Table of Contents
Advertisement
Whether you use an internal token or an external token for generating and storing
key pairs, CMS always maintains its list of trusted and untrusted CA certificates in
its internal token.
You may need to add new certificates to the database, remove unwanted
certificates from the database, or change the trust settings of CA certificates in the
database. This section explains how to view the contents of the certificate database,
delete unwanted certificates, and change the trust settings of CA certificates
installed in the database using the CMS window. For information on adding
certificates to the database, see "Certificate Setup Wizard" on page 298.
CMS also provides a command-line utility called
NOTE
managing its certificate database. For details about this tool, check
this site:
http://www.mozilla.org/projects/security/pki/nss/tools/
Viewing and Deleting Certificate Database
Content
As an administrator, you should periodically check the contents of the certificate
database and make sure that it doesn't include any unwanted CA certificates. For
example, if the database includes CA certificates that you don't ever want to trust
in your PKI setup, you should delete them.
Removing unwanted certificates also reduces the size of the certificate database.
NOTE
When deleting CA certificates from the certificate database, be
careful not to delete the intermediate CA certificates, which help a
subsystem chain up to the trusted CA certificate. If in doubt, leave
the certificates in the database as untrusted CA certificates; see
"Changing the Trust Settings of a CA Certificate" on page 296.
To view the contents of the database:
Log in to the CMS window (see "Logging Into the CMS Console" on page 247).
1.
Select the Configuration tab, and then in the right pane, select the Encryption
2.
tab.
Managing the Certificate Database
certutil
Chapter 7
Administrative Basics
for
295
Advertisement
Table of Contents
