tor-browser

index.rst (31738B)

---

.. _mozilla_projects_nss_tools_signtool:

NSS tools : signtool
====================

.. container::

  | Name
  |    signtool — Digitally sign objects and files.
  | Synopsis
  |    signtool [-k keyName] `-h <-h>`__ `-H <-H>`__ `-l <-l>`__ `-L <-L>`__ `-M <-M>`__
    `-v <-v>`__ `-w <-w>`__
  |    `-G nickname <-G_nickname>`__ `-s size <--keysize>`__ `-b basename <-b_basename>`__ [[-c
    Compression
  |    Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x
  |    name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o]
  |    ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ]
  |    [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ]
  |    [directory-tree] [archive]
  | Description
  |    The Signing Tool, signtool, creates digital signatures and uses a Java
  |    Archive (JAR) file to associate the signatures with files in a directory.
  |    Electronic software distribution over any network involves potential
  |    security problems. To help address some of these problems, you can
  |    associate digital signatures with the files in a JAR archive. Digital
  |    signatures allow SSL-enabled clients to perform two important operations:
  |    \* Confirm the identity of the individual, company, or other entity whose
  |    digital signature is associated with the files
  |    \* Check whether the files have been tampered with since being signed
  |    If you have a signing certificate, you can use Netscape Signing Tool to
  |    digitally sign files and package them as a JAR file. An object-signing
  |    certificate is a special kind of certificate that allows you to associate
  |    your digital signature with one or more files.
  |    An individual file can potentially be signed with multiple digital
  |    signatures. For example, a commercial software developer might sign the
  |    files that constitute a software product to prove that the files are
  |    indeed from a particular company. A network administrator manager might
  |    sign the same files with an additional digital signature based on a
  |    company-generated certificate to indicate that the product is approved for
  |    use within the company.
  |    The significance of a digital signature is comparable to the significance
  |    of a handwritten signature. Once you have signed a file, it is difficult
  |    to claim later that you didn't sign it. In some situations, a digital
  |    signature may be considered as legally binding as a handwritten signature.
  |    Therefore, you should take great care to ensure that you can stand behind
  |    any file you sign and distribute.
  |    For example, if you are a software developer, you should test your code to
  |    make sure it is virus-free before signing it. Similarly, if you are a
  |    network administrator, you should make sure, before signing any code, that
  |    it comes from a reliable source and will run correctly with the software
  |    installed on the machines to which you are distributing it.
  |    Before you can use Netscape Signing Tool to sign files, you must have an
  |    object-signing certificate, which is a special certificate whose
  |    associated private key is used to create digital signatures. For testing
  |    purposes only, you can create an object-signing certificate with Netscape
  |    Signing Tool 1.3. When testing is finished and you are ready to
  |    disitribute your software, you should obtain an object-signing certificate
  |    from one of two kinds of sources:
  |    \* An independent certificate authority (CA) that authenticates your
  |    identity and charges you a fee. You typically get a certificate from an
  |    independent CA if you want to sign software that will be distributed over
  |    the Internet.
  |    \* CA server software running on your corporate intranet or extranet.
  |    Netscape Certificate Management System provides a complete management
  |    solution for creating, deploying, and managing certificates, including CAs
  |    that issue object-signing certificates.
  |    You must also have a certificate for the CA that issues your signing
  |    certificate before you can sign files. If the certificate authority's
  |    certificate isn't already installed in your copy of Communicator, you
  |    typically install it by clicking the appropriate link on the certificate
  |    authority's web site, for example on the page from which you initiated
  |    enrollment for your signing certificate. This is the case for some test
  |    certificates, as well as certificates issued by Netscape Certificate
  |    Management System: you must download the CA certificate in addition to
  |    obtaining your own signing certificate. CA certificates for several
  |    certificate authorities are preinstalled in the Communicator certificate
  |    database.
  |    When you receive an object-signing certificate for your own use, it is
  |    automatically installed in your copy of the Communicator client software.
  |    Communicator supports the public-key cryptography standard known as PKCS
  |    #12, which governs key portability. You can, for example, move an
  |    object-signing certificate and its associated private key from one
  |    computer to another on a credit-card-sized device called a smart card.
