[arch-commits] Commit in ca-certificates/repos (12 files)
Jan Steffens
heftig at gemini.archlinux.org
Mon Sep 5 22:05:14 UTC 2022
Date: Monday, September 5, 2022 @ 22:05:14
Author: heftig
Revision: 455098
archrelease: copy trunk to testing-any
Added:
ca-certificates/repos/testing-any/
ca-certificates/repos/testing-any/40-update-ca-trust.hook
(from rev 455097, ca-certificates/trunk/40-update-ca-trust.hook)
ca-certificates/repos/testing-any/PKGBUILD
(from rev 455097, ca-certificates/trunk/PKGBUILD)
ca-certificates/repos/testing-any/README.etc
(from rev 455097, ca-certificates/trunk/README.etc)
ca-certificates/repos/testing-any/README.etcssl
(from rev 455097, ca-certificates/trunk/README.etcssl)
ca-certificates/repos/testing-any/README.extr
(from rev 455097, ca-certificates/trunk/README.extr)
ca-certificates/repos/testing-any/README.java
(from rev 455097, ca-certificates/trunk/README.java)
ca-certificates/repos/testing-any/README.src
(from rev 455097, ca-certificates/trunk/README.src)
ca-certificates/repos/testing-any/README.usr
(from rev 455097, ca-certificates/trunk/README.usr)
ca-certificates/repos/testing-any/ca-certificates-utils.install
(from rev 455097, ca-certificates/trunk/ca-certificates-utils.install)
ca-certificates/repos/testing-any/update-ca-trust
(from rev 455097, ca-certificates/trunk/update-ca-trust)
ca-certificates/repos/testing-any/update-ca-trust.8.txt
(from rev 455097, ca-certificates/trunk/update-ca-trust.8.txt)
-------------------------------+
40-update-ca-trust.hook | 11 +
PKGBUILD | 70 +++++++++
README.etc | 4
README.etcssl | 21 ++
README.extr | 33 ++++
README.java | 16 ++
README.src | 20 ++
README.usr | 20 ++
ca-certificates-utils.install | 23 +++
update-ca-trust | 42 +++++
update-ca-trust.8.txt | 286 ++++++++++++++++++++++++++++++++++++++++
11 files changed, 546 insertions(+)
Copied: ca-certificates/repos/testing-any/40-update-ca-trust.hook (from rev 455097, ca-certificates/trunk/40-update-ca-trust.hook)
===================================================================
--- testing-any/40-update-ca-trust.hook (rev 0)
+++ testing-any/40-update-ca-trust.hook 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = Path
+Target = usr/share/ca-certificates/trust-source/*
+
+[Action]
+Description = Rebuilding certificate stores...
+When = PostTransaction
+Exec = /usr/bin/update-ca-trust
Copied: ca-certificates/repos/testing-any/PKGBUILD (from rev 455097, ca-certificates/trunk/PKGBUILD)
===================================================================
--- testing-any/PKGBUILD (rev 0)
+++ testing-any/PKGBUILD 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,70 @@
+# Maintainer: Jan Alexander Steffens (heftig) <heftig at archlinux.org>
+# Contributor: Pierre Schmitz <pierre at archlinux.de>
+
+pkgbase=ca-certificates
+pkgname=(ca-certificates-utils ca-certificates)
+pkgver=20220905
+pkgrel=1
+pkgdesc="Common CA certificates"
+url="https://src.fedoraproject.org/rpms/ca-certificates"
+arch=(any)
+license=(GPL)
+makedepends=(asciidoc p11-kit)
+source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
+ README.{etc,etcssl,extr,java,src,usr})
+sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
+ '7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
+ '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
+ 'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
+ 'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
+ 'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
+ '5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
+ 'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
+ '3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
+
+build() {
+ a2x -v -f manpage update-ca-trust.8.txt
+}
+
+package_ca-certificates-utils() {
+ pkgdesc+=" (utilities)"
+ depends=(bash coreutils findutils 'p11-kit>=0.24.0')
+ provides=(ca-certificates ca-certificates-java)
+ conflicts=(ca-certificates-java)
+ replaces=(ca-certificates-java)
+ install=ca-certificates-utils.install
+
+ install -Dt "$pkgdir/usr/bin" update-ca-trust
+ install -Dt "$pkgdir/usr/share/man/man8" -m644 update-ca-trust.8
+ install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
+
+ # Trust source directories
+ install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
+ install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
+ install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
+ install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
+
+ # Directories used by update-ca-trust (aka "trust extract-compat")
+ install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
+ install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
+ install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
+
+ # Compatibility link for OpenSSL using /etc/ssl as CAdir
+ # Used in preference to the individual links in /etc/ssl/certs
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+
+ # Compatibility link for legacy bundle (Debian)
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+
