-
Notifications
You must be signed in to change notification settings - Fork 21
/
README
54 lines (43 loc) · 2.2 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
ca-certificates
===============
Utilities for system wide CA certificate installation
update-ca-certificates is intended to keep the certificate stores of
various components in sync with the system CA certificates.
The canonical source of CA certificates is what p11-kit knows about.
By default p11-kit looks into /usr/share/pki/trust/ resp
/etc/pki/trust/ but there could be other plugins that serve as
source for certificates as well.
Supported Certificate Stores
============================
update-ca-certificate supports a number of legacy certificate stores
for applications that don't talk to p11-kit directly yet. It does so
by generating the certificate stores in /var/lib/ca-certificates and
having symlinks from the locations where applications expect those
files.
- /etc/ssl/certs: Hashed directory readable by openSSL. Only for
legacy applications. Only contains CA certificates for server-auth
purpose. Avoid using this in applications.
- /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates
with server-auth purpose. Avoid using this in applications.
- java-cacerts: Key store fore Java. Only filled with CA
certificates with purpose server-auth.
- openssl: hashed directory with CA certificates of all purposes.
Your system openSSL knows how to read that, don't hardcode the
path! Call SSL_CTX_set_default_verify_paths() instead.
Differences to previous versions on openSUSE
============================================
- Packages are expected to install their CA certificates in
/usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for
regular pem files, the directory one above for pem files in
openssl's 'trusted' format.
- /etc/ca-certificates.conf is no longer supported. Just symlink the
certificates you don't want to /etc/pki/trust/blacklist.
Differences to Debian
=====================
- /etc/ca-certificates.conf is not supported.
- Hook scripts don't receive the list of changed certificates on
stdin. That allows scripts to have their own method to determine
changes.
- The command line arguments -v and -f are passed to hook scripts.
- All stores are created via hook scripts.