Date: Fri, 12 Feb 2021 00:42:20 -0800 (PST) From: "Dan Mahoney (Gushi)" <freebsd@gushi.org> To: questions@freebsd.org Cc: allanjude@freebsd.org Subject: splitting ca_root_nss into component pem files Message-ID: <8f7cdfd9-7c4f-2e5d-948c-34ae45f1c9d@prime.gushi.org>
Allan (and all),

I notice FreeBSD now comes with certctl which knows how to split and manage trusted SSL certs. FreeBSD 12.2 includes a /usr/share/ssl/certs directory now (no mention of that in the release notes?) and a tool called certctl. Certctl has (for some reason) been backported to 11.x, where there are no individual certs provided by default, so I'm confused as to why this is.

ca_root_nss only provides a monolithic cert. Some apps require a directory of hashes and symlinks. This is common, especially when you want to trust your local CA as well as the netscape ones. Additionally, some tools (like sendmail) seem to require the symlinked approach.

Is there a tool (installed with base, or from ports) that will do this splitting of ca_root_nss, to some standard directory? (certctl doesn't appear to). Should this not be a standard thing in the pkg-message for ca_root_nss? (This seems to be a tangly problem to google).

Note I solved this myself a few years back: https://gushi.dreamwidth.org/1064679.html, but I'd like to have a "right" answer.

But...this feels like something that should have a base tool AND be in the handbook, since the *removal* of a cert from ca_root_nss will cause users to still trust it -- a clean rebuild should be possible.

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
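The splitting and hashed-symlink layout the message asks about, as an added example that is not part of the original post and is not a FreeBSD, certctl or ca_root_nss tool. It assumes a POSIX sh with awk and the openssl command line; the bundle path /usr/local/share/certs/ca-root-nss.crt and the output directory are assumptions that the caller supplies. The script splits a monolithic PEM bundle into one file per certificate and then rebuilds the <subject_hash>.N symlinks the way c_rehash would, with the rebuild in each step wiping the previous output first so a CA that is removed from the bundle also disappears from the trust directory.

```sh
#!/bin/sh
# Split a PEM bundle into per-certificate files and build an OpenSSL-style
# hashed directory. Added example; not a FreeBSD base or ports tool.

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-001.pem, cert-002.pem, ... and prints the number of
# certificates found. Old cert-*.pem files are removed first so a clean
# rebuild never keeps a certificate that is no longer in the bundle.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    rm -f "$outdir"/cert-*.pem
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            f = sprintf("%s/cert-%03d.pem", dir, n)
            inblock = 1
        }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_dir DIR
# Removes every existing hash symlink in DIR and recreates <hash>.N links
# (N disambiguates subjects that share a hash) pointing at each .pem file,
# which is the layout OpenSSL's CApath lookup and c_rehash expect.
rehash_dir() {
    dir=$1
    find "$dir" -maxdepth 1 -type l -name '????????.*' -exec rm -f {} +
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        i=0
        while [ -e "$dir/$h.$i" ]; do
            i=$((i + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$h.$i"
    done
}

# Usage: ./split_ca.sh /usr/local/share/certs/ca-root-nss.crt /etc/ssl/certs
# (both paths are assumptions; pick the CApath your applications read).
main() {
    count=$(split_bundle "$1" "$2") || exit 1
    rehash_dir "$2" || exit 1
    echo "wrote $count certificates to $2 and rebuilt hash links"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Adding a local CA is then just dropping its PEM into the directory and running rehash_dir again; because the symlinks are regenerated from scratch, removing a file from the directory (or a CA from the bundle) is enough to stop trusting it on the next run.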