+ # Compatibility link for legacy bundle (RHEL/Fedora)
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
+}
+
+package_ca-certificates() {
+ pkgdesc+=" (default providers)"
+ depends=(ca-certificates-mozilla)
+ conflicts=('ca-certificates-cacert<=20140824-4')
+ replaces=("${conflicts[@]}")
+}
+
+# vim:set sw=2 sts=-1 et:
Copied: ca-certificates/repos/testing-any/README.etc (from rev 455097, ca-certificates/trunk/README.etc)
===================================================================
--- testing-any/README.etc (rev 0)
+++ testing-any/README.etc 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,4 @@
+This directory /etc/ca-certificates/ is used by a system of consolidated
+CA certificates.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/README.etcssl (from rev 455097, ca-certificates/trunk/README.etcssl)
===================================================================
--- testing-any/README.etcssl (rev 0)
+++ testing-any/README.etcssl 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,21 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as RHEL and Fedora have long provided
+such a file, and it is possible some software has come to expect its
+existence. Similarly, a bundle named cert.pem is placed in /etc/ssl, as
+this was the historical bundle used by Arch Linux.
+
+The certificates files and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/README.extr (from rev 455097, ca-certificates/trunk/README.extr)
===================================================================
--- testing-any/README.extr (rev 0)
+++ testing-any/README.extr 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,33 @@
+This directory /etc/ca-certificates/extracted/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+The files are as follows:
+
+ - ca-bundle.trust.crt:
+
+ This file is in the BEGIN/END TRUSTED CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ - edk2-cacerts.bin:
+
+ This file is in the EDK2 (EFI Development Kit II) file format.
+
+ - email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
+
+ All files are in the BEGIN/END CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ Distrust information cannot be represented in this file format,
+ and distrusted certificates are missing from these files.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/README.java (from rev 455097, ca-certificates/trunk/README.java)
===================================================================
--- testing-any/README.java (rev 0)
+++ testing-any/README.java 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,16 @@
+This directory /etc/ssl/certs/java/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+All files are in the java keystore file format.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/README.src (from rev 455097, ca-certificates/trunk/README.src)
===================================================================
--- testing-any/README.src (rev 0)
+++ testing-any/README.src 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,20 @@
+This directory /etc/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a high priority - higher than the ones found in
+/usr/share/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /etc/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/README.usr (from rev 455097, ca-certificates/trunk/README.usr)
===================================================================
--- testing-any/README.usr (rev 0)
+++ testing-any/README.usr 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,20 @@
+This directory /usr/share/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a low priority - lower than the ones found in
+/etc/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /usr/share/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Copied: ca-certificates/repos/testing-any/ca-certificates-utils.install (from rev 455097, ca-certificates/trunk/ca-certificates-utils.install)
===================================================================
--- testing-any/ca-certificates-utils.install (rev 0)
+++ testing-any/ca-certificates-utils.install 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,23 @@
+pre_upgrade() {
+ if (( $(vercmp $2 20210603) < 0 )); then
+ local olddir=/etc/ca-certificates/trust-source/blacklist
+ local newdir=/etc/ca-certificates/trust-source/blocklist
+ cat <<MSG
+ > $olddir has been renamed to
+ $newdir
+MSG
+
+ if [[ ! -e $olddir ]]; then
+ : # Do nothing
+ elif [[ -e $newdir ]]; then
+ cat <<MSG
+ > WARNING: $newdir already exists.
+ You must migrate your blocked certificates manually.
+MSG
+ else
+ mv -Tn $olddir $newdir
+ fi
+ fi
+}
+
+# vim:set sw=2 sts=-1 et:
Copied: ca-certificates/repos/testing-any/update-ca-trust (from rev 455097, ca-certificates/trunk/update-ca-trust)
===================================================================
--- testing-any/update-ca-trust (rev 0)
+++ testing-any/update-ca-trust 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# At this time, while this script is trivial, we ignore any parameters given.
