diff --git a/README.etc b/README.etc index 9271dfe..2d9971c 100644 --- a/README.etc +++ b/README.etc @@ -1,5 +1,4 @@ This directory /etc/pki/ca-trust is used by a system of consolidated CA certificates. -Please refer to the separate README files in the subdirectories -named "source" and "extracted". +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.extr b/README.extr index e4acc71..06905ba 100644 --- a/README.extr +++ b/README.extr @@ -9,10 +9,4 @@ Please never manually edit the files stored in this directory, because your changes will be lost and the files automatically overwritten, each time the update-ca-trust command gets executed. -In order to install new trusted or distrusted certificates, -please rather install them in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Please refer to the README files in those directories to learn -how to install new files. +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.java b/README.java index 4cef5a2..457b00c 100644 --- a/README.java +++ b/README.java @@ -6,12 +6,6 @@ directories. All files are in the java keystore file format. -Distrust information cannot be represented in this file format, -and distrusted certificates are missing from these files. - -File cacerts contains CA certificates -trusted for TLS server authentication. - If your application isn't able to load the PKCS#11 module p11-kit-trust.so, then you can use these files in your application to load a list of global root CA certificates. 
@@ -20,10 +14,4 @@ Please never manually edit the files stored in this directory, because your changes will be lost and the files automatically overwritten, each time the update-ca-trust command gets executed. -In order to install new trusted or distrusted certificates, -please rather install them in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Please refer to the README files in those directories to learn -how to install new files. +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.openssl b/README.openssl index 83cfaa6..7c368a9 100644 --- a/README.openssl +++ b/README.openssl @@ -7,9 +7,6 @@ directories. All files are in the BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page. -File /ca-bundle.trust.crt contains the full set of all trusted -or distrusted certificates, including the associated trust flags. - If your application isn't able