rpms / ca-certificates

Clone
Source Code
GIT

Blame update-ca-trust

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   ebc3273b934b715a5f23734984dce65bf68236d2
  2.   update-ca-trust
Blob History Raw
Kai Engert d538ada 
#!/bin/sh
Kai Engert d538ada
Kai Engert d538ada 
#set -vx
Kai Engert d538ada
Kai Engert 9ac574b 
# At this time, while this script is trivial, we ignore any parameters given.
Kai Engert 9ac574b 
# However, for backwards compatibility reasons, future versions of this script must
Kai Engert 9ac574b 
# support the syntax "update-ca-trust extract" trigger the generation of output
Kai Engert 9ac574b 
# files in $DEST.
Kai Engert 9ac574b
Kai Engert d538ada 
DEST=/etc/pki/ca-trust/extracted
Kai Engert d538ada
Kai Engert 7a69d0d 
# Prevent p11-kit from reading user configuration files.
Kai Engert 7a69d0d 
export P11_KIT_NO_USER_CONFIG=1
Kai Engert 7a69d0d
Kai Engert d538ada 
# OpenSSL PEM bundle that includes trust flags
Kai Engert d538ada 
# (BEGIN TRUSTED CERTIFICATE)
Kai Engert f0b0be2 
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
Kai Engert f0b0be2 
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
Kai Engert f0b0be2 
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
Kai Engert f0b0be2 
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
Kai Engert d538ada 
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
6220683 
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
1c8b67f 
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
1c8b67f 
# by GnuTLS)
1c8b67f 
/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
1c8b67f 
# Debian compatibility: their /etc/ssl/certs has this bundle
1c8b67f 
/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
1c8b67f 
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
1c8b67f 
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
1c8b67f 
/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
1c8b67f
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.