https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Bug ID: 284749
Summary: certctl: add support for generating cert.pem CAfiles
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: b...@freebsd.org
Reporter: ports.maintai...@evilphi.com

Created attachment 257429
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=257429&action=edit
Adds optional CAfile generation to certctl

In an effort to obviate/fix ca_root_nss, I modified certctl to add the ability to generate and maintain the cert.pem files that the port would otherwise install. This provides the same set of root certificates, but in a way that still allows for the local certificates installation and freebsd-update-based distribution that makes certctl so useful.

The basic design is this:

- certctl-makebundles generates /etc/ssl/cert.pem, /usr/local/etc/ssl/cert.pem, and /usr/local/openssl/cert.pem by concatenating the certificates hashlinked in /etc/ssl/certs
- certctl-rehash does the normal rehash, then looks for those cert.pem files and regenerates them if they already exist
- certctl-deletebundles merely wraps rm, but provides usage uniformity so the ca_root_nss can run a single postunexec command

If makebundles is never run, certctl behaviour is unchanged. The CApath in /etc/ssl/certs is always generated normally.

The patch is against the version in -CURRENT, but I'm presently using it in production on 13.4.
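
The makebundles and rehash behaviour described in this report, as an added shell example that is not the attached patch or certctl's own code. The function names `make_bundle` and `refresh_bundles` are hypothetical, the PEM bodies are constructed placeholders, and the refusal to write an empty bundle and the temp-file rename are assumptions of this example, not behaviour stated in the report.

```shell
#!/bin/sh
# Added illustration, not the attached patch; function names are hypothetical.

# Concatenate every certificate hashlinked in CApath $1 into CAfile $2.
make_bundle() {
    mb_dir=$1 mb_out=$2 mb_n=0
    mb_tmp=$(mktemp "${mb_out}.XXXXXX") || return 1
    # OpenSSL-style hashlinks are named <8 hex digits>.<sequence number>.
    for mb_link in "$mb_dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -f "$mb_link" ] || continue    # unmatched glob or dangling link
        cat "$mb_link" >> "$mb_tmp" || { rm -f "$mb_tmp"; return 1; }
        mb_n=$((mb_n + 1))
    done
    # Assumption: never replace a working trust store with an empty one.
    if [ "$mb_n" -eq 0 ]; then rm -f "$mb_tmp"; return 1; fi
    # Rename within one directory so TLS clients never read a partial bundle.
    chmod 0644 "$mb_tmp" && mv -f "$mb_tmp" "$mb_out"
}

# Rehash step from the report: regenerate only bundles that already exist.
refresh_bundles() {
    rb_dir=$1; shift
    for rb_out in "$@"; do
        [ -f "$rb_out" ] || continue     # makebundles was never run for this path
        make_bundle "$rb_dir" "$rb_out" || return 1
    done
}

# Constructed sample data: placeholder PEM bodies, not real certificates.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs" "$d/trusted"
    for name in rootA rootB; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$name" \
            '-----END CERTIFICATE-----' > "$d/trusted/$name.pem"
    done
    ln -s ../trusted/rootA.pem "$d/certs/0a1b2c3d.0"
    ln -s ../trusted/rootB.pem "$d/certs/4e5f6a7b.0"
    ln -s ../trusted/gone.pem  "$d/certs/deadbeef.0"   # dangling link, skipped
    make_bundle "$d/certs" "$d/cert.pem" &&            # explicit opt-in
        refresh_bundles "$d/certs" "$d/cert.pem" "$d/other.pem" &&
        grep -c 'BEGIN CERTIFICATE' "$d/cert.pem"      # other.pem is not created
    rm -rf "$d"
}
demo
```
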