  | Options
  |    -b basename
  |            Specifies the base filename for the .rsa and .sf files in the
  |            META-INF directory to conform with the JAR format. For example, -b
  |            signatures causes the files to be named signatures.rsa and
  |            signatures.sf. The default is signtool.
  |    -c#
  |            Specifies the compression level for the -J or -Z option. The
  |            symbol # represents a number from 0 to 9, where 0 means no
  |            compression and 9 means maximum compression. The higher the level
  |            of compression, the smaller the output but the longer the
  |            operation takes. If the -c# option is not used with either the -J
  |            or the -Z option, the default compression value used by both the
  |            -J and -Z options is 6.
  |    -d certdir
  |            Specifies your certificate database directory; that is, the
  |            directory in which you placed your key3.db and cert7.db files. To
  |            specify the current directory, use "-d." (including the period).
  |            The Unix version of signtool assumes ~/.netscape unless told
  |            otherwise. The NT version of signtool always requires the use of
  |            the -d option to specify where the database files are located.
  |    -e extension
  |            Tells signtool to sign only files with the given extension; for
  |            example, use -e".class" to sign only Java class files. Note that
  |            with Netscape Signing Tool version 1.1 and later this option can
  |            appear multiple times on one command line, making it possible to
  |            specify multiple file types or classes to include.
  |    -f commandfile
  |            Specifies a text file containing Netscape Signing Tool options and
  |            arguments in keyword=value format. All options and arguments can
  |            be expressed through this file. For more information about the
  |            syntax used with this file, see "Tips and Techniques".
  |    -i scriptname
  |            Specifies the name of an installer script for SmartUpdate. This
  |            script installs files from the JAR archive in the local system
  |            after SmartUpdate has validated the digital signature. For more
  |            details, see the description of -m that follows. The -i option
  |            provides a straightforward way to provide this information if you
  |            don't need to specify any metadata other than an installer script.
  |    -j directory
  |            Specifies a special JavaScript directory. This option causes the
  |            specified directory to be signed and tags its entries as inline
  |            JavaScript. This special type of entry does not have to appear in
  |            the JAR file itself. Instead, it is located in the HTML page
  |            containing the inline scripts. When you use signtool -v, these
  |            entries are displayed with the string NOT PRESENT.
  |    -k key ... directory
  |            Specifies the nickname (key) of the certificate you want to sign
  |            with and signs the files in the specified directory. The directory
  |            to sign is always specified as the last command-line argument.
  |            Thus, it is possible to write signtool -k MyCert -d . signdir You
  |            may have trouble if the nickname contains a single quotation mark.
  |            To avoid problems, escape the quotation mark using the escape
  |            conventions for your platform. It's also possible to use the -k
  |            option without signing any files or specifying a directory. For
  |            example, you can use it with the -l option to get detailed
  |            information about a particular signing certificate.
  |    -G nickname
  |            Generates a new private-public key pair and corresponding
  |            object-signing certificate with the given nickname. The newly
  |            generated keys and certificate are installed into the key and
  |            certificate databases in the directory specified by the -d option.
  |            With the NT version of Netscape Signing Tool, you must use the -d
  |            option with the -G option. With the Unix version of Netscape
  |            Signing Tool, omitting the -d option causes the tool to install
  |            the keys and certificate in the Communicator key and certificate
  |            databases. If you are installing the keys and certificate in the
  |            Communicator databases, you must exit Communicator before using
  |            this option; otherwise, you risk corrupting the databases. In all
  |            cases, the certificate is also output to a file named x509.cacert,
  |            which has the MIME-type application/x-x509-ca-cert. Unlike
  |            certificates normally used to sign finished code to be distributed
  |            over a network, a test certificate created with -G is not signed
  |            by a recognized certificate authority. Instead, it is self-signed.
  |            In addition, a single test signing certificate functions as both
  |            an object-signing certificate and a CA. When you are using it to
  |            sign objects, it behaves like an object-signing certificate. When
  |            it is imported into browser software such as Communicator, it
  |            behaves like an object-signing CA and cannot be used to sign
  |            objects. The -G option is available in Netscape Signing Tool 1.0
  |            and later versions only. By default, it produces only RSA
  |            certificates with 1024-byte keys in the internal token. However,
  |            you can use the -s option specify the required key size and the -t
  |            option to specify the token. For more information about the use of
  |            the -G option, see "Generating Test Object-Signing
  |            Certificates""Generating Test Object-Signing Certificates" on page
  |            1241.
