This document describes the data formats used by NSS 3.x for installing certificates. This document is currently being revised and has not yet been reviewed for accuracy.

Data Formats

NSS can accept certificates in several formats. In all cases the certificates are X509 version 1, 2, or 3.

Binary Formats

NSS's certificate loader will recognize several binary formats. They are:

   CertificateSequence ::= SEQUENCE OF Certificate

See the section below on Certificate Chains for more information about how multiple certificates are handled.

Text Formats

Any of the above binary formats can also be imported in text form. The text form begins with the following line:

   -----BEGIN CERTIFICATE-----

Following this line should be the certificate data, which can be in any of the binary formats described above. This data must be base64 encoded as described by RFC 1113. Following the data should be the following line:

   -----END CERTIFICATE-----

In a text format download, NSS ignores any text before the first BEGIN CERTIFICATE line, and ignores any text after the first END CERTIFICATE line. Between those two lines, there must be exactly ONE item of any of the supported binary formats described above, and that one item must be base64 encoded. Regardless of which of the supported binary formats is used, the BEGIN and END lines must say CERTIFICATE, and not any other word (such as KEY). The BEGIN and END lines must begin and end with 5 dashes, with no extra leading or trailing white space (excluding the End Of Line characters).

Importing Certificate Chains

Several of the formats described above can contain several certificates. When NSS's certificate decoder encounters one of these collections of multiple certificates they are handled in the following way:

Importing Certificates into Mozilla browsers

Mozilla browsers import certificates found in HTTP protocol responses. There are several mime content types that are used to indicate to the browser what type of certificate is being imported. These mime types are:

Note: the browser checks that the size of the object being downloaded matches the size of the encoded certificates. Therefore it is important to ensure that no extra characters, such as NULLs or LineFeeds are added at the end of the object.

Importing Certificates into NSS-based servers

Consult your server's administration guide for the most accurate information. For some NSS-base servers, the following information is correct.

Server certificates are imported via the server admin interface. Certificates are pasted into a text input field in an HTML form, and then the form is submitted to the admin server. Since the certificates are pasted into text fields, only the text formats described above are supported for servers. The type of certificate being imported (e.g. server or CA or cert chain) is specified by the server administrator by selections made on the admin pages. If a certificate chain is being imported then the first certificate in the chain must be the server or CA certificate, and any subsequent certificates will be added as untrusted CA certificates to the local database.

Object Identifiers

The base of all Netscape object ids is:

   netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }

The hexadecimal byte value of this OID when DER encoded is:

   0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42

The following OIDs are mentioned in this document:

   netscape-data-type     OBJECT IDENTIFIER :: = { netscape 2 }
   netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 }