.. _mozilla_projects_nss_tools_signtool:

NSS tools : signtool
====================

.. container::

   | Name
   |    signtool — Digitally sign objects and files.
   | Synopsis
   |    signtool [-k keyName] `-h <-h>`__ `-H <-H>`__ `-l <-l>`__ `-L <-L>`__ `-M <-M>`__
     `-v <-v>`__ `-w <-w>`__
   |    `-G nickname <-G_nickname>`__ `-s size <--keysize>`__ `-b basename <-b_basename>`__
   |    [-c Compression Level] [-d cert-dir] [-i installer script] [-m metafile]
   |    [-x name] [-f filename] [-t|--token tokenname] [-e extension] [-o]
   |    [-z] [-X] [--outfile] [--verbose value] [--norecurse]
   |    [--leavearc] [-j directory] [-Z jarfile] [-O] [-p password]
   |    [directory-tree] [archive]
   | Description
   |    The Signing Tool, signtool, creates digital signatures and uses a Java
   |    Archive (JAR) file to associate the signatures with files in a directory.
   |    Electronic software distribution over any network involves potential
   |    security problems. To help address some of these problems, you can
   |    associate digital signatures with the files in a JAR archive. Digital
   |    signatures allow SSL-enabled clients to perform two important operations:
   |    \* Confirm the identity of the individual, company, or other entity whose
   |    digital signature is associated with the files
   |    \* Check whether the files have been tampered with since being signed
   |    If you have a signing certificate, you can use Netscape Signing Tool to
   |    digitally sign files and package them as a JAR file. An object-signing
   |    certificate is a special kind of certificate that allows you to associate
   |    your digital signature with one or more files.
   |    An individual file can potentially be signed with multiple digital
   |    signatures. For example, a commercial software developer might sign the
   |    files that constitute a software product to prove that the files are
   |    indeed from a particular company. A network administrator manager might
   |    sign the same files with an additional digital signature based on a
   |    company-generated certificate to indicate that the product is approved for
   |    use within the company.
   |    The significance of a digital signature is comparable to the significance
   |    of a handwritten signature. Once you have signed a file, it is difficult
   |    to claim later that you didn't sign it. In some situations, a digital
   |    signature may be considered as legally binding as a handwritten signature.
   |    Therefore, you should take great care to ensure that you can stand behind
   |    any file you sign and distribute.
   |    For example, if you are a software developer, you should test your code to
   |    make sure it is virus-free before signing it. Similarly, if you are a
   |    network administrator, you should make sure, before signing any code, that
   |    it comes from a reliable source and will run correctly with the software
   |    installed on the machines to which you are distributing it.
   |    Before you can use Netscape Signing Tool to sign files, you must have an
   |    object-signing certificate, which is a special certificate whose
   |    associated private key is used to create digital signatures. For testing
   |    purposes only, you can create an object-signing certificate with Netscape
   |    Signing Tool 1.3. When testing is finished and you are ready to
   |    distribute your software, you should obtain an object-signing certificate
   |    from one of two kinds of sources:
   |    \* An independent certificate authority (CA) that authenticates your
   |    identity and charges you a fee. You typically get a certificate from an
   |    independent CA if you want to sign software that will be distributed over
   |    the Internet.
   |    \* CA server software running on your corporate intranet or extranet.
   |    Netscape Certificate Management System provides a complete management
   |    solution for creating, deploying, and managing certificates, including CAs
   |    that issue object-signing certificates.
   |    You must also have a certificate for the CA that issues your signing
   |    certificate before you can sign files. If the certificate authority's
   |    certificate isn't already installed in your copy of Communicator, you
   |    typically install it by clicking the appropriate link on the certificate
   |    authority's web site, for example on the page from which you initiated
   |    enrollment for your signing certificate. This is the case for some test
   |    certificates, as well as certificates issued by Netscape Certificate
   |    Management System: you must download the CA certificate in addition to
   |    obtaining your own signing certificate. CA certificates for several
   |    certificate authorities are preinstalled in the Communicator certificate
   |    database.
   |    When you receive an object-signing certificate for your own use, it is
   |    automatically installed in your copy of the Communicator client software.
   |    Communicator supports the public-key cryptography standard known as PKCS
   |    #12, which governs key portability. You can, for example, move an
   |    object-signing certificate and its associated private key from one
   |    computer to another on a credit-card-sized device called a smart card.
   | Options
   |    -b basename
   |            Specifies the base filename for the .rsa and .sf files in the
   |            META-INF directory to conform with the JAR format. For example, -b
   |            signatures causes the files to be named signatures.rsa and
   |            signatures.sf. The default is signtool.
   |    -c#
   |            Specifies the compression level for the -J or -Z option. The
   |            symbol # represents a number from 0 to 9, where 0 means no
   |            compression and 9 means maximum compression. The higher the level
   |            of compression, the smaller the output but the longer the
   |            operation takes. If the -c# option is not used with either the -J
   |            or the -Z option, the default compression value used by both the
   |            -J and -Z options is 6.
   |    -d certdir
   |            Specifies your certificate database directory; that is, the
   |            directory in which you placed your key3.db and cert7.db files. To
   |            specify the current directory, use "-d." (including the period).
   |            The Unix version of signtool assumes ~/.netscape unless told
   |            otherwise. The NT version of signtool always requires the use of
   |            the -d option to specify where the database files are located.
   |    -e extension
   |            Tells signtool to sign only files with the given extension; for
   |            example, use -e".class" to sign only Java class files. Note that
   |            with Netscape Signing Tool version 1.1 and later this option can
   |            appear multiple times on one command line, making it possible to
   |            specify multiple file types or classes to include.
   |    -f commandfile
   |            Specifies a text file containing Netscape Signing Tool options and
   |            arguments in keyword=value format. All options and arguments can
   |            be expressed through this file. For more information about the
   |            syntax used with this file, see "Tips and Techniques".
   |    -i scriptname
   |            Specifies the name of an installer script for SmartUpdate. This
   |            script installs files from the JAR archive in the local system
   |            after SmartUpdate has validated the digital signature. For more
   |            details, see the description of -m that follows. The -i option
   |            provides a straightforward way to provide this information if you
   |            don't need to specify any metadata other than an installer script.
   |    -j directory
   |            Specifies a special JavaScript directory. This option causes the
   |            specified directory to be signed and tags its entries as inline
   |            JavaScript. This special type of entry does not have to appear in
   |            the JAR file itself. Instead, it is located in the HTML page
   |            containing the inline scripts. When you use signtool -v, these
   |            entries are displayed with the string NOT PRESENT.
   |    -k key ... directory
   |            Specifies the nickname (key) of the certificate you want to sign
   |            with and signs the files in the specified directory. The directory
   |            to sign is always specified as the last command-line argument.
   |            Thus, it is possible to write signtool -k MyCert -d . signdir You
   |            may have trouble if the nickname contains a single quotation mark.
   |            To avoid problems, escape the quotation mark using the escape
   |            conventions for your platform. It's also possible to use the -k
   |            option without signing any files or specifying a directory. For
   |            example, you can use it with the -l option to get detailed
   |            information about a particular signing certificate.
   |    -G nickname
   |            Generates a new private-public key pair and corresponding
   |            object-signing certificate with the given nickname. The newly
   |            generated keys and certificate are installed into the key and
   |            certificate databases in the directory specified by the -d option.
   |            With the NT version of Netscape Signing Tool, you must use the -d
   |            option with the -G option. With the Unix version of Netscape
   |            Signing Tool, omitting the -d option causes the tool to install
   |            the keys and certificate in the Communicator key and certificate
   |            databases. If you are installing the keys and certificate in the
   |            Communicator databases, you must exit Communicator before using
   |            this option; otherwise, you risk corrupting the databases. In all
   |            cases, the certificate is also output to a file named x509.cacert,
   |            which has the MIME-type application/x-x509-ca-cert. Unlike
   |            certificates normally used to sign finished code to be distributed
   |            over a network, a test certificate created with -G is not signed
   |            by a recognized certificate authority. Instead, it is self-signed.
   |            In addition, a single test signing certificate functions as both
   |            an object-signing certificate and a CA. When you are using it to
   |            sign objects, it behaves like an object-signing certificate. When
   |            it is imported into browser software such as Communicator, it
   |            behaves like an object-signing CA and cannot be used to sign
   |            objects. The -G option is available in Netscape Signing Tool 1.0
   |            and later versions only. By default, it produces only RSA
   |            certificates with 1024-byte keys in the internal token. However,
   |            you can use the -s option to specify the required key size and the
   |            -t option to specify the token. For more information about the use
   |            of the -G option, see "Generating Test Object-Signing
   |            Certificates".
   |    -l
   |            Lists signing certificates, including issuing CAs. If any of your
   |            certificates are expired or invalid, the list will so specify.
   |            This option can be used with the -k option to list detailed
   |            information about a particular signing certificate. The -l option
   |            is available in Netscape Signing Tool 1.0 and later versions only.
   |    -J
   |            Signs a directory of HTML files containing JavaScript and creates
   |            as many archive files as are specified in the HTML tags. Even if
   |            signtool creates more than one archive file, you need to supply
   |            the key database password only once. The -J option is available
   |            only in Netscape Signing Tool 1.0 and later versions. The -J
   |            option cannot be used at the same time as the -Z option. If the
   |            -c# option is not used with the -J option, the default compression
   |            value is 6. Note that versions 1.1 and later of Netscape Signing
   |            Tool correctly recognize the CODEBASE attribute, allow paths to
   |            be expressed for the CLASS and SRC attributes instead of filenames
   |            only, process LINK tags and parse HTML correctly, and offer
   |            clearer error messages.
   |    -L
   |            Lists the certificates in your database. An asterisk appears to
   |            the left of the nickname for any certificate that can be used to
   |            sign objects with signtool.
   |    --leavearc
   |            Retains the temporary .arc (archive) directories that the -J
   |            option creates. These directories are automatically erased by
   |            default. Retaining the temporary directories can be an aid to
   |            debugging.
   |    -m metafile
   |            Specifies the name of a metadata control file. Metadata is signed
   |            information attached either to the JAR archive itself or to files
   |            within the archive. This metadata can be any ASCII string, but is
   |            used mainly for specifying an installer script. The metadata file
   |            contains one entry per line, each with three fields:
   |            field #1: file specification, or + if you want to specify global
   |            metadata (that is, metadata about the JAR archive itself or all
   |            entries in the archive)
   |            field #2: the name of the data you are specifying; for example:
   |            Install-Script
   |            field #3: data corresponding to the name in field #2
   |            For example, the -i option uses the equivalent of this line:
   |            + Install-Script: script.js
   |            This example associates a MIME type with a file:
   |            movie.qt MIME-Type: video/quicktime
   |            For information about the way installer script information
   |            appears in the manifest file for a JAR archive, see The JAR
   |            Format on Netscape DevEdge.
   |    -M
   |            Lists the PKCS #11 modules available to signtool, including smart
   |            cards. The -M option is available in Netscape Signing Tool 1.0 and
   |            later versions only. For information on using Netscape Signing
   |            Tool with smart cards, see "Using Netscape Signing Tool with Smart
   |            Cards". For information on using the -M option to verify
   |            FIPS-140-1 validated mode, see "Netscape Signing Tool and
   |            FIPS-140-1".
   |    --norecurse
   |            Blocks recursion into subdirectories when signing a directory's
   |            contents or when parsing HTML.
   |    -o
   |            Optimizes the archive for size. Use this only if you are signing
   |            very large archives containing hundreds of files. This option
   |            makes the manifest files (required by the JAR format) considerably
   |            smaller, but they contain slightly less information.
   |    --outfile outputfile
   |            Specifies a file to receive redirected output from Netscape
   |            Signing Tool.
   |    -p password
   |            Specifies a password for the private-key database. Note that the
   |            password entered on the command line is displayed as plain text.
   |    -s keysize
   |            Specifies the size of the key for generated certificate. Use the
   |            -M option to find out what tokens are available. The -s option can
   |            be used with the -G option only.
   |    -t token
   |            Specifies which available token should generate the key and
   |            receive the certificate. Use the -M option to find out what tokens
   |            are available. The -t option can be used with the -G option only.
   |    -v archive
   |            Displays the contents of an archive and verifies the cryptographic
   |            integrity of the digital signatures it contains and the files with
   |            which they are associated. This includes checking that the
   |            certificate for the issuer of the object-signing certificate is
   |            listed in the certificate database, that the CA's digital
   |            signature on the object-signing certificate is valid, that the
   |            relevant certificates have not expired, and so on.
   |    --verbosity value
   |            Sets the quantity of information Netscape Signing Tool generates
   |            in operation. A value of 0 (zero) is the default and gives full
   |            information. A value of -1 suppresses most messages, but not error
   |            messages.
   |    -w archive
   |            Displays the names of signers of any files in the archive.
   |    -x directory
   |            Excludes the specified directory from signing. Note that with
   |            Netscape Signing Tool version 1.1 and later this option can appear
   |            multiple times on one command line, making it possible to specify
   |            several particular directories to exclude.
   |    -z
   |            Tells signtool not to store the signing time in the digital
   |            signature. This option is useful if you want the expiration date
   |            of the signature checked against the current date and time rather
   |            than the time the files were signed.
   |    -Z jarfile
   |            Creates a JAR file with the specified name. You must specify this
   |            option if you want signtool to create the JAR file; it does not do
   |            so automatically. If you don't specify -Z, you must use an
   |            external ZIP tool to create the JAR file. The -Z option cannot be
   |            used at the same time as the -J option. If the -c# option is not
   |            used with the -Z option, the default compression value is 6.
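   The -m metadata control file format described above, as an added example in Python (not part of NSS or the signtool sources): a parser for the three-field entries, with the two lines quoted in the option description embedded as constructed input. Treating a trailing colon on the name field as part of the examples' notation, and rejecting lines with fewer than three fields, are this example's own choices, not documented tool behaviour.

   ```python
   """Parser for signtool -m metadata control files (added example, not NSS code).

   Each non-blank line carries three whitespace-separated fields:
     field 1: a file specification, or "+" for global metadata
     field 2: the metadata name (the page's examples write it as "Name:")
     field 3: the data, which may itself contain spaces
   """
   from typing import Dict, List, NamedTuple, Optional


   class MetaEntry(NamedTuple):
       target: Optional[str]  # None for global ("+") metadata, else the file spec
       name: str
       value: str


   def parse_metafile(text: str) -> List[MetaEntry]:
       """Split the control file into entries; raise on malformed lines."""
       entries: List[MetaEntry] = []
       for lineno, raw in enumerate(text.splitlines(), 1):
           line = raw.strip()
           if not line:
               continue  # blank lines carry nothing
           parts = line.split(None, 2)  # field 3 keeps any embedded spaces
           if len(parts) != 3:
               raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
           spec, name, value = parts
           name = name.rstrip(":")  # assumption: the colon is notation, not part of the name
           entries.append(MetaEntry(None if spec == "+" else spec, name, value))
       return entries


   def global_metadata(entries: List[MetaEntry]) -> Dict[str, str]:
       """Metadata that applies to the archive as a whole ("+" entries)."""
       return {e.name: e.value for e in entries if e.target is None}


   def file_metadata(entries: List[MetaEntry]) -> Dict[str, Dict[str, str]]:
       """Per-file metadata, keyed by file specification."""
       out: Dict[str, Dict[str, str]] = {}
       for e in entries:
           if e.target is not None:
               out.setdefault(e.target, {})[e.name] = e.value
       return out


   # Constructed sample: the two example lines from the -m option description.
   SAMPLE_METAFILE = """\
   + Install-Script: script.js
   movie.qt MIME-Type: video/quicktime
   """

   if __name__ == "__main__":
       parsed = parse_metafile(SAMPLE_METAFILE)
       print("global:", global_metadata(parsed))
       print("per-file:", file_metadata(parsed))
   ```

   Because metadata is signed along with the archive, a reviewer can diff the parsed global and per-file dictionaries against an approved baseline before signing, rather than eyeballing the raw control file.
   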
   | The Command File Format
   |    Entries in a Netscape Signing Tool command file have this general format:
   |  keyword=value
   |    Everything before the = sign on a single line is a keyword, and everything
   |    from the = sign to the end of line is a value. The value may include =
   |    signs; only the first = sign on a line is interpreted. Blank lines are
   |    ignored, but white space on a line with keywords and values is assumed to
   |    be part of the keyword (if it comes before the equal sign) or part of the
   |    value (if it comes after the first equal sign). Keywords are case
   |    insensitive, values are generally case sensitive. Since the = sign and
   |    newline delimit the value, it should not be quoted.
   |    basename
   |            Same as -b option.
   |    compression
   |            Same as -c option.
   |    certdir
   |            Same as -d option.
   |    extension
   |            Same as -e option.
   |    generate
   |            Same as -G option.
   |    installscript
   |            Same as -i option.
   |    javascriptdir
   |            Same as -j option.
   |    htmldir
   |            Same as -J option.
   |    certname
   |            Nickname of certificate, as with -k and -l -k options.
   |    signdir
   |            The directory to be signed, as with -k option.
   |    list
   |            Same as -l option. Value is ignored, but = sign must be present.
   |    listall
   |            Same as -L option. Value is ignored, but = sign must be present.
   |    metafile
   |            Same as -m option.
   |    modules
   |            Same as -M option. Value is ignored, but = sign must be present.
   |    optimize
   |            Same as -o option. Value is ignored, but = sign must be present.
   |    password
   |            Same as -p option.
   |    keysize
   |            Same as -s option.
   |    token
   |            Same as -t option.
   |    verify
   |            Same as -v option.
   |    who
   |            Same as -w option.
   |    exclude
   |            Same as -x option.
   |    notime
   |            Same as -z option. Value is ignored, but = sign must be present.
   |    jarfile
   |            Same as -Z option.
   |    outfile
   |            Name of a file to which output and error messages will be
   |            redirected. This option has no command-line equivalent.
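   The command file rules above (first = sign delimits, blank lines ignored, surrounding white space belongs to the keyword or value, keywords case-insensitive, values case-sensitive) together with the keyword table, as an added Python example that is not part of NSS. It rejects a line with no = sign and any keyword not in the table so that a misspelled keyword cannot silently drop an option such as certdir or metafile; that strictness is this example's choice, not documented signtool behaviour. The sample command file is constructed.

   ```python
   """Parser for signtool -f command files (added example, not NSS code)."""
   from typing import Dict

   # Keyword table from the page; every keyword has a command-line equivalent
   # except outfile.
   KNOWN_KEYWORDS = frozenset({
       "basename", "compression", "certdir", "extension", "generate",
       "installscript", "javascriptdir", "htmldir", "certname", "signdir",
       "list", "listall", "metafile", "modules", "optimize", "password",
       "keysize", "token", "verify", "who", "exclude", "notime", "jarfile",
       "outfile",
   })

   # Keywords whose value is ignored; only the "=" must be present.
   FLAG_KEYWORDS = frozenset({"list", "listall", "modules", "optimize", "notime"})


   def parse_command_file(text: str) -> Dict[str, str]:
       """Return {lower-case keyword: value}; raise ValueError on bad lines."""
       options: Dict[str, str] = {}
       for lineno, line in enumerate(text.splitlines(), 1):
           if line.strip() == "":
               continue  # blank lines are ignored
           if "=" not in line:
               raise ValueError(f"line {lineno}: missing '=' sign")
           keyword, value = line.split("=", 1)  # only the first '=' delimits
           # White space before '=' is part of the keyword (not stripped), so
           # "certdir =x" names the keyword "certdir " and is rejected below.
           key = keyword.lower()  # keywords are case-insensitive
           if key not in KNOWN_KEYWORDS:
               raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
           if key in FLAG_KEYWORDS:
               value = ""  # value is ignored for flag keywords
           options[key] = value  # values keep their case and white space
       return options


   # Constructed sample: mixed keyword case, an empty flag value, a blank line.
   SAMPLE_COMMAND_FILE = """\
   CertDir=/u/jsmith/.netscape
   certname=MySignCert
   signdir=signdir
   jarfile=testjar.jar
   notime=

   """

   if __name__ == "__main__":
       for k, v in parse_command_file(SAMPLE_COMMAND_FILE).items():
           print(f"{k} -> {v!r}")
   ```

   Note that `password=` lines land in the returned dictionary in clear, exactly as the -p option exposes the password on the command line; a script that logs the parsed options should redact that key.
   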
   | Extended Examples
   |    Listing Available Signing Certificates
   |    You use the -L option to list the nicknames for all available certificates
   |    and check which ones are signing certificates.
   |  signtool -L
   |  using certificate directory: /u/jsmith/.netscape
   |  S Certificates
   |  - ------------
   |    BBN Certificate Services CA Root 1
   |    IBM World Registry CA
   |    VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
   |    GTE CyberTrust Root CA
   |    Uptime Group Plc. Class 4 CA
   |  \* Verisign Object Signing Cert
   |    Integrion CA
   |    GTE CyberTrust Secure Server CA
   |    AT&T Directory Services
   |  \* test object signing cert
   |    Uptime Group Plc. Class 1 CA
   |    VeriSign Class 1 Primary CA
   |  - ------------
   |  Certificates that can be used to sign objects have \*'s to their left.
   |    Two signing certificates are displayed: Verisign Object Signing Cert and
   |    test object signing cert.
   |    You use the -l option to get a list of signing certificates only,
   |    including the signing CA for each.
   |  signtool -l
   |  using certificate directory: /u/jsmith/.netscape
   |  Object signing certificates
   |  ---------------------------------------
   |  Verisign Object Signing Cert
   |      Issued by: VeriSign, Inc. - Verisign, Inc.
   |      Expires: Tue May 19, 1998
   |  test object signing cert
   |      Issued by: test object signing cert (Signtool 1.0 Testing
   |  Certificate (960187691))
   |      Expires: Sun May 17, 1998
   |  ---------------------------------------
   |    For a list including CAs, use the -L option.
   |    Signing a File
   |    1. Create an empty directory.
   |  mkdir signdir
   |    2. Put some file into it.
   |  echo boo > signdir/test.f
   |    3. Specify the name of your object-signing certificate and sign the
   |    directory.
   |  signtool -k MySignCert -Z testjar.jar signdir
   |  using key "MySignCert"
   |  using certificate directory: /u/jsmith/.netscape
   |  Generating signdir/META-INF/manifest.mf file..
   |  --> test.f
   |  adding signdir/test.f to testjar.jar
   |  Generating signtool.sf file..
   |  Enter Password or Pin for "Communicator Certificate DB":
   |  adding signdir/META-INF/manifest.mf to testjar.jar
   |  adding signdir/META-INF/signtool.sf to testjar.jar
   |  adding signdir/META-INF/signtool.rsa to testjar.jar
   |  tree "signdir" signed successfully
   |    4. Test the archive you just created.
   |  signtool -v testjar.jar
   |  using certificate directory: /u/jsmith/.netscape
   |  archive "testjar.jar" has passed crypto verification.
   |             status   path
   |       ------------   -------------------
   |           verified   test.f
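   Step 4 above turns the signing procedure into something a build or deployment pipeline can gate on, provided the -v output is checked mechanically rather than by eye. The following added Python example (not part of NSS) parses the output layout shown in step 4: the "has passed crypto verification" banner and the status/path table. It treats a missing banner, an empty table, or any entry whose status is not "verified" as a failure; the -j option description says inline-JavaScript entries are reported as NOT PRESENT, and this example's policy is not to accept those blindly. The sample output is constructed from the page's example.

   ```python
   """Check `signtool -v archive` output (added example, not NSS code)."""
   import re
   from dataclasses import dataclass, field
   from typing import Dict, Optional

   PASS_RE = re.compile(r'^archive "(?P<name>[^"]+)" has passed crypto verification\.')


   @dataclass
   class VerifyResult:
       archive: Optional[str] = None
       crypto_passed: bool = False
       entries: Dict[str, str] = field(default_factory=dict)  # path -> status

       def ok(self) -> bool:
           """True only if the banner was seen and every entry is 'verified'."""
           return (self.crypto_passed and bool(self.entries)
                   and all(s == "verified" for s in self.entries.values()))


   def parse_verify_output(output: str) -> VerifyResult:
       """Parse the banner and the status/path table from signtool -v output."""
       result = VerifyResult()
       path_col = None  # column where the 'path' field starts, from the header
       for line in output.splitlines():
           stripped = line.strip()
           m = PASS_RE.match(stripped)
           if m:
               result.archive = m.group("name")
               result.crypto_passed = True
               continue
           if path_col is None:
               if stripped.split() == ["status", "path"]:
                   path_col = line.index("path")  # rows align on this column
               continue
           if not stripped or set(stripped) <= set("- "):
               continue  # separator row of dashes
           status = line[:path_col].strip()   # may be multi-word, e.g. NOT PRESENT
           path = line[path_col:].strip()     # may contain spaces
           if status and path:
               result.entries[path] = status
       return result


   # Constructed sample: the step 4 output from the page.
   SAMPLE_OUTPUT = """\
   using certificate directory: /u/jsmith/.netscape
   archive "testjar.jar" has passed crypto verification.
              status   path
        ------------   -------------------
            verified   test.f
   """

   if __name__ == "__main__":
       r = parse_verify_output(SAMPLE_OUTPUT)
       print(r.archive, r.entries, "OK" if r.ok() else "FAILED")
   ```

   A pipeline would feed the captured output of `signtool -v` into `parse_verify_output` and refuse to ship the archive unless `ok()` is true; the per-path statuses give the reason when it is not.
   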
   |    Using Netscape Signing Tool with a ZIP Utility
   |    To use Netscape Signing Tool with a ZIP utility, you must have the utility
   |    in your path environment variable. You should use the zip.exe utility
   |    rather than pkzip.exe, which cannot handle long filenames. You can use a
   |    ZIP utility instead of the -Z option to package a signed archive into a
   |    JAR file after you have signed it:
   |  cd signdir
   |  zip -r ../myjar.jar \*
   |    adding: META-INF/ (stored 0%)
   |    adding: META-INF/manifest.mf (deflated 15%)
   |    adding: META-INF/signtool.sf (deflated 28%)
   |    adding: META-INF/signtool.rsa (stored 0%)
   |    adding: text.txt (stored 0%)
   |    Generating the Keys and Certificate
   |    The signtool option -G generates a new public-private key pair and
   |    certificate. It takes the nickname of the new certificate as an argument.
   |    The newly generated keys and certificate are installed into the key and
   |    certificate databases in the directory specified by the -d option. With
   |    the NT version of Netscape Signing Tool, you must use the -d option with
   |    the -G option. With the Unix version of Netscape Signing Tool, omitting
   |    the -d option causes the tool to install the keys and certificate in the
   |    Communicator key and certificate databases. In all cases, the certificate
   |    is also output to a file named x509.cacert, which has the MIME-type
   |    application/x-x509-ca-cert.
   |    Certificates contain standard information about the entity they identify,
   |    such as the common name and organization name. Netscape Signing Tool
   |    prompts you for this information when you run the command with the -G
   |    option. However, all of the requested fields are optional for test
   |    certificates. If you do not enter a common name, the tool provides a
   |    default name. In the following example, the user input is in boldface:
   |  signtool -G MyTestCert
   |  using certificate directory: /u/someuser/.netscape
   |  Enter certificate information. All fields are optional. Acceptable
   |  characters are numbers, letters, spaces, and apostrophes.
   |  certificate common name: Test Object Signing Certificate
   |  organization: Netscape Communications Corp.
   |  organization unit: Server Products Division
   |  state or province: California
   |  country (must be exactly 2 characters): US
   |  username: someuser
   |  email address: someuser@netscape.com
   |  Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
   |  generated public/private key pair
   |  certificate request generated
   |  certificate has been signed
   |  certificate "MyTestCert" added to database
   |  Exported certificate to x509.raw and x509.cacert.
   |    The certificate information is read from standard input. Therefore, the
   |    information can be read from a file using the redirection operator (<) in
   |    some operating systems. To create a file for this purpose, enter each of
   |    the seven input fields, in order, on a separate line. Make sure there is a
   |    newline character at the end of the last line. Then run signtool with
   |    standard input redirected from your file as follows:
   |  signtool -G MyTestCert < inputfile
   |    The prompts show up on the screen, but the responses will be automatically
   |    read from the file. The password will still be read from the console
   |    unless you use the -p option to give the password on the command line.
   |    Using the -M Option to List Smart Cards
   |    You can use the -M option to list the PKCS #11 modules, including smart
   |    cards, that are available to signtool:
   |  signtool -d "c:\netscape\users\jsmith" -M
   |  using certificate directory: c:\netscape\users\username
   |  Listing of PKCS11 modules
   |  -----------------------------------------------
   |          1. Netscape Internal PKCS #11 Module
   |                            (this module is internally loaded)
   |                            slots: 2 slots attached
   |                            status: loaded
   |            slot: Communicator Internal Cryptographic Services Version 4.0
   |           token: Communicator Generic Crypto Svcs
   |            slot: Communicator User Private Key and Certificate Services
   |           token: Communicator Certificate DB
   |          2. CryptOS
   |                            (this is an external module)
   |   DLL name: core32
   |           slots: 1 slots attached
   |          status: loaded
   |            slot: Litronic 210
   |           token:
   |          -----------------------------------------------
   |    Using Netscape Signing Tool and a Smart Card to Sign Files
   |    The signtool command normally takes an argument of the -k option to
   |    specify a signing certificate. To sign with a smart card, you supply only
   |    the fully qualified name of the certificate.
   |    To see fully qualified certificate names when you run Communicator, click
   |    the Security button in Navigator, then click Yours under Certificates in
   |    the left frame. Fully qualified names are of the format smart
   |    card:certificate, for example "MyCard:My Signing Cert". You use this name
   |    with the -k argument as follows:
   |  signtool -k "MyCard:My Signing Cert" directory
   |    Verifying FIPS Mode
   |    Use the -M option to verify that you are using the FIPS-140-1 module.
   |  signtool -d "c:\netscape\users\jsmith" -M
   |  using certificate directory: c:\netscape\users\jsmith
   |  Listing of PKCS11 modules
   |  -----------------------------------------------
   |    1. Netscape Internal PKCS #11 Module
   |            (this module is internally loaded)
   |            slots: 2 slots attached
   |            status: loaded
   |      slot: Communicator Internal Cryptographic Services Version 4.0
   |     token: Communicator Generic Crypto Svcs
   |      slot: Communicator User Private Key and Certificate Services
   |     token: Communicator Certificate DB
   |  -----------------------------------------------
   |    This Unix example shows that Netscape Signing Tool is using a FIPS-140-1
   |    module:
   |  signtool -d "c:\netscape\users\jsmith" -M
   |  using certificate directory: c:\netscape\users\jsmith
   |  Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
   |  Listing of PKCS11 modules
   |  -----------------------------------------------
   |  1. Netscape Internal FIPS PKCS #11 Module
   |  (this module is internally loaded)
   |  slots: 1 slots attached
   |  status: loaded
   |  slot: Netscape Internal FIPS-140-1 Cryptographic Services
   |  token: Communicator Certificate DB
   |  -----------------------------------------------
   | See Also
   |    signver (1)
   |    The NSS wiki has information on the new database design and how to
   |    configure applications to use it.
   |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
   |      o https://wiki.mozilla.org/NSS_Shared_DB
   | Additional Resources
   |    For information about NSS and other tools related to NSS (like JSS), check
   |    out the NSS project wiki at
   |    `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
   |    The NSS site relates directly to NSS code changes and releases.
   |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
   |    IRC: Freenode at #dogtag-pki
   | Authors
   |    The NSS tools were written and maintained by developers with Netscape, Red
   |    Hat, and Sun.
   |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
   |    <dlackey@redhat.com>.
   | Copyright
   |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.