  |    -l
  |            Lists signing certificates, including issuing CAs. If any of your
  |            certificates are expired or invalid, the list will so specify.
  |            This option can be used with the -k option to list detailed
  |            information about a particular signing certificate. The -l option
  |            is available in Netscape Signing Tool 1.0 and later versions only.
  |    -J
  |            Signs a directory of HTML files containing JavaScript and creates
  |            as many archive files as are specified in the HTML tags. Even if
  |            signtool creates more than one archive file, you need to supply
  |            the key database password only once. The -J option is available
  |            only in Netscape Signing Tool 1.0 and later versions. The -J
  |            option cannot be used at the same time as the -Z option. If the
  |            -c# option is not used with the -J option, the default compression
  |            value is 6. Note that versions 1.1 and later of Netscape Signing
  |            Tool correctly recognizes the CODEBASE attribute, allows paths to
  |            be expressed for the CLASS and SRC attributes instead of filenames
  |            only, processes LINK tags and parses HTML correctly, and offers
  |            clearer error messages.
  |    -L
  |            Lists the certificates in your database. An asterisk appears to
  |            the left of the nickname for any certificate that can be used to
  |            sign objects with signtool.
  |    --leavearc
  |            Retains the temporary .arc (archive) directories that the -J
  |            option creates. These directories are automatically erased by
  |            default. Retaining the temporary directories can be an aid to
  |            debugging.
  |    -m metafile
  |            Specifies the name of a metadata control file. Metadata is signed
  |            information attached either to the JAR archive itself or to files
  |            within the archive. This metadata can be any ASCII string, but is
  |            used mainly for specifying an installer script. The metadata file
  |            contains one entry per line, each with three fields: field #1:
  |            file specification, or + if you want to specify global metadata
  |            (that is, metadata about the JAR archive itself or all entries in
  |            the archive) field #2: the name of the data you are specifying;
  |            for example: Install-Script field #3: data corresponding to the
  |            name in field #2 For example, the -i option uses the equivalent of
  |            this line: + Install-Script: script.js This example associates a
  |            MIME type with a file: movie.qt MIME-Type: video/quicktime For
  |            information about the way installer script information appears in
  |            the manifest file for a JAR archive, see The JAR Format on
  |            Netscape DevEdge.
  |    -M
  |            Lists the PKCS #11 modules available to signtool, including smart
  |            cards. The -M option is available in Netscape Signing Tool 1.0 and
  |            later versions only. For information on using Netscape Signing
  |            Tool with smart cards, see "Using Netscape Signing Tool with Smart
  |            Cards". For information on using the -M option to verify
  |            FIPS-140-1 validated mode, see "Netscape Signing Tool and
  |            FIPS-140-1".
  |    --norecurse
  |            Blocks recursion into subdirectories when signing a directory's
  |            contents or when parsing HTML.
  |    -o
  |            Optimizes the archive for size. Use this only if you are signing
  |            very large archives containing hundreds of files. This option
  |            makes the manifest files (required by the JAR format) considerably
  |            smaller, but they contain slightly less information.
  |    --outfile outputfile
  |            Specifies a file to receive redirected output from Netscape
  |            Signing Tool.
  |    -p password
  |            Specifies a password for the private-key database. Note that the
  |            password entered on the command line is displayed as plain text.
  |    -s keysize
  |            Specifies the size of the key for generated certificate. Use the
  |            -M option to find out what tokens are available. The -s option can
  |            be used with the -G option only.
  |    -t token
  |            Specifies which available token should generate the key and
  |            receive the certificate. Use the -M option to find out what tokens
  |            are available. The -t option can be used with the -G option only.
  |    -v archive
  |            Displays the contents of an archive and verifies the cryptographic
  |            integrity of the digital signatures it contains and the files with
  |            which they are associated. This includes checking that the
  |            certificate for the issuer of the object-signing certificate is
  |            listed in the certificate database, that the CA's digital
  |            signature on the object-signing certificate is valid, that the
  |            relevant certificates have not expired, and so on.
