From 34e57e0a843e04fd64634ae603370630051d09e2 Mon Sep 17 00:00:00 2001
From: phoeagon <phoeagon@gmail.com>
Date: Fri, 27 Feb 2015 10:33:03 +0800
Subject: [PATCH] add README

---
 Linux/README.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 Linux/README.md

diff --git a/Linux/README.md b/Linux/README.md
new file mode 100644
index 0000000..165f59e
--- /dev/null
+++ b/Linux/README.md
@@ -0,0 +1,39 @@
+Revoke-China-Certs on Linux
+==========================================
+
+## Intro
+
+This tool revokes certain CA certificates for NSS-based applications on Linux,
+(most notably, Firefox & Chrome).
+
+On Linux there are multiple libraries for SSL/TLS and each may have its own
+certificate store. The `/etc/ca-certificate.conf` configures the trusted
+Root CAs for OpenSSL (which `wget` uses by default). Another widely used
+library is NSS by Mozilla, which supports blacklisting a specific intermediate
+CA without fiddling with the Root CA.
+
+**This tool is experimental. DO MAKE BACKUPS before you do anything!**
+
+## Usage
+
+First you need to have packages installed to provide `certutil`. On Ubuntu it would be:
+
+        sudo apt-get install libnss3-tools
+
+Then, use the `revoke-china-certs.sh` to do the revocation. For Chrome it would be:
+
+        ./revoke-china-certs.sh extended $HOME/.pki/nssdb
+
+to revoke trust of CAs within the *extended* set. Change `extended` to `all` or `base`
+or `restore` to revoke other sets of certs.
+
+Since Firefox maintains different certificate store for different browser profile (rather
+than per Linux user for Chrome), you need to do this for every profile under `~/.mozilla/firefox`.
+
+        for profile in `ls ~/.mozilla/firefox/*.default`;do
+            ./revoke-china-certs.sh extended $HOME/.mozilla/firefox/$profile
+        done
+
+## Notes
+
+Deselecting a CA by `dpkg-reconfigure ca-certificates` does NOT affect any NSS-based applications.
-- 
GitLab