Bootstrapping

This is how we get the list of trusted roots and the intermediates file.

This process has already been done for you, you don't need to repeat it unless you want updated data.

  1. Download an updated list of trusted roots:

    $ SRC="http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
$ curl -s "$SRC" > var/mozilla-certdata.txt
$ bin/bootstrap-trusted-pems-from-mozilla-certdata < var/mozilla-certdata.txt > var/pools/trusted.pem

  2. Generate the intermediates pool:

    $ bin/bootstrap-detect-intermediates var/all-the-certs.pem

    The var/all-the-certs.pem is a pool of assorted certificates to extract intermediates from. You'll have to compile this file yourself.

    If circular chains are detected, all members of them will be rejected and printed to stderr. You can resolve the cycle manually, and decide which certificate(s) to exclude to break the cycle. Add those to var/pools/excluded.pem and generate the intermediates pool again.

This readme is very outdated and incomplete now. Enjoy :P

ssltool-complete-chain

Re-orders and completes a chain for a given certificate.

More precisely, it takes any string as input, scans for PEMs, detects one that is a certificate for a domain name, then goes on to complete its chain, in correct order.

The pool of possible chain completions are whatever other certificates that are passed as input, plus all certificates in the intermediate and trusted pools (see var/pools/).

The output is the correct and complete chain. Everything else from the input is discarded.

If the chain is incomplete, untrusted, or the certificate is self-signed, warnings will be printed to stderr.

Usage

ssltool-complete-chain can work with either stdin or file arguments, so all of the below are valid:

### pipe a file in:
$ ssltool-complete-chain < example.com.pem

### pass multiple file names as arguments:
$ ssltool-complete-chain example.com.pem issuer-intermediates.pem

### pass a file descriptor from a command's stdout:
$ ssltool-complete-chain <(pbpaste)

### or just pipe that command in:
$ pbpaste | ssltool-complete-chain