  |    --verbosity value
  |            Sets the quantity of information Netscape Signing Tool generates
  |            in operation. A value of 0 (zero) is the default and gives full
  |            information. A value of -1 suppresses most messages, but not error
  |            messages.
  |    -w archive
  |            Displays the names of signers of any files in the archive.
  |    -x directory
  |            Excludes the specified directory from signing. Note that with
  |            Netscape Signing Tool version 1.1 and later this option can appear
  |            multiple times on one command line, making it possible to specify
  |            several particular directories to exclude.
  |    -z
  |            Tells signtool not to store the signing time in the digital
  |            signature. This option is useful if you want the expiration date
  |            of the signature checked against the current date and time rather
  |            than the time the files were signed.
  |    -Z jarfile
  |            Creates a JAR file with the specified name. You must specify this
  |            option if you want signtool to create the JAR file; it does not do
  |            so automatically. If you don't specify -Z, you must use an
  |            external ZIP tool to create the JAR file. The -Z option cannot be
  |            used at the same time as the -J option. If the -c# option is not
  |            used with the -Z option, the default compression value is 6.
  | The Command File Format
  |    Entries in a Netscape Signing Tool command file have this general format:
  |    keyword=value Everything before the = sign on a single line is a keyword,
  |    and everything from the = sign to the end of line is a value. The value
  |    may include = signs; only the first = sign on a line is interpreted. Blank
  |    lines are ignored, but white space on a line with keywords and values is
  |    assumed to be part of the keyword (if it comes before the equal sign) or
  |    part of the value (if it comes after the first equal sign). Keywords are
  |    case insensitive, values are generally case sensitive. Since the = sign
  |    and newline delimit the value, it should not be quoted.
  |    Subsection
  |    basename
  |            Same as -b option.
  |    compression
  |            Same as -c option.
  |    certdir
  |            Same as -d option.
  |    extension
  |            Same as -e option.
  |    generate
  |            Same as -G option.
  |    installscript
  |            Same as -i option.
  |    javascriptdir
  |            Same as -j option.
  |    htmldir
  |            Same as -J option.
  |    certname
  |            Nickname of certificate, as with -k and -l -k options.
  |    signdir
  |            The directory to be signed, as with -k option.
  |    list
  |            Same as -l option. Value is ignored, but = sign must be present.
  |    listall
  |            Same as -L option. Value is ignored, but = sign must be present.
  |    metafile
  |            Same as -m option.
  |    modules
  |            Same as -M option. Value is ignored, but = sign must be present.
  |    optimize
  |            Same as -o option. Value is ignored, but = sign must be present.
  |    password
  |            Same as -p option.
  |    keysize
  |            Same as -s option.
  |    token
  |            Same as -t option.
  |    verify
  |            Same as -v option.
  |    who
  |            Same as -w option.
  |    exclude
  |            Same as -x option.
  |    notime
  |            Same as -z option. value is ignored, but = sign must be present.
  |    jarfile
  |            Same as -Z option.
  |    outfile
  |            Name of a file to which output and error messages will be
  |            redirected. This option has no command-line equivalent.
  | Extended Examples
  |    The following example will do this and that
  |    Listing Available Signing Certificates
  |    You use the -L option to list the nicknames for all available certificates
  |    and check which ones are signing certificates.
  |  signtool -L
  |  using certificate directory: /u/jsmith/.netscape
  |  S Certificates
  |  - ------------
  |    BBN Certificate Services CA Root 1
  |    IBM World Registry CA
  |    VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
  |    GTE CyberTrust Root CA
  |    Uptime Group Plc. Class 4 CA
  |  \* Verisign Object Signing Cert
  |    Integrion CA
  |    GTE CyberTrust Secure Server CA
  |    AT&T Directory Services
  |  \* test object signing cert
  |    Uptime Group Plc. Class 1 CA
  |    VeriSign Class 1 Primary CA
  |  - ------------
  |  Certificates that can be used to sign objects have \*'s to their left.
  |    Two signing certificates are displayed: Verisign Object Signing Cert and
  |    test object signing cert.
