== Custom Building NSS Lib for Mozilla Products ==

Mozilla in their great wisdom doesn't build their utility (addbuiltin) for adding extra root certificates when they build their main binaries (firefox/thunderbird), so you will need to do this prior to rebuilding libnss...

Step 1, getting the libnss source code:

{{{
wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_10_RTM/src/nss-3.10.tar.gz
wget ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6/src/nspr-4.6.tar.gz
}}}

Next, extract both tarballs:

{{{
cd /usr/src
tar xzvf nss-3.10.tar.gz
tar xzvf nspr-4.6.tar.gz
}}}

You'll also need to move the nspr source tree into the nss directory:

{{{
mv nspr-4.6/mozilla/nsprpub nss-3.10/mozilla/
}}}

Finally, to build things you will need to run the make commands:

{{{
cd nss-3.10/mozilla/security/nss
make nss_build_all
cd cmd/addbuiltin
make
}}}

To run addbuiltin without installing the mozilla libs you will need to do the following:

{{{
echo /usr/src/nss-3.10/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib >> /etc/ld.so.conf
ldconfig
cp -a Linux2.6_x86_glibc_PTH_DBG.OBJ/addbuiltin /usr/bin
}}}

[[http://www.CAcert.org/index.php?id=16|Download]] a copy of the CAcert root certificate in DER format only. Then run the addbuiltin program that comes with the NSS code:

{{{
addbuiltin -n "CAcert Inc." -t "CT,C,C" < CAcert.der >> certdata.txt
}}}

This will append our root certificate to:

{{{
nss-3.9.2/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
}}}

Then you need to run the following (make sure you are in the mozilla/security/nss/lib/ckfw/builtins directory):

{{{
make generate
}}}

Then build NSS. The end result is a new libnssckbi library, which depending on your architecture will end up in a file like:

{{{
nss-3.9.2/mozilla/security/nss/lib/ckfw/builtins/Darwin7.8.0_OPT.OBJ/libnssckbi.dylib
}}}

= Debian/Ubuntu Specific Notes =

You need to grab a few packages on a fresh install:

{{{
apt-get -y install build-essential zip
}}}
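
Before running make generate, it is worth confirming that the append to certdata.txt introduced only the intended root, with the intended trust. The following is an added example, not part of the original page or of NSS: it compares the CA trust entries in two copies of certdata.txt. The function names and the abbreviated sample data are constructed, and the attributes your addbuiltin version emits may differ.

```python
TRUST_CLASSES = {"CKO_NETSCAPE_TRUST", "CKO_NSS_TRUST"}  # older / newer NSS names

def parse_trust(text):
    """Return {label: {purpose: trust_value}} for each trust object."""
    result, cls, label, in_octal = {}, None, None, False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                        # skip encoded bytes up to END
            in_octal = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        attr, typ, value = (line.split(None, 2) + ["", ""])[:3]
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":           # a new object starts here
            cls, label = value, None
        elif attr == "CKA_LABEL":
            label = value.strip('"')
        elif typ == "CK_TRUST" and cls in TRUST_CLASSES and label:
            result.setdefault(label, {})[attr.replace("CKA_TRUST_", "", 1)] = value
    return result

def ca_trust(text):
    """Map each label trusted as a CA to the sorted purposes it is trusted for."""
    found = {label: sorted(p for p, v in attrs.items() if v.endswith("_TRUSTED_DELEGATOR"))
             for label, attrs in parse_trust(text).items()}
    return {label: purposes for label, purposes in found.items() if purposes}

def added_roots(before, after):
    """CA trust entries that are new or changed in `after`."""
    old, new = ca_trust(before), ca_trust(after)
    return {label: p for label, p in new.items() if old.get(label) != p}

# Constructed, abbreviated samples in certdata.txt layout (not real NSS data).
BEFORE = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Existing Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Existing Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
"""
APPENDED = r"""CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "CAcert Inc."
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
"""
```

In practice, keep a copy of certdata.txt from before the addbuiltin step and pass the contents of both files to `added_roots`; anything other than the single expected label is a reason to stop before rebuilding libnssckbi.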