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/ca-certificates/extracted
+
+# Prevent p11-kit from reading user configuration files.
+export P11_KIT_NO_USER_CONFIG=1
+
+extract() {
+ trust extract --overwrite "$@"
+}
+
+## Simple PEM bundles
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth $DEST/tls-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email $DEST/email-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
+
+## OpenSSL PEM bundle that includes trust flags
+extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
+
+## TianoCore EDK II bundle
+extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin
+
+## Java bundle
+extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts
+
+## OpenSSL-style directory with individual PEM files and hash links
+# The directory-format extractors remove all files in the target directory, but not directories or files therein
+extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir
+
+# We don't want to have to remove everything from the certs directory but neither
+# do we want to leave stale certs around, so only place symlinks in the real cadir
+for f in $DEST/cadir/*; do
+ ln -fsr -t /etc/ssl/certs "$f"
+done
+
+# Now find and remove all broken symlinks
+find -L /etc/ssl/certs -maxdepth 1 -type l -delete
Copied: ca-certificates/repos/testing-any/update-ca-trust.8.txt (from rev 455097, ca-certificates/trunk/update-ca-trust.8.txt)
===================================================================
--- testing-any/update-ca-trust.8.txt (rev 0)
+++ testing-any/update-ca-trust.8.txt 2022-09-05 22:05:14 UTC (rev 455098)
@@ -0,0 +1,286 @@
+////
+Copyright (C) 2013 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+////
+
+
+update-ca-trust(8)
+==================
+:doctype: manpage
+:man source: update-ca-trust
+
+
+NAME
+----
+update-ca-trust - manage consolidated and dynamic configuration of CA
+certificates and associated trust
+
+
+SYNOPSIS
+--------
+*update-ca-trust* ['COMMAND']
+
+
+DESCRIPTION
+-----------
+update-ca-trust(8) is used to manage a consolidated and dynamic configuration
+feature of Certificate Authority (CA) certificates and associated trust.
+
+The feature is available for new applications that read the
+consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
+or that load the PKCS#11 module p11-kit-trust.so
+
+Parts of the new feature are also provided in a way to make it useful
+for legacy applications.
+
+Many legacy applications expect CA certificates and trust configuration
+in a fixed location, contained in files with particular path and name,
+or by referring to a classic PKCS#11 trust module provided by the
+NSS cryptographic library.
+
+The dynamic configuration feature provides functionally compatible replacements
+for classic configuration files and for the classic NSS trust module named libnssckbi.
+
+In order to enable legacy applications, that read the classic files or
+access the classic module, to make use of the new consolidated and dynamic configuration
+feature, some classic filenames have been changed to symbolic links.
+The symbolic links refer to dynamically created and consolidated
+output stored below the /etc/ca-certificates/extracted directory hierarchy.
+
+The output is produced using the 'update-ca-trust' command (without parameters),
+or using the 'update-ca-trust extract' command.
+In order to produce the output, a flexible set of source configuration
+is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
+
+In addition, the classic PKCS#11 module
+is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
+reads the same source configuration.
+
+
+[[sourceconf]]
+SOURCE CONFIGURATION
+--------------------
+The dynamic configuration feature uses several source directories that
+will be scanned for any number of source files. *It is important to select
+the correct subdirectory for adding files, as the subdirectory defines how
+contained certificates will be trusted or distrusted, and which file formats are read.*
+
+Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *low priority*.
+
+Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *high priority*.
+
+.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
+* If you are manually adding a configuration file to a system, you probably
+want it to override any other default configuration, and you most likely should
+add it to the respective subdirectory in the /etc hierarchy.
+* If you are creating a package that provides additional root CA certificates,
+that is intended for distribution to several computer systems, but you still
+want to allow the administrator to override your list, then your package should
+add your files to the respective subdirectory in the /usr hierarchy.
+* If you are creating a package that is supposed to override the default system
+trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
+subdirectory in the /etc hierarchy.
+
+.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
+* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
+* run 'update-ca-trust extract'
+
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
+* add it as a new file to directory /etc/ca-certificates/trust-source/
+* run 'update-ca-trust extract'
+
+.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
+* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+* simple blocklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
+* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+
+.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
+* certificate files that include trust flags,
+ in the BEGIN/END TRUSTED CERTIFICATE file format
+ (any file name), which have been created using the openssl x509 tool
+ and the -addreject -addtrust options.
