Greetings, ASSI!

> Andrey Repin via Cygwin writes:
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt is missing from my
>> system.
>> The `update-ca-trust extract` doesn't even touch it.
>>
>> What happened?

> Fedora dropped the command that creates the file and removed it from
> distribution here:

> https://src.fedoraproject.org/rpms/ca-certificates/c/7dc60cbc6b0b87462acf6c524bfbd85f1550bec4?branch=rawhide

> You can manually create it like this if it's still needed (I would like
> to know what for):

Not all programs can use hashdir. More so, in many places it was said the
bundle is preferred over the hashdir.
I.e. the PHP openssl module configuration says this:

>> openssl.cafile string
>> Location of Certificate Authority file on local filesystem which should be
>> used with the verify_peer context option to authenticate the identity of
>> the remote peer.
>>
>> openssl.capath string
>> If cafile is not specified or if the certificate is not found there, the
>> directory pointed to by capath is searched for a suitable certificate.
>> capath must be a correctly hashed certificate directory.

Which looks exactly like the bundle is preferred (though I fail to see why:
it'll incur the parsing overhead for certain, where you could pick a specific
cert from the hashdir almost in an instant).

> /usr/bin/trust extract --format=openssl-bundle --filter=certificates
> --overwrite --comment /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Thanks, I'll try that.

> …although it looks to me that all certs are available individually in
> /etc/pki/tls/certs so the bundle would be redundant.

Indeed, they do.


-- 
With best regards,
Andrey Repin
Friday, February 28, 2025 10:00:37

Sorry for my terrible english...

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
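
Added example, not part of the original message: a shell check that reports which of the two trust sources discussed above (bundle file or hashed directory) a client configured with `cafile`/`capath` would find usable, in the order the quoted PHP documentation describes. The function names are made up for this example, the default paths are the two named in the thread, and the check only looks for the presence of entries; it does not validate any certificate.

```shell
#!/bin/sh
# Added example: function names are hypothetical, default paths come from the thread.

# count_pem_certs FILE: number of PEM certificate blocks in FILE. Accepts both
# "CERTIFICATE" and OpenSSL's "TRUSTED CERTIFICATE" headers, the latter being
# what an openssl-bundle extract contains. Prints 0 for a missing file.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -E '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$1" || true
}

# count_hash_links DIR: entries named <8 hex digits>.<n>, the file names
# OpenSSL looks up in a hashed certificate directory. Prints 0 if DIR is absent.
count_hash_links() {
    [ -d "$1" ] || { echo 0; return; }
    ls -1 "$1" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true
}

# pick_trust_source BUNDLE HASHDIR: prints "cafile" if the bundle holds at
# least one certificate, else "capath" if the directory holds hashed entries,
# else "none" (a client with verify_peer enabled would then reject every peer).
pick_trust_source() {
    if [ "$(count_pem_certs "$1")" -gt 0 ]; then
        echo cafile
    elif [ "$(count_hash_links "$2")" -gt 0 ]; then
        echo capath
    else
        echo none
    fi
}

# Run against the paths named in the thread unless others are given.
pick_trust_source \
    "${1:-/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt}" \
    "${2:-/etc/pki/tls/certs}"
```

A result of `capath` on a system where a program is configured only with the bundle path means that program needs either the bundle recreated or its configuration pointed at the directory.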
