From: "Dan Mahoney (Gushi)"
To: questions@freebsd.org
Cc: allanjude@freebsd.org
Date: Fri, 12 Feb 2021 00:42:20 -0800 (PST)
Subject: splitting ca_root_nss into component pem files
Message-ID: <8f7cdfd9-7c4f-2e5d-948c-34ae45f1c9d@prime.gushi.org>
List-Id: User questions <freebsd-questions@freebsd.org>
Allan (and all),

I notice FreeBSD now comes with certctl, which knows how to split and manage trusted SSL certs. FreeBSD 12.2 includes a /usr/share/ssl/certs directory now (no mention of that in the release notes?) and a tool called certctl. Certctl has (for some reason) been backported to 11.x, where there are no individual certs provided by default, so I'm confused as to why this is.

ca_root_nss only provides a monolithic cert. Some apps require a directory of hashes and symlinks. This is common, especially when you want to trust your local CA as well as the Netscape ones. Additionally, some tools (like sendmail) seem to require the symlinked approach.

Is there a tool (installed with base, or from ports) that will do this splitting of ca_root_nss to some standard directory? (certctl doesn't appear to.) Should this not be a standard thing in the pkg-message for ca_root_nss? (This seems to be a tangly problem to google.)

Note that I solved this myself a few years back: https://gushi.dreamwidth.org/1064679.html, but I'd like to have a "right" answer.

But... this feels like something that should have a base tool AND be in the handbook, since the *removal* of a cert from ca_root_nss will cause users to still trust it -- a clean rebuild should be possible.

-Dan

-- 
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
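An added example, not code from Dan's mail, from ca_root_nss or from certctl: a POSIX sh script that does the split-and-rehash the mail describes, with the "clean rebuild" the last paragraph asks for. It assumes awk and openssl(1) are on PATH, that consumers expect OpenSSL's hashed-directory layout (subject hash, a dot, a collision counter, each a symlink to a .pem file), and that the bundle and output paths in the usage comment are placeholders to adjust. The sample bundle the script can write contains placeholder blocks, not real certificates, so only the split step can be exercised on it; rehash_dir needs real PEM certificates.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD/certctl.
# Splits a monolithic PEM bundle (e.g. the one ca_root_nss installs) into one
# file per certificate and rebuilds the OpenSSL subject-hash symlinks that
# "hashed directory" consumers look up. Assumes POSIX sh, awk and openssl(1).

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-NNNN.pem for each BEGIN/END CERTIFICATE block in BUNDLE
# and prints the number of certificates written. Text outside the blocks
# (comments, trust annotations) is dropped.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$bundle"
}

# rehash_dir DIR
# Drops every existing <8-hex-digit>.<n> symlink, then recreates one per
# *.pem file using the certificate subject hash. Because stale links are
# removed first, a .pem deleted from DIR stops being trusted on the next run.
rehash_dir() {
    dir="$1"
    find "$dir" -maxdepth 1 -type l \
        -name '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*' \
        -delete
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        i=0
        while [ -e "$dir/$hash.$i" ]; do i=$((i + 1)); done   # distinct subjects, same hash
        ln -s "$(basename "$pem")" "$dir/$hash.$i"
    done
}

# rebuild_dir BUNDLE OUTDIR
# Clean rebuild: remove the previous split output, split again, rehash.
# Prints the number of certificates installed.
rebuild_dir() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    rm -f "$outdir"/cert-[0-9][0-9][0-9][0-9].pem
    count=$(split_bundle "$bundle" "$outdir") || return 1
    rehash_dir "$outdir" || return 1
    printf '%s\n' "$count"
}

# sample_bundle DEST
# Writes a constructed two-block bundle for exercising split_bundle. The
# blocks are placeholders, not real certificates, so rehash_dir will reject them.
sample_bundle() {
    printf '%s\n' \
        '# Constructed sample bundle (placeholder blocks, not real CA certs)' \
        '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVIgT05F' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVIgVFdP' '-----END CERTIFICATE-----' \
        > "$1"
}

# Usage with real input (both paths are placeholders; adjust to your system):
#   sh split_cas.sh /path/to/ca-root-nss.crt /path/to/hashed/certs
if [ "$#" -eq 2 ]; then
    rebuild_dir "$1" "$2"
fi
```

Because rebuild_dir deletes the old cert-NNNN.pem files and every hash link before regenerating them, a certificate that has been dropped from the bundle disappears from the directory on the next run instead of lingering as a still-trusted file, which is the failure mode the mail warns about. Local CA certificates kept under a different file name in the same directory survive the rebuild and still get their hash link from rehash_dir.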