[arch-dev-public] Rethinking our CA certificate setup

Massimiliano Torromeo massimiliano.torromeo at gmail.com
Sun Aug 24 06:22:28 EDT 2014

On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens <
jan.steffens at gmail.com> wrote:
> The current issues are:
> - Mozilla NSS uses its own root store and not /etc/ssl/certs
> - ca-certificates ships outdated Mozilla roots
> - Shipping additional roots outside ca-certificates is difficult,
> requiring patching /etc/ca-certificates.conf

Agreed, the current situation is far from optimal.

On a related note, currently replacing the libnssckbi.so lib with any other
drop-in replacement could be handled better.

I have been symlinking /usr/lib/pkcs11/p11-kit-trust.so to
/usr/lib/libnssckbi.so to use the trust policy module [1] for quite some
time and the only way to not let pacman screw this setup is to add
"usr/lib/libnssckbi.so" to both NoUpgrade and NoExtract in pacman.conf.

[1] http://p11-glue.freedesktop.org/doc/p11-kit/trust-module.html
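
A check for the setup described in the message above, as an added example that is not part of the original post: it verifies that libnssckbi.so is still the symlink to the p11-kit trust module and that pacman.conf lists it under both NoUpgrade and NoExtract. The function names and the ROOT/CONF parameters are hypothetical; Include files and glob patterns in pacman.conf are not followed.

```sh
# Added example (not from the original post): audit the libnssckbi.so override.
LIB_REL="usr/lib/libnssckbi.so"
TRUST_ABS="/usr/lib/pkcs11/p11-kit-trust.so"

# conf_lists KEY CONF: succeed if a non-comment "KEY = ..." line names LIB_REL.
# Assumption: literal match only; Include files and globs are not evaluated.
conf_lists() {
    awk -v key="$1" -v want="$LIB_REL" '
        /^[ \t]*#/ { next }                      # skip whole-line comments
        {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            n = split(substr($0, eq + 1), files, /[ \t]+/)
            for (i = 1; i <= n; i++) if (files[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# check_override ROOT CONF: print findings; exit status = number of problems.
# Runs in a subshell so its variables do not leak into the caller.
# Usage on a live system: check_override / /etc/pacman.conf
check_override() (
    root=${1%/}; conf=$2; problems=0
    lib="$root/$LIB_REL"
    if [ ! -L "$lib" ]; then
        # A regular file here means the packaged library replaced the symlink.
        echo "FAIL: $lib is not a symlink"
        problems=$((problems + 1))
    elif [ "$(readlink "$lib")" != "$TRUST_ABS" ]; then
        echo "FAIL: $lib points to $(readlink "$lib"), expected $TRUST_ABS"
        problems=$((problems + 1))
    fi
    for key in NoUpgrade NoExtract; do
        if ! conf_lists "$key" "$conf"; then
            echo "FAIL: $key in $conf does not list $LIB_REL"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: override intact and protected"
    exit "$problems"
)
```
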
