Date: Wed, 24 Feb 2021 07:53:27 -0600 From: Kyle Evans <kevans@freebsd.org> To: Andrea Venturoli <ml@netfence.it> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: SSL Certificates in base Message-ID: <CACNAnaEj8Z5tpZwtzdjyXqs0JjbTPN%2BJ8WaEga8mJ0RQzSPe7w@mail.gmail.com> In-Reply-To: <0d404f23-b248-b05a-d6e0-2aafcd80e609@netfence.it> References: <0d404f23-b248-b05a-d6e0-2aafcd80e609@netfence.it>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 24, 2021 at 2:58 AM Andrea Venturoli <ml@netfence.it> wrote: > > Hello again. > > Sorry if this a dumb question or FAQ: I tried, but failed to find any > official documentation on this. > > In the past, I've always installed security/ca_root_nss to let SSL work, > as there were no CA certificates in base. > 12.2 (and possibly older 12.x, I don't know) already provide several > certificates in /usr/share/certs/trusted. > 12.2 is indeed the first here, though 11.4 has the infrastructure for it. > How are we expected to deal with this? > Is security/ca_root_nss still needed/suggested? > Is it expected to be obsoleted (although easier to update)? > For most people, stuff 'just works'. If you need to add your own roots to the trust store, then security/ca_root_nss may (will?) be a problem. Too much stuff has a hard dependency on it, so I have a side branch to add a USES=caroot and remove that dependency on FreeBSD versions that can do so. > What's the correct procedure to add additional certificates? > I guess just dropping them in /usr/share/certs/trusted won't be enough... > The current model (which is, IMO, still a little wrong path-wise) is that you should add your own to /usr/local/share/certs then execute `certctl rehash`. The exact path is going to change and that one specifically will be phased out in favor of mirroring the base hierarchy as we should have done, but we'll make sure those changes are communicated properly. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaEj8Z5tpZwtzdjyXqs0JjbTPN%2BJ8WaEga8mJ0RQzSPe7w>