Date: Wed, 12 Feb 2025 07:27:09 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 284749] certctl: add support for generating cert.pem CAfiles Message-ID: <bug-284749-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749

Bug ID: 284749
Summary: certctl: add support for generating cert.pem CAfiles
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: ports.maintainer@evilphi.com

Created attachment 257429
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=257429&action=edit
Adds optional CAfile generation to certctl

In an effort to obviate/fix ca_root_nss, I modified certctl to add the ability to generate and maintain the cert.pem files that the port would otherwise install. This provides the same set of root certificates, but in a way that still allows for the local certificate installation and freebsd-update-based distribution that make certctl so useful.

The basic design is this:

- certctl-makebundles generates /etc/ssl/cert.pem, /usr/local/etc/ssl/cert.pem, and /usr/local/openssl/cert.pem by concatenating the certificates hashlinked in /etc/ssl/certs
- certctl-rehash does the normal rehash, then looks for those cert.pem files and regenerates them if they already exist
- certctl-deletebundles merely wraps rm, but provides usage uniformity so the ca_root_nss port can run a single postunexec command

If makebundles is never run, certctl behaviour is unchanged. The CApath in /etc/ssl/certs is always generated normally.

The patch is against the version in -CURRENT, but I'm presently using it in production on 13.4.
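To make the proposed makebundles/rehash behaviour concrete, the following is an added example written for this page; it is not the reporter's patch and not certctl's own code. It assumes certctl's convention of hash-link symlinks named NNNNNNNN.N inside the CApath, and the function names (make_bundle, refresh_bundles, count_certs, demo) and the fake PEM blocks are constructed for illustration. The bundle is written to a temporary file in the same directory and renamed into place, so a process opening cert.pem mid-update never reads a truncated CAfile, and each certificate is guaranteed to end with a newline before the next one is appended, since a missing separator makes OpenSSL silently drop the following certificate.

```shell
#!/bin/sh
# Added example (not certctl's code). Assumed function names throughout.

# make_bundle CAPATH BUNDLE
# Concatenate every certificate reachable through the hash links (NNNNNNNN.N)
# in CAPATH into BUNDLE, replacing BUNDLE atomically. Prints the link count.
make_bundle() {
    capath=$1
    bundle=$2
    tmp="${bundle}.tmp.$$"          # same directory, so mv is atomic
    : > "$tmp"
    count=0
    for link in "$capath"/*.[0-9]; do
        # Skip a non-matching glob and dangling links (rehash normally removes those).
        [ -f "$link" ] || continue
        cat "$link" >> "$tmp"
        # Ensure a trailing newline so the next PEM block is not glued to this one.
        [ "$(tail -c 1 "$link")" = "" ] || echo >> "$tmp"
        count=$((count + 1))
    done
    chmod 0644 "$tmp"
    mv "$tmp" "$bundle"
    echo "$count"
}

# refresh_bundles CAPATH BUNDLE...
# Mirror the proposed rehash step: regenerate only bundles that already exist,
# so a system that never ran makebundles is left untouched.
refresh_bundles() {
    capath=$1; shift
    for b in "$@"; do
        [ -f "$b" ] && make_bundle "$capath" "$b" > /dev/null
    done
    return 0
}

# count_certs FILE: number of PEM certificate blocks in a bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# add_fake_cert BASEDIR NAME INDEX
# Constructed stand-in for a trusted cert plus its hash link (not a real X.509 object).
add_fake_cert() {
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-%s\n-----END CERTIFICATE-----\n' \
        "$2" > "$1/store/$2.pem"
    ln -s "$1/store/$2.pem" "$1/certs/0000000$3.0"
}

# demo: build a throwaway CApath, bundle it, add a cert, refresh, and report
# "<links> <certs after makebundles> <certs after refresh> <untouched bundle state>".
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/store" "$dir/certs"
    i=0
    for name in rootA rootB rootC; do
        add_fake_cert "$dir" "$name" "$i"
        i=$((i + 1))
    done
    links=$(make_bundle "$dir/certs" "$dir/cert.pem")
    c1=$(count_certs "$dir/cert.pem")
    add_fake_cert "$dir" rootD "$i"        # a newly installed local CA
    refresh_bundles "$dir/certs" "$dir/cert.pem" "$dir/never-made.pem"
    c2=$(count_certs "$dir/cert.pem")
    if [ -e "$dir/never-made.pem" ]; then state=present; else state=absent; fi
    rm -rf "$dir"
    echo "$links $c1 $c2 $state"
}
```

On a real system the same sanity check is worth running after makebundles: the number of hash links in /etc/ssl/certs (`ls /etc/ssl/certs/*.[0-9] | wc -l`) should equal the number of BEGIN CERTIFICATE lines in /etc/ssl/cert.pem; a mismatch means a link was dangling or a PEM file lacked its trailing newline.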