Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with Proxy Server contains the root certificates for many CAs, including VeriSign. The root certificate module makes it much easier to upgrade your root certificates to newer versions. In the past, you were required to delete the old root certificates one at a time and then install the new ones one at a time. To install well-known CA certificates, you can now update the root certificate module file to a newer version as it becomes available through future versions of the Proxy Server.

Because the root certificates are implemented as a PKCS #11 cryptographic module, you can never delete the root certificates it contains. The option to delete will not be offered when managing these certificates. To remove the root certificates from your server instances, disable the root certificate module by deleting the following entry in the server’s alias directory:

If you want to restore the root certificate module, you can copy the extension from server-root/bin/proxy/lib (UNIX) or server-root\bin\proxy\bin (Windows) into the alias subdirectory.

You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.