Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 12 Feb 2021 14:35:20 -0800 (PST)
From:      "Dan Mahoney (Gushi)" <>
To:        Kyle Evans <>
Cc:        "Dan Mahoney (Gushi)" <>,, Allan Jude <>
Subject:   Re: splitting ca_root_nss into component pem files
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Fri, 12 Feb 2021, Kyle Evans wrote:

> On Fri, Feb 12, 2021 at 1:23 PM Dan Mahoney (Gushi) <> wrote:
>> Allan (and all),
>> I notice FreeBSD now comes with certctl which knows how to split and
>> manage trusted SSL certs.  FreeBSD 12.2 includes a /usr/share/ssl/certs
>> directory now (no mention of that in the release notes?) and a tool called
>> certctl.
>> Certctl has (for some reason) been backported to 11.x, where there are no
>> individual certs provided by default, so I'm confused as to why this is.
> I fully intended to ship 11.4 with them, but pulled them at the last
> minute due to some issues with certctl.
>> ca_root_nss only provides a monolithic cert.
>> Some apps require a directory of hashes and symlinks.  This is common,
>> especially when you want to trust your local CA as well as the netscape
>> ones.  Additionally, some tools (like sendmail) seem to require the
>> symlinked approach.
>> Is there a tool (installed with base, or from ports) that will do this
>> splitting of ca_root_nss, to some standard directory?  (certctl doesn't
>> appear to).
> I have some local WIP that's going to split ca_root_nss out like the
> base bundle is, so that it's compatible with certctl and friends. My
> vision is that ca_root_nss will provide more expedient updates of the
> bundle to folks that need it on a better timeline than EN/SA can
> deliver.
>> Should this not be a standard thing in the pkg-message for ca_root_nss?
>> (This seems to be a tangly problem to google).
>> Note I solved this myself a few years back:
>>, but I'd like to have a "right"
>> answer.
>> But...this feels like something that should have a base tool AND be in the
>> handbook, since the *removal* of a cert from ca_root_nss will cause users
>> to still trust it -- a clean rebuild should be possible.
> Right, that's the problem I'm hoping to solve by splitting ca_root_nss up.

Okay.  From an architecture POV does that mean that effectively the port's 
makefile will fetch the main file and do the splitting, and then that each 
individual file will be added (with names similar to what are in 12.2) as 
part of the port's plist (which means you could see the provenance of them 
with pkg which?)

Because that would be sort of amazing.

The only question comes when you have a cert with the same hash installed 
by the base system *and* ca_root_nss.  (Or when freebsd-update pulls down 
a blacklist entry for a cert that's in base but still remains in 

Thanks for this work.  I recognize that there's this weird fine line where 
the OS vendor doesn't want to say "you should trust these" but at the same 
time, should say "but you want ssl to work at all, right?".



--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC

Want to link to this message? Use this URL: <>