  |    You use the -l option to get a list of signing certificates only,
  |    including the signing CA for each.
  |  signtool -l
  |  using certificate directory: /u/jsmith/.netscape
  |  Object signing certificates
  |  ---------------------------------------
  |  Verisign Object Signing Cert
  |      Issued by: VeriSign, Inc. - Verisign, Inc.
  |      Expires: Tue May 19, 1998
  |  test object signing cert
  |      Issued by: test object signing cert (Signtool 1.0 Testing
  |  Certificate (960187691))
  |      Expires: Sun May 17, 1998
  |  ---------------------------------------
  |    For a list including CAs, use the -L option.
  |    Signing a File
  |    1. Create an empty directory.
  |  mkdir signdir
  |    2. Put some file into it.
  |  echo boo > signdir/test.f
  |    3. Specify the name of your object-signing certificate and sign the
  |    directory.
  |  signtool -k MySignCert -Z testjar.jar signdir
  |  using key "MySignCert"
  |  using certificate directory: /u/jsmith/.netscape
  |  Generating signdir/META-INF/manifest.mf file..
  |  --> test.f
  |  adding signdir/test.f to testjar.jar
  |  Generating signtool.sf file..
  |  Enter Password or Pin for "Communicator Certificate DB":
  |  adding signdir/META-INF/manifest.mf to testjar.jar
  |  adding signdir/META-INF/signtool.sf to testjar.jar
  |  adding signdir/META-INF/signtool.rsa to testjar.jar
  |  tree "signdir" signed successfully
  |    4. Test the archive you just created.
  |  signtool -v testjar.jar
  |  using certificate directory: /u/jsmith/.netscape
  |  archive "testjar.jar" has passed crypto verification.
  |             status   path
  |       ------------   -------------------
  |           verified   test.f
  |    Using Netscape Signing Tool with a ZIP Utility
  |    To use Netscape Signing Tool with a ZIP utility, you must have the utility
  |    in your path environment variable. You should use the zip.exe utility
  |    rather than pkzip.exe, which cannot handle long filenames. You can use a
  |    ZIP utility instead of the -Z option to package a signed archive into a
  |    JAR file after you have signed it:
  |  cd signdir
  |    zip -r ../myjar.jar \*
  |    adding: META-INF/ (stored 0%)
  |    adding: META-INF/manifest.mf (deflated 15%)
  |    adding: META-INF/signtool.sf (deflated 28%)
  |    adding: META-INF/signtool.rsa (stored 0%)
  |    adding: text.txt (stored 0%)
  |    Generating the Keys and Certificate
  |    The signtool option -G generates a new public-private key pair and
  |    certificate. It takes the nickname of the new certificate as an argument.
  |    The newly generated keys and certificate are installed into the key and
  |    certificate databases in the directory specified by the -d option. With
  |    the NT version of Netscape Signing Tool, you must use the -d option with
  |    the -G option. With the Unix version of Netscape Signing Tool, omitting
  |    the -d option causes the tool to install the keys and certificate in the
  |    Communicator key and certificate databases. In all cases, the certificate
  |    is also output to a file named x509.cacert, which has the MIME-type
  |    application/x-x509-ca-cert.
  |    Certificates contain standard information about the entity they identify,
  |    such as the common name and organization name. Netscape Signing Tool
  |    prompts you for this information when you run the command with the -G
  |    option. However, all of the requested fields are optional for test
  |    certificates. If you do not enter a common name, the tool provides a
  |    default name. In the following example, the user input is in boldface:
  |  signtool -G MyTestCert
  |  using certificate directory: /u/someuser/.netscape
  |  Enter certificate information. All fields are optional. Acceptable
  |  characters are numbers, letters, spaces, and apostrophes.
  |  certificate common name: Test Object Signing Certificate
  |  organization: Netscape Communications Corp.
  |  organization unit: Server Products Division
  |  state or province: California
  |  country (must be exactly 2 characters): US
  |  username: someuser
  |  email address: someuser@netscape.com
  |  Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
  |  generated public/private key pair
  |  certificate request generated
  |  certificate has been signed
  |  certificate "MyTestCert" added to database
  |  Exported certificate to x509.raw and x509.cacert.
