Sun Java System Web Proxy Server 4.0.3 2006Q2 Administration Guide

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with Proxy Server contains the root certificates for many CAs, including VeriSign. The root certificate module makes it much easier to upgrade your root certificates to newer versions. In the past, you had to delete the old root certificates one at a time and then install the new ones one at a time. To install well-known CA certificates, you can now simply update the root certificate module file to a newer version as it becomes available through future versions of Proxy Server.

Because the root certificate module is implemented as a PKCS #11 cryptographic module, you can never delete the root certificates it contains, and the option to delete is not offered when managing these certificates. To remove the root certificates from your server instances, you can disable the root certificate module by deleting the following in the server’s alias file:

If you later want to restore the root certificate module, you can copy the extension from server_root/bin/proxy/lib (UNIX) or server_root\bin\proxy\bin (Windows) back into the alias subdirectory.

You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.