Date: Mon, 9 Jan 2017 10:22:14 +0100
From: Julien Cigar
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11 Jails and PKI
Message-ID: <20170109092213.GG15696@mordor.lan>

On Fri, Jan 06, 2017 at 12:01:57PM -0500, James B. Byrne via freebsd-questions wrote:
> If I want to make a binary application available to all jails do I put
> it in /usr/jails/basejail/bin or somewhere else?  Or is this
> impossible?
>
> If possible then do such applications need to be statically linked?
>
> Similarly, given that I wish to maintain a common repository of pki
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/? or somewhere else?
> Or not at all and place them separately in each and every jail that
> requires TLS?
>
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to /usr/local/share/certs/ca-root-nss.crt.

You should manage this with a CMS (SaltStack, for example).

>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                   mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited             http://www.harte-lyne.ca
> 9 Brockley Drive                 vox: +1 905 561 1241
> Hamilton, Ontario                fax: +1 905 561 0757
> Canada  L8E 3C3

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
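
The task raised in the question, re-adding a private root CA after each update to /usr/local/share/certs/ca-root-nss.crt, is the kind of step a configuration-management run enforces on every jail. An added sketch of that idempotent step in plain sh, not code from this thread: the function names, marker comments and the one-directory-per-jail layout are assumptions.

```shell
#!/bin/sh
# Added example: idempotently (re)install a private root CA in a CA bundle.
# Function names, marker text and jail layout are assumptions.
BEGIN_MARK="# BEGIN private-root-ca (managed)"
END_MARK="# END private-root-ca (managed)"

# ensure_private_ca BUNDLE CA_PEM -> 0 on success, 1 on bad input or I/O error
ensure_private_ca() {
    bundle=$1 ca_pem=$2
    [ -f "$bundle" ] && [ -f "$ca_pem" ] || return 1
    # Refuse to append anything that is not a PEM certificate.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_pem" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$ca_pem" || return 1
    tmp=$(mktemp "${bundle}.XXXXXX") || return 1
    # Copy the bundle minus any earlier managed block, then append a fresh
    # one, so repeated runs and CA rotation both converge to one block.
    # "awk 1" copies the CA file and guarantees a trailing newline.
    {
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip   { print }' "$bundle" &&
        printf '%s\n' "$BEGIN_MARK" &&
        awk 1 "$ca_pem" &&
        printf '%s\n' "$END_MARK"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Leave the file untouched when nothing changed; else replace atomically.
    if cmp -s "$tmp" "$bundle"; then
        rm -f "$tmp"
    else
        chmod 644 "$tmp" && mv "$tmp" "$bundle"
    fi
}

# ensure_all_jails JAILS_DIR CA_PEM: apply to every jail's copy of the bundle.
ensure_all_jails() {
    rc=0
    for b in "$1"/*/usr/local/share/certs/ca-root-nss.crt; do
        [ -f "$b" ] || continue
        ensure_private_ca "$b" "$2" || rc=1
    done
    return "$rc"
}

# Usage: script.sh JAILS_DIR CA_PEM
if [ "$#" -eq 2 ]; then
    ensure_all_jails "$1" "$2"
fi
```

Because the managed block is stripped and rewritten on every run, the same call restores the CA after a package update overwrites the bundle and also handles replacing the CA certificate itself.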