  |    The certificate information is read from standard input. Therefore, the
  |    information can be read from a file using the redirection operator (<) in
  |    some operating systems. To create a file for this purpose, enter each of
  |    the seven input fields, in order, on a separate line. Make sure there is a
  |    newline character at the end of the last line. Then run signtool with
  |    standard input redirected from your file as follows:
  |  signtool -G MyTestCert inputfile
  |    The prompts show up on the screen, but the responses will be automatically
  |    read from the file. The password will still be read from the console
  |    unless you use the -p option to give the password on the command line.
  |    Using the -M Option to List Smart Cards
  |    You can use the -M option to list the PKCS #11 modules, including smart
  |    cards, that are available to signtool:
  |  signtool -d "c:\netscape\users\jsmith" -M
  |  using certificate directory: c:\netscape\users\username
  |  Listing of PKCS11 modules
  |  -----------------------------------------------
  |          1. Netscape Internal PKCS #11 Module
  |                            (this module is internally loaded)
  |                            slots: 2 slots attached
  |                            status: loaded
  |            slot: Communicator Internal Cryptographic Services Version 4.0
  |           token: Communicator Generic Crypto Svcs
  |            slot: Communicator User Private Key and Certificate Services
  |           token: Communicator Certificate DB
  |          2. CryptOS
  |                            (this is an external module)
  |   DLL name: core32
  |           slots: 1 slots attached
  |          status: loaded
  |            slot: Litronic 210
  |           token:
  |          -----------------------------------------------
  |    Using Netscape Signing Tool and a Smart Card to Sign Files
  |    The signtool command normally takes an argument of the -k option to
  |    specify a signing certificate. To sign with a smart card, you supply only
  |    the fully qualified name of the certificate.
  |    To see fully qualified certificate names when you run Communicator, click
  |    the Security button in Navigator, then click Yours under Certificates in
  |    the left frame. Fully qualified names are of the format smart
  |    card:certificate, for example "MyCard:My Signing Cert". You use this name
  |    with the -k argument as follows:
  |  signtool -k "MyCard:My Signing Cert" directory
  |    Verifying FIPS Mode
  |    Use the -M option to verify that you are using the FIPS-140-1 module.
  |  signtool -d "c:\netscape\users\jsmith" -M
  |  using certificate directory: c:\netscape\users\jsmith
  |  Listing of PKCS11 modules
  |  -----------------------------------------------
  |    1. Netscape Internal PKCS #11 Module
  |            (this module is internally loaded)
  |            slots: 2 slots attached
  |            status: loaded
  |      slot: Communicator Internal Cryptographic Services Version 4.0
  |     token: Communicator Generic Crypto Svcs
  |      slot: Communicator User Private Key and Certificate Services
  |     token: Communicator Certificate DB
  |  -----------------------------------------------
  |    This Unix example shows that Netscape Signing Tool is using a FIPS-140-1
  |    module:
  |  signtool -d "c:\netscape\users\jsmith" -M
  |  using certificate directory: c:\netscape\users\jsmith
  |  Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
  |  Listing of PKCS11 modules
  |  -----------------------------------------------
  |  1. Netscape Internal FIPS PKCS #11 Module
  |  (this module is internally loaded)
  |  slots: 1 slots attached
  |  status: loaded
  |  slot: Netscape Internal FIPS-140-1 Cryptographic Services
  |  token: Communicator Certificate DB
  |  -----------------------------------------------
  | See Also
  |    signver (1)
  |    The NSS wiki has information on the new database design and how to
  |    configure applications to use it.
  |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
  |      o https://wiki.mozilla.org/NSS_Shared_DB
  | Additional Resources
  |    For information about NSS and other tools related to NSS (like JSS), check
  |    out the NSS project wiki at
  |   
    [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
    The NSS site relates
  |    directly to NSS code changes and releases.
  |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
  |    IRC: Freenode at #dogtag-pki
  | Authors
  |    The NSS tools were written and maintained by developers with Netscape, Red
  |    Hat, and Sun.
  |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
  |    <dlackey@redhat.com>.
  | Copyright
  |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
  | References
  |    Visible links
  |    1.
    `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__