During the processing of certificate operations, the NSS server
validates that an NSS client is authorized to access the certificates
required to complete the operation. The NSS server consults SERVAUTH
profiles to perform this validation. The profile names consulted by
the NSS server are dynamically constructed by the NSS server using
the following information:
- The system name on which the NSS server is running
- The label of the certificate this is used during a certificate
operation
- The certificate operation that is being performed:
- When processing a request to create a signature, the format of
the profile that is consulted is EZB.NSSCERT.sysname.mappedlabelname.HOST.
- When processing a request to obtain a list of CA certificates,
the format of the profile consulted is EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH.
- When processing a request to retrieve a private key that is not
protected by Integrated Cryptographic Service Facility (ICSF) or to
use an ICSF-protected private key, the format of the profile consulted
is EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY.
The NSS server creates a mapped label name using the following
algorithm:
- All lowercase alphabetic characters in a certificate's label are
changed to uppercase. This is necessary because the class descriptor
table for the SERVAUTH profile permits only uppercase profile names.
- The asterisk (*), percent sign (%), and ampersand (&) are
replaced by a dollar sign ($). This is necessary because these characters
have special meaning when generic profile processing is active.
- All embedded blanks are also replaced by a dollar sign ($). This
is necessary because blanks are not allowed in SERVAUTH profile names.
Rules: - The administrator of the NSS server must define profiles using
the mapped label names generated by this algorithm. When the certificate's
label name contains lowercase characters, the administrator must change
each lowercase character to uppercase. When the certificate's label
name contains the characters *, %, &, or a blank character, the
administrator must replace each occurrence with a dollar sign ($)
character.
- When a certificate label contains the period character (.), ensure
that the corresponding SERVAUTH profile contains matching qualifiers.
For example, if you request a certificate with the label CERTIFICATE.123.ABC
for a private key operation, the NSS server checks a SERVAUTH profile
named EZB.NSSCERT.sysname.CERTIFICATE.123.ABC.PRIVKEY;
defining a SERVAUTH profile named EZB.NSSCERT.sysname.CERTIFICATE.*.PRIVKEY
does not permit access to the private key of the certificate.
Using this algorithm, it is possible that multiple certificates
can result in the same mapped name. This is shown in Table 1.
Table 1. Mapped label names| Label |
Mapped label |
|---|
| CERTIFICATE_123 |
CERTIFICATE_123 |
| Certificate_123 |
CERTIFICATE_123 |
| CERTIFICATE 123 |
CERTIFICATE$123 |
| CERTIFICATE%123 |
CERTIFICATE$123 |
| CERTIFICATE*123 |
CERTIFICATE$123 |
| CERTIFICATE&123 |
CERTIFICATE$123 |
| CERTIFICATE$123 |
CERTIFICATE$123 |
Tip: When creating certificates for the NSS server's key
ring, avoid using lowercase alphabetic characters, blanks, and the
characters *, %, and & in the certificate's label.