Has anyone figured out a way to extract the root CA certs from Mozilla
into individually PEM-encoded certs?
This seems a reasonably secure way to get a comprehensive list of root
CA certs, so that I can load them into sendmail (and actually *verify*
the certificates of sites which support STARTTLS).
I've located the certs in the mozilla distribution; they're in:
mozilla/security/nss/lib/ckfw/builtins/certdata.txt
But the certdata.txt file is in some type of custom format.
There's a "certutil" program in the Mozilla distribution:
mozilla/security/nss/cmd/certutil
But it isn't built by default, and I can't figure out how to build it.
(Running "make" in the directory detonates magnificently.)
Alternatively, can anyone recommend a trustworthy source of all of the
common root CA certs, in PEM encoding?
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
