129      instructions do not provide nearly enough understanding of the many considerations required to
130      competently operate a CA. The NSS teams **strongly** recommends that users should not attempt
131      to operate a CA for use in mission critical production business uses using NSS's command line
132      tools, nor with the simple command line test tools that come with any package of cryptographic
133      libraries. Many who have attempted it have eventually come to regret that decision. For
134      production deployment, the NSS team strongly recommends that you either:
135
136      -  Use certificates from a competent third-party CA that is already known to your relying
137         party software (e.g. your SSL clients), or
138      -  Use professional grade CA software, such as Red Hat's
139         `Dogtag <http://pki.fedoraproject.org/wiki/PKI_Main_Page>`__ `Certificate
140         System <http://www.redhat.com/certificate_system/>`__, to set up and operate your own CA
141         and issue your own certificates.
142
143   For complete information about the command-line options used in the examples that follow, see
144   `Using the Certificate Database Tool <../../tools/certutil.html>`__.
145
146.. _setting_up_the_ca_db_and_certificate:
147
148`Setting Up the CA DB and Certificate <#setting_up_the_ca_db_and_certificate>`__
149~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
150
151.. container::
152
153   Set up the CA with its own separate set of databases.
154
155   #. Create a new certificate database in the ``CA_db`` directory.
156      ``>mkdir CA_db     >certutil -N -d CA_db``
157   #. Create the self-signed Root CA certificate, specifying the subject name for the certificate.
158      ``>certutil -S -d CA_db -n "MyCo's Root CA" -s "CN=My CA,O=MyCo,ST=California,C=US" -t "CT,," -x -2     Enter Password or Pin for "Communicator Certificate DB":``
159   #. Extract the CA certificate from the CA's certificate database to a file.
160      ``>certutil -L -d CA_db -n "MyCo's Root CA" -a -o CA_db/rootca.crt     Enter Password or Pin for "Communicator Certificate DB":``
161   #. Display the contents of the CA's certificate databases.
162      ``>certutil -L -d CA_db``
163
164   The trust flag settings ``"CTu,u,u"`` indicate that the certificate is a CA certificate that is
165   trusted to issue both client (``C``) and server (``T``) SSL certificates. The ``u`` flag
166   indicates that the private key for the CA certificate is present in this set of databases, so the
167   CA can issue SSL client and server certificates with these databases.
168
169.. _setting_up_the_server_db_and_certificate:
170
171`Setting Up the Server DB and Certificate <#setting_up_the_server_db_and_certificate>`__
172~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
173
174.. container::
175
176   The sections that follow describe how to set up the Server DB and certificate:
177
178   #. Create a new certificate database in the ``server_db`` directory.
179      ``>mkdir server_db     >certutil -N -d server_db``
180   #. Import the new CA certificate into the server's certificate database, and mark it trusted for
181      issuing certificates for SSL client and server authentication.
182      ``>certutil -A -d server_db -n "MyCo's Root CA" -t "TC,," -a -i CA_db/rootca.crt``
183   #. Create the server certificate request, specifying the subject name for the server certificate.
184      We make the common name (CN) be identical to the hostname of the server. Note that this step
185      generates the server's private key, so it must be done in the server's database directory.
186      ``>certutil -R -d server_db -s "CN=myco.mcom.org,O=MyCo,ST=California,C=US" -a -o server_db/server.req     Enter Password or Pin for "Communicator Certificate DB":``
187   #. This step simulates the CA signing and issuing a new server certificate based on the server's
188      certificate request. The new cert is signed with the CA's private key, so this operation uses
189      the CA's databases. This step leaves the server's new certificate in a file.
190      ``>certutil -C -d CA_db -c "MyCo's Root CA" -a -i server_db/server.req -o server_db/server.crt -2 -6     Enter Password or Pin for "Communicator Certificate DB":``
191   #. Import (Add) the new server certificate to the server's certificate database in the
192      ``server_db`` directory with the appropriate nickname. Notice that no trust is explicitly
193      needed for this certificate.
194      ``>certutil -A -d server_db -n myco.mcom.org -a -i server_db/server.crt -t ",,"``
195   #. Display the contents of the server's certificate databases.
196      ``>certutil -L -d server_db``
197
198   The trust flag settings ``"u,u,u"`` indicate that the server's databases contain the private key
199   for this certificate. This is necessary for the SSL server to be able to do its job.
200
201.. _setting_up_the_client_db_and_certificate:
202
203`Setting Up the Client DB and Certificate <#setting_up_the_client_db_and_certificate>`__
204~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
205
206.. container::
207
208   Setting up the client certificate database involves three stages:
209
210   #. Create a new certificate database in the ``client_db`` directory.
211      ``>mkdir client_db     >certutil -N -d client_db``
212   #. Import the new CA certificate into the client's certificate database, and mark it trusted for
213      issuing certificates for SSL client and server authentication.
214      ``>certutil -A -d client_db -n "MyCo's Root CA" -t "TC,," -a -i CA_db/rootca.crt``
215   #. Create the client certificate request, specifying the subject name for the certificate.
216      ``>certutil -R -d client_db -s "CN=Joe Client,O=MyCo,ST=California,C=US" -a -o client_db/client.req     Enter Password or Pin for "Communicator Certificate DB":``
217   #. This step simulates the CA signing and issuing a new client certificate based on the client's
218      certificate request. The new cert is signed with the CA's private key, so this operation uses
219      the CA's databases. This step leaves the client's new certificate in a file.
220      ``>certutil -C -d CA_db -c "MyCo's Root CA" -a -i client_db/client.req -o client_db/client.crt -2 -6     Enter Password or Pin for "Communicator Certificate DB":``
221   #. Add the new client certificate to the client's certificate database in the ``client_db``
222      directory with the appropriate nickname. Notice that no trust is required for this
223      certificate.
224      ``>certutil -A -d client_db -n "Joe Client" -a -i client_db/client.crt -t ",,"``
225   #. Display the contents of the client's certificate databases.
226      ``>certutil -L -d client_db``
227
228   The trust flag settings ``"u,u,u"`` indicate that the client's databases contain the private key
229   for this certificate. This is necessary for the SSL client to be able to authenticate to the
230   server.
231
232.. _verifying_the_server_and_client_certificates:
233
234`Verifying the Server and Client Certificates <#verifying_the_server_and_client_certificates>`__
235~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
236
237.. container::
238
239   When you have finished setting up the server and client certificate databases, verify that the
240   client and server certificates are valid, as follows:
241
242   ``>certutil -V -d server_db -u V -n myco.mcom.org certutil: certificate is valid``
243
244   ``>certutil -V -d client_db -u C -n "Joe Client" certutil: certificate is valid``
245
246.. _building_nss_programs:
247
248`Building NSS Programs <#building_nss_programs>`__
249--------------------------------------------------
250
251.. container::
252
253   On Unix, use the GNU utility ``gmake`` to run the makefile. On Windows NT, use the ``nmake``
254   utility that comes with Visual C++.
255
256   If you create your own makefiles, be sure to include the libraries in the same order that they
257   are listed in the sample makefiles. In addition, you must use the following compiler flags:
258
259   Solaris flags:
260
261   ``-c -O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT -DSOLARIS2_5 -D_SVID_GETTOD -DXP_UNIX -UDEBUG -DNDEBUG``
262
263   Windows NT flags:
264
265   ``-c -O2 -MD -W3 -nologo -D_X86_ -GT -DWINNT -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG -DWIN32 -D_WINDOWS``