NAME

mozroots - Download and import trusted root certificates from Mozilla's LXR into Mono's certificate store

SYNOPSIS

mozroots [--import [--machine] [--sync | --ask | --ask-add | --ask-remove]]

DESCRIPTION

This program downloads the trusted root certificates from the Mozilla LXR web site into the Mono certificate store.

Mono by default does not ship with any default certificates and allows the user to pick its trusted certificates. The mozroots command will bring the Mozilla certificates into your local machine.

OPTIONS

--import

Import the certificates into the trust store.

--sync

Synchronize (add/remove) the trust store with the certificates. Synchronize is useful for new Mono installations (no roots) and for automated updates (no user confirmation for addition or removal).

--ask

Always confirm before adding or removing trusted certificates. Note: The initial import will likely add about 100 new trusted root certificates into your store. You'll have to answer yes to every one of them if this option is specified.

--ask-add

Always confirm before adding a new trusted certificate. Note: The initial import will likely add about 100 new trusted root certificates into your store. You'll have to answer yes to every one of them if this option is specified.

--ask-remove

Always confirm before removing an existing trusted certificate.

ADVANCED OPTIONS

--url url

Specify an alternative URL for downloading the trusted certificates (LXR source format). This should only be useful for testing or if the Mozilla's LXR web site address is changed. It can also be used to cache a local copy of the LXR file into your local intranet.

--file name

Do not download from LXR but use the specified file. This is useful if many computers have to download the same file from the Internet. This way you can keep a local copy on a file server (and minimize network traffic).

--pkcs7 name

Export the certificates into a PKCS#7 file. This is useful for debugging purpose or for re-importing the same list into other software.

--machine

Import the certificate in the machine trust store. The default is to import all trusted root certificates into the current user store.

--quiet

Limit console output to errors and confirmations messages. This is useful when scripting.

EXAMPLES

After the initial Mono installation you'll have no trusted roots certificates pre-installed. Neither will you have some root test certificates installed (your own or the ones provided by using setreg ). In this case the simplest thing to do, if you want to trust all those certificates, is to import and synchronize.

	$ mozroots --import --sync
	Mozilla Roots Importer - version 1.1.9.0
	Download and import trusted root certificates from Mozilla's LXR.
	Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.


 
	Downloading from 'http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt'...
	Importing certificates into user store...
	93 new root certificates were added to your trust store.
	Import process completed.

If you created some test certificates (e.g. for using SSL/TLS with XSP) and/or if your enterprise requires some additional root certificates (e.g. intranet) then you may want to skip the removal part of the process. You can do this by asking for a removal confirmation (--ask-remove option) and answer no when prompted.

	$ mozroots --import --ask-remove
	Mozilla Roots Importer - version 1.1.9.0
	Download and import trusted root certificates from Mozilla's LXR.
	Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.


 
	Downloading from 'http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt'...
	Importing certificates into user store...
	93 new root certificates were added to your trust store.
	2 previously trusted certificates were not part of the update.
	Issuer: CN=Mono Test Root Agency
	Serial number: 69-B0-E1-4F-88-6E-C7-85-48-0E-74-91-38-76-F4-28
	Valid from 9/1/2003 11:55:48 AM to 12/31/2039 1:59:59 PM
	Thumbprint SHA-1: EF-26-C2-28-11-3F-79-ED-9D-EC-3F-3B-D5-7A-26-F2-7C-9F-FA-63
	Thumbprint MD5:   AE-19-3E-64-36-21-F2-A4-8B-69-38-CA-64-4B-2E-62
	Are you sure you want to remove this certificate ? no

You can still use the synchronize option (--sync) if you have activated
the default test roots certificate on your system. They will be removed
at the end of the synchronization process but you can quickly add them 
back with the
setreg
tool.


	$ setreg 1 true

Another option to ease updates is to synchronize your machine trust store (using the --machine option) and keep your customized (test) certificates in your personal store (or vice versa). Note that every user on this computer will be trusting all the newly imported certificates.

	$ mozroots --import --machine --sync
	Mozilla Roots Importer - version 1.1.9.0
	Download and import trusted root certificates from Mozilla's LXR.
	Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.


 
	Downloading from 'http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt'...
	Importing certificates into user store...
	94 new root certificates were added to your trust store.
	Import process completed.

Once the initial import is complete the number of changes (additions or removals) is generally very low. In this case it makes sense to know about any changes (i.e. ask for confirmation). No confirmation will be required if no changes are made to your trust store.

	$ mozroots --import --ask
	Mozilla Roots Importer - version 1.1.9.0
	Download and import trusted root certificates from Mozilla's LXR.
	Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.


 
	Downloading from 'http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt'...
	Importing certificates into user store...
	Import process completed.

FILES

~/.config/.mono/certs, /usr/share/.mono/certs

Contains Mono certificate stores for users / machine. See the certmgr(1) manual page for more information on managing certificate stores.

COPYRIGHT

Copyright (C) 2005 Novell.

MAILING LISTS

Mailing lists are listed at the http://www.mono-project.com/community/help/mailing-lists/

WEB SITE

http://www.mono-project.com

SEE ALSO

mono(1),certmgr(1).setreg(1)