On Tue, Feb 24, 2015 at 03:31:14PM -0500, Mark H Weaver wrote:
> The single-file bundle is just a concatenation of all the individual PEM
> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
> "-----END CERTIFICATE-----", including those delimiters.
>
> The only caveat is that the individual PEM files are not required to
> have a newline after the "-----END CERTIFICATE-----", but in the
> single-file cert bundle, we must ensure that the newline is present.

I just did a "cat" of two .pem files from nss-certs, and the result looked
good. There are comment lines (starting with #) between the
"-----END CERTIFICATE-----" and the following "-----BEGIN CERTIFICATE-----",
which I hope is okay.

> I think it belongs in the profile generation code for the benefit of
> users running Guix packages on top of another distro, where they might
> not have root access. They can simply set GIT_SSL_CAINFO and
> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>
> What do you think?

Yes, that sounds like the right approach: Create a concatenation of all the
files in ~/.guix-profile/etc/ssl/certs .

Andreas
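
The concatenation discussed in this message, as an added example that is not part of the original thread or of Guix's code: a POSIX shell helper that builds the single-file bundle and appends a newline only where a PEM file lacks one. The function names and the two constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# build_ca_bundle CERT_DIR OUT_FILE  (hypothetical helper name)
# Concatenate every *.pem in CERT_DIR into OUT_FILE, making sure each file
# ends in a newline so "-----END CERTIFICATE-----" is never glued to the
# next "-----BEGIN CERTIFICATE-----".
build_ca_bundle() {
    cert_dir=$1
    out=$2
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    for pem in "$cert_dir"/*.pem; do
        [ -f "$pem" ] || continue          # also covers an unmatched glob
        # Skip files that hold no certificate at all.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || continue
        cat "$pem" >> "$tmp" || { rm -f "$tmp"; return 1; }
        # Command substitution strips a trailing newline, so the result is
        # non-empty only when the file's last byte is something else.
        if [ -n "$(tail -c 1 "$pem")" ]; then
            printf '\n' >> "$tmp"
        fi
    done
    chmod 644 "$tmp"                       # mktemp creates the file 0600
    mv "$tmp" "$out"                       # replace the bundle in one step
}

# Print the number of lines where two PEM delimiters ran together.
# 0 means every certificate starts on its own line.
count_glued_delimiters() {
    grep -c -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed sample input (not real certificates): a.pem carries a comment
# line and has no final newline, b.pem is newline-terminated.
make_sample_certs() {
    printf '%s\n%s\n%s\n%s' '# constructed comment line' \
        '-----BEGIN CERTIFICATE-----' 'QUJD' \
        '-----END CERTIFICATE-----' > "$1/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'REVG' \
        '-----END CERTIFICATE-----' > "$1/b.pem"
}
```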