[arch-commits] Commit in ca-certificates/trunk (update-ca-trust.8.txt)

Jan Steffens heftig at archlinux.org
Mon Dec 1 02:45:14 UTC 2014


    Date: Monday, December 1, 2014 @ 03:45:13
  Author: heftig
Revision: 227207

Update docs

Modified:
  ca-certificates/trunk/update-ca-trust.8.txt

-----------------------+
 update-ca-trust.8.txt |   44 +++++++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 17 deletions(-)

Modified: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt	2014-12-01 02:31:07 UTC (rev 227206)
+++ update-ca-trust.8.txt	2014-12-01 02:45:13 UTC (rev 227207)
@@ -36,7 +36,7 @@
 feature of Certificate Authority (CA) certificates and associated trust.
 
 The feature is available for new applications that read the
-consolidated configuration files found in the /etc/ca-certificates/extracted directory
+consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
 or that load the PKCS#11 module p11-kit-trust.so
 
 Parts of the new feature are also provided in a way to make it useful
@@ -52,7 +52,7 @@
 
 In order to enable legacy applications, that read the classic files or 
 access the classic module, to make use of the new consolidated and dynamic configuration 
-feature, the classic filenames have been changed to symbolic links.
+feature, some classic filenames have been changed to symbolic links.
 The symbolic links refer to dynamically created and consolidated 
 output stored below the /etc/ca-certificates/extracted directory hierarchy.
 
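Review bot: "some classic filenames" in the changed line no longer tells the reader which names are symbolic links and which are now regular generated files. Suggest naming the linked files in this sentence or pointing at the FILES section, so an administrator checking a link target knows which paths to expect as links.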
@@ -143,12 +143,12 @@
 BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
 
 Applications that rely on a static file for a list of trusted CAs
-may load one of the files found in the /etc/ca-certificates/extracted
+may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
 directory. After modifying any file in the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories or in any of their subdirectories, or after adding a file, 
 it is necessary to run the 'update-ca-trust extract' command,
-in order to update the consolidated files in /etc/ca-certificates/extracted/ .
+in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
 
 Applications that load the classic PKCS#11 module using filename libnssckbi.so 
 (which has been converted into a symbolic link pointing to the new module)
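Review bot: The first changed line now names two locations, but the unchanged continuation line still reads "directory.", and the second changed line says the files are updated in "/etc/ssl/certs or /etc/ca-certificates/extracted/", where "or" reads as a choice between the two. Suggest "directories." on the continuation line and "and" in the update sentence, matching the *extract* description later in this patch, which says both hierarchies are regenerated.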
@@ -161,7 +161,7 @@
 [[extractconf]]
 EXTRACTED CONFIGURATION
 -----------------------
-The directory /etc/ca-certificates/extracted/ contains generated CA certificate 
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate 
 bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
 by running the 'update-ca-trust extract' command.
 
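Review bot: Subject-verb agreement in the changed line: with the subject now plural, "The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains" should read "contain". The trailing slash is also used on only one of the two paths; pick one form for both.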
@@ -169,7 +169,7 @@
 then you can use these files in your application to load a list of global
 root CA certificates.
 
-Please never manually edit the files stored in this directory,
+Please never manually edit the files stored in these directories,
 because your changes will be lost and the files automatically overwritten,
 each time the 'update-ca-trust extract' command gets executed.
 
@@ -178,19 +178,19 @@
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
 
-The directory /etc/ca-certificates/extracted/java/ contains 
+The directory /etc/ssl/certs/java contains 
 a CA certificate bundle in the java keystore file format.
 Distrust information cannot be represented in this file format,
 and distrusted certificates are missing from these files.
 File cacerts contains CA certificates trusted for TLS server authentication.
 
-The directory /etc/ca-certificates/extracted/openssl/ contains 
-CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
+The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm, as well 
+as a ca-bundle.trust.crt bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
 as described in the x509(1) manual page.
-File ca-bundle.trust.crt contains the full set of all trusted
+The dir or the bundle contain the full set of all trusted
 or distrusted certificates, including the associated trust flags.
 
-The directory /etc/ca-certificates/extracted/pem/ contains 
+The directory /etc/ca-certificates/extracted contains 
 CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
 as decribed in the x509(1) manual page.
 Distrust information cannot be represented in this file format,
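Review bot: The new /etc/ssl/certs paragraph says the directory or the bundle holds "the full set of all trusted or distrusted certificates", while other hunks of this patch tell applications they may load files from /etc/ssl/certs, so a reader could take every certificate in the hash directory to be a trust anchor. Suggest adding a sentence that consumers of this directory must honour the trust flags carried in the BEGIN/END TRUSTED CERTIFICATE format, and that software which cannot should use the simple BEGIN/END CERTIFICATE files described in the following paragraph. Wording nits in the same lines: "a OpenSSL-cadir-style" should be "an OpenSSL-cadir-style", and "The dir or the bundle contain" would read better as "Both the directory and the bundle contain".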
@@ -213,21 +213,31 @@
 *extract*::
     Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
     updated versions of the consolidated configuration files stored below
-    the /etc/ca-certificates/extracted directory hierarchy.
+    the /etc/ssl/certs and /etc/ca-certificates/extracted directory 
+    hierarchies.
 
 FILES
 -----
-/etc/ssl/certs/ca-certificates.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+/etc/ssl/certs::
+	Classic directory, contains individual CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage,
+	which are created by the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. 
+	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
 /etc/ssl/certs/ca-bundle.trust.crt::
 	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+	This file is consolidated output created by the update-ca-trust command.
 
+/etc/ssl/certs/ca-certificates.crt::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
+
+/etc/ssl/cert.pem::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
+
 /etc/ssl/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+	This file is consolidated output created by the update-ca-trust command.
 
 /usr/share/ca-certificates/trust-source::
 	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
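Review bot: The /etc/ssl/java/cacerts entry keeps its old heading while its description changes from symbolic link to generated output, but the EXTRACTED CONFIGURATION text in this same patch places the Java keystore under /etc/ssl/certs/java, so one of the two paths is stale and the FILES heading should be made to match. Separately, the new /etc/ssl/certs entry describes the directory as holding certificates in the extended format only, yet the entries after it list /etc/ssl/certs/ca-certificates.crt in the simple format in that same directory; a short mention of the exception would keep the entry accurate. The ca-certificates.crt and cert.pem entries could also name the file their symbolic link points to, since "consolidated output" does not let a reader verify the link target.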


