> On 25 May 2022, at 19:22, SCOTT FIELDS <scott.fie...@kyndryl.com> wrote:
>
> If you’re referring to files in /etc/pki, that’s not a management API, like
> CAPI or CNG provides in Windows (and a like API in OSX).

There are tools that you run that manage the files. Sorry, I do not have the details in front of me. The tools are the API, at least for the trust store, from what I recall when I set it up.

> There’s a keychain solution in Gnome (GNOME/Keyring) but not widely adopted
> that I’ve seen.

I use KDE and the kwallet is used in most apps I use. If there is an app in gnome that is not using the keyring then that is a problem with the app surely, not the API?

> This just seems a good match to have available within systemd

I do not speak for systemd, just curious about why you think this is needed.

Barry

> From: Barry Scott <ba...@barrys-emacs.org>
> Sent: Wednesday, May 25, 2022 1:16 PM
> To: SCOTT FIELDS <scott.fie...@kyndryl.com>
> Cc: systemd-devel@lists.freedesktop.org
> Subject: [EXTERNAL] Re: [systemd-devel] certificate and trust store feature
> for systemd
>
> On 25 May 2022, at 14:06, SCOTT FIELDS <scott.fie...@kyndryl.com> wrote:
>
> I apologize for the very general inquiry.
>
> Are there any plans to have system natively support its own trust store for
> items like CAs, x509 certs, passwords & truststores akin to the keychain in
> Windows and OS X?
>
> But these are solved problems on modern Linux systems aren't they?
>
> At least with RHEL and Fedora they have trust store and keychains.
>
> I still find the management of PKIs in /etc/pki to be problematic.
>
> For my home network I have my own DNS domain and CA setup. It was easy to add
> the CA to Fedora's trust store.
>
> Having this available as a core service within systemd using like APIs either
> in (mostly deprecated) CAPI or the new CNG
>
> Barry
>
> Scott Fields
> IBM/Kyndryl
> SRE – BNSF
> 817-593-5038 (BNSF)
> scott.fie...@kyndryl.com
> scott.fie...@bnsf.com