GitHub - abodlaim/ca-certificates: Utilities for system wide CA certificate installation

abodlaim / ca-certificates Public

forked from openSUSE/ca-certificates

Notifications You must be signed in to change notification settings
Fork 0
Star 1

Utilities for system wide CA certificate installation

GPL-2.0 license

1 star 21 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 46 Commits
obs		obs
COPYING		COPYING
Makefile		Makefile
README		README
certbundle.run		certbundle.run
etc_ssl.run		etc_ssl.run
java.run		java.run
openssl.run		openssl.run
update-ca-certificates		update-ca-certificates
update-ca-certificates.8		update-ca-certificates.8

Repository files navigation

ca-certificates
===============

Utilities for system wide CA certificate installation

update-ca-certificates is intended to keep the certificate stores of
various components in sync with the system CA certificates.

The canonical source of CA certificates is what p11-kit knows about.
By default p11-kit looks into /usr/share/pki/trust/ resp
/etc/pki/trust/ but there could be other plugins that serve as
source for certificates as well.

Supported Certificate Stores
============================

update-ca-certificate supports a number of legacy certificate stores
for applications that don't talk to p11-kit directly yet. It does so
by generating the certificate stores in /var/lib/ca-certificates and
having symlinks from the locations where applications expect those
files.

- /etc/ssl/certs: Hashed directory readable by openSSL. Only for
  legacy applications. Only contains CA certificates for server-auth
  purpose. Avoid using this in applications.
- /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates
  with server-auth purpose. Avoid using this in applications.
- java-cacerts: Key store fore Java. Only filled with CA
  certificates with purpose server-auth.
- openssl: hashed directory with CA certificates of all purposes.
  Your system openSSL knows how to read that, don't hardcode the
  path! Call SSL_CTX_set_default_verify_paths() instead.

Differences to previous versions on openSUSE
============================================

- Packages are expected to install their CA certificates in
  /usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
  of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for
  regular pem files, the directory one above for pem files in
  openssl's 'trusted' format.

- /etc/ca-certificates.conf is no longer supported. Just symlink the
  certificates you don't want to /etc/pki/trust/blacklist.

Differences to Debian
=====================

- /etc/ca-certificates.conf is not supported.
- Hook scripts don't receive the list of changed certificates on
  stdin. That allows scripts to have their own method to determine
  changes.
- The command line arguments -v and -f are passed to hook scripts.
- All stores are created via hook scripts.