Skip to content

openSUSE/ca-certificates

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

146 Commits
.github/workflows
.github/workflows
 
 
.editorconfig
.editorconfig
 
 
COPYING
COPYING
 
 
Makefile
Makefile
 
 
README
README
 
 
Testsuite.md
Testsuite.md
 
 
ca-certificates-setup.service
ca-certificates-setup.service
 
 
ca-certificates.path
ca-certificates.path
 
 
ca-certificates.service
ca-certificates.service
 
 
ca-certificates.spec
ca-certificates.spec
 
 
certbundle.run
certbundle.run
 
 
conftest.py
conftest.py
 
 
etc_ssl.run
etc_ssl.run
 
 
java.run
java.run
 
 
openssl.run
openssl.run
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 
test_update_ca_certificates.py
test_update_ca_certificates.py
 
 
update-ca-certificates
update-ca-certificates
 
 
update-ca-certificates.8
update-ca-certificates.8
 
 

Repository files navigation

ca-certificates
===============

Utilities for system wide CA certificate installation

update-ca-certificates is intended to keep the certificate stores of
various components in sync with the system CA certificates.

The canonical source of CA certificates is what p11-kit knows about.
By default p11-kit looks into /usr/share/pki/trust/ resp
/etc/pki/trust/ but there could be other plugins that serve as
source for certificates as well.

Supported Certificate Stores
============================

update-ca-certificate supports a number of legacy certificate stores
for applications that don't talk to p11-kit directly yet. It does so
by generating the certificate stores in /var/lib/ca-certificates and
having symlinks from the locations where applications expect those
files.

- /etc/ssl/certs: Hashed directory readable by openSSL. Only for
  legacy applications. Only contains CA certificates for server-auth
  purpose. Avoid using this in applications.
- /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates
  with server-auth purpose. Avoid using this in applications.
- java-cacerts: Key store fore Java. Only filled with CA
  certificates with purpose server-auth.
- openssl: hashed directory with CA certificates of all purposes.
  Your system openSSL knows how to read that, don't hardcode the
  path! Call SSL_CTX_set_default_verify_paths() instead.

Differences to previous versions on openSUSE
============================================

- Packages are expected to install their CA certificates in
  /usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
  of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for
  regular pem files, the directory one above for pem files in
  openssl's 'trusted' format.

- /etc/ca-certificates.conf is no longer supported. Just symlink the
  certificates you don't want to /etc/pki/trust/blacklist.

Differences to Debian
=====================

- /etc/ca-certificates.conf is not supported.
- Hook scripts don't receive the list of changed certificates on
  stdin. That allows scripts to have their own method to determine
  changes.
- The command line arguments -v and -f are passed to hook scripts.
- All stores are created via hook scripts.

About

Utilities for system wide CA certificate installation

Resources

Readme

License

GPL-2.0 license
Activity
Custom properties

Stars

25 stars

Watchers

20 watching

Forks

20 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 13

Languages