+ Bundle files with multiple certificates are supported.
+* files in the p11-kit file format using the .p11-kit file name
+ extension, which can (e.g.) be used to distrust certificates
+ based on serial number and issuer name, without having the
+ full certificate available.
+ (This is currently an undocumented format, to be extended later.
+ For examples of the supported formats, see the files
+ shipped with the ca-certificates-mozilla package.)
+* certificate files without trust flags in either the DER file format or in
+ the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
+ will be added with neutral trust, neither trusted nor distrusted.
+ They will simply be known to the system, which might be helpful to
+ assist cryptographic software in constructing chains of certificates.
+ (If you want a CA certificate in these file formats to be trusted, you
+ should remove it from this directory and move it to the
+ ./anchors subdirectory instead.)
+
+In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *trusted* for all purposes.
+
+In the blocklist subdirectories /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *distrusted* for all purposes.
+
+Please refer to the x509(1) manual page for the documentation of the
+BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
+
+Applications that rely on a static file for a list of trusted CAs
+may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
+directories. After modifying any file in the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories or in any of their subdirectories, or after adding a file,
+it is necessary to run the 'update-ca-trust extract' command,
+in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
+
+Applications that load the classic PKCS#11 module using filename libnssckbi.so
+(which has been converted into a symbolic link pointing to the new module)
+and any application capable of
+loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
+the dynamically merged set of certificates and trust information stored in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories.
+
+
+[[extractconf]]
+EXTRACTED CONFIGURATION
+-----------------------
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate
+bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
+by running the 'update-ca-trust extract' command.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in these directories,
+because your changes will be lost and the files automatically overwritten,
+each time the 'update-ca-trust extract' command gets executed.
+
+In order to install new trusted or distrusted certificates,
+please rather install them in the respective subdirectory below the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
+
+The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
+Distrust information cannot be represented in this format,
+and distrusted certificates are missing from these files.
+
+The directory /etc/ssl/certs/java contains
+a CA certificate bundle in the java keystore file format.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File cacerts contains CA certificates trusted for TLS server authentication.
+
+The directory /etc/ca-certificates/extracted contains
+a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format,
+as described in the x509(1) manual page.
+File ca-bundle.trust.crt contains the full set of all trusted
+or distrusted certificates, including the associated trust flags.
+It also contains
+CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
+as described in the x509(1) manual page.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File tls-ca-bundle.pem contains CA certificates
+trusted for TLS server authentication.
+File email-ca-bundle.pem contains CA certificates
+trusted for E-Mail protection.
+File objsign-ca-bundle.pem contains CA certificates
+trusted for code signing.
+It also contains a CA
+certificate bundle ("edk2-cacerts.bin") in the "sequence of
+EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
+sections "31.4.1 Signature Database" and
+"EFI_CERT_X509_GUID". Distrust information cannot be represented in
+this file format, and distrusted certificates are missing from these
+files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS
+server authentication.
+
+
+COMMANDS
+--------
+(absent/empty command)::
+ Same as the *extract* command described below. (However, the command may
+ print fewer warnings, as this command is being run during package
+ installation, where non-fatal status output is undesired.)
+
+*extract*::
+ Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
+ updated versions of the consolidated configuration files stored below
+ the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
+
+FILES
+-----
+/etc/ssl/certs::
+ Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+ These files are symbolic links that are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/cert.pem::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/java/cacerts::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+/usr/share/ca-certificates/trust-source::
+ Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/trust-source::
+ Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/extracted::
+ Contains consolidated and automatically generated configuration files for consumption by applications,
+ which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
+ See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
+
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+ File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+/etc/ca-certificates/extracted/email-ca-bundle.pem::
+ File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+/etc/ca-certificates/extracted/objsign-ca-bundle.pem::
+ File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+ File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ This file is consolidated output created by the update-ca-trust command.
+
+/etc/ca-certificates/extracted/cadir::
+ Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+ These files are maintained by the update-ca-trust command.
+
+/etc/ca-certificates/extracted/edk2-cacerts.bin::
+ File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+AUTHOR
+------
+Written by Kai Engert and Stef Walter.
More information about the arch-commits
mailing list