[arch-dev-public] Rethinking our CA certificate setup

Jan Alexander Steffens jan.steffens at gmail.com
Sun Aug 24 05:47:56 EDT 2014

Hi guys,

I'm currently at FrOSCon with Pierre and an expert from CAcert.org and
we're thinking of changes to our certificate setup.

The current issues are:
- Mozilla NSS uses its own root store and not /etc/ssl/certs
- ca-certificates ships outdated Mozilla roots
- Shipping additional roots outside ca-certificates is difficult,
requiring patching /etc/ca-certificates.conf

To solve these issues, we thought of making the following changes:

- Attach NSS to p11-kit so it uses our root store (easily done by
replacing /usr/lib/libnssckbi.so with a symlink to p11-kit-proxy.so)
- Patch the update-ca-certificates script to read
/etc/ca-certificates/conf.d instead of /etc/ca-certificates.conf
- Split the current Mozilla roots from the NSS package in the
ca-certificates format, shipping
- Create a package shipping the CAcert.org roots in a similar way
- Ship the update-ca-certificates script in a ca-certificates-utils
package, which the certificate packages depend on
- ca-certificates becomes a metapackage depending on the -mozilla and
-cacert packages

Comments are welcome. Unless we get objections, we're going to start
making these changes. Hopefully we can be done today and push the
result to [testing].
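
A check for the layout proposed in the message above, as an added example that is not part of the original post or of any Arch package: it reports whether a tree's NSS trust module is the p11-kit symlink and which ca-certificates configuration layout is present. The function names and output labels are hypothetical; only the three paths come from the message.

```shell
#!/bin/sh
# Audit a filesystem tree (default "/") against the proposed CA setup.
# Function names and result labels are illustrative assumptions.

# nss_trust_source ROOT -> p11-kit | unknown-symlink | builtin | missing
nss_trust_source() (
    lib="${1%/}/usr/lib/libnssckbi.so"
    if [ -L "$lib" ]; then
        # The proposal replaces the module with a symlink to
        # p11-kit-proxy.so, so compare the link target's file name.
        case "$(basename "$(readlink "$lib")")" in
            p11-kit-proxy.so) echo "p11-kit" ;;
            *)                echo "unknown-symlink" ;;
        esac
    elif [ -e "$lib" ]; then
        echo "builtin"   # regular file: NSS still loads its own root store
    else
        echo "missing"
    fi
)

# ca_config_layout ROOT -> conf.d | legacy | both | none
ca_config_layout() (
    root="${1%/}"; dir=0; file=0
    if [ -d "$root/etc/ca-certificates/conf.d" ]; then dir=1; fi
    if [ -f "$root/etc/ca-certificates.conf" ]; then file=1; fi
    case "$dir$file" in
        11) echo "both" ;;     # old config file left behind after migration
        10) echo "conf.d" ;;
        01) echo "legacy" ;;
        *)  echo "none" ;;
    esac
)

# audit_tree ROOT -> one summary line combining both checks
audit_tree() (
    root="${1:-/}"
    echo "nss=$(nss_trust_source "$root") config=$(ca_config_layout "$root")"
)

audit_tree "${1:-/}"
```

Pass a chroot or image prefix as the first argument to audit something other than the running system.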


