system ca certificates based on p11-kit

openSUSE should use p11-kit as the primary tool for CA certificate management.
1. Define the directory where CA certificates are stored. Currently we use subdirectories of /usr/share/ca-certificates. p11-kit prefers to have everything in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. Make update-ca-certificates call p11-kit to generate the compat bundles.
3. Patch openssl, nss and gnutls to use p11-kit directly via its library instead of relying on the generated directories.

More info about the implementation in Fedora:


L. N. wrote: (5 years ago)

I've prepared packages in home:lnussel:branches:Base:System.
Currently pending feedback from upstream wrt file system locations.
Fedora chose /etc/pki/ca-trust/source and
/usr/share/pki/ca-trust-source, which I am not too happy about.
I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but
without the "source"). They also put generated files in /etc which I
will not do. Generated files have to go to /var/lib/ca-certificates.

L. N. wrote: (5 years ago)

First round submitted to Factory.
Next step would be to replace the mozilla-nss-certs package.

L. N. wrote: (5 years ago)

- mozilla-nss-certs can now be replaced by p11-kit-nss-trust
- gnutls uses pkcs11 as trust store
- openssl no longer reads /etc/ssl/certs

L. N. wrote: (4 years ago)

gnutls had to switch back to using a directory though, as it doesn't honor the trust flags yet.

Last change: 17 months ago
