openSUSE/ca-certificates
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Latest commit
Ensure --root option propagates prefix properly to other scripts
3efbea9
Git stats
Files
Permalink
Failed to load latest commit information.
ca-certificates =============== Utilities for system wide CA certificate installation update-ca-certificates is intended to keep the certificate stores of various components in sync with the system CA certificates. The canonical source of CA certificates is what p11-kit knows about. By default p11-kit looks into /usr/share/pki/trust/ resp /etc/pki/trust/ but there could be other plugins that serve as source for certificates as well. Supported Certificate Stores ============================ update-ca-certificate supports a number of legacy certificate stores for applications that don't talk to p11-kit directly yet. It does so by generating the certificate stores in /var/lib/ca-certificates and having symlinks from the locations where applications expect those files. - /etc/ssl/certs: Hashed directory readable by openSSL. Only for legacy applications. Only contains CA certificates for server-auth purpose. Avoid using this in applications. - /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates with server-auth purpose. Avoid using this in applications. - java-cacerts: Key store fore Java. Only filled with CA certificates with purpose server-auth. - openssl: hashed directory with CA certificates of all purposes. Your system openSSL knows how to read that, don't hardcode the path! Call SSL_CTX_set_default_verify_paths() instead. Differences to previous versions on openSUSE ============================================ - Packages are expected to install their CA certificates in /usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for regular pem files, the directory one above for pem files in openssl's 'trusted' format. - /etc/ca-certificates.conf is no longer supported. Just symlink the certificates you don't want to /etc/pki/trust/blacklist. Differences to Debian ===================== - /etc/ca-certificates.conf is not supported. - Hook scripts don't receive the list of changed certificates on stdin. That allows scripts to have their own method to determine changes. - The command line arguments -v and -f are passed to hook scripts. - All stores are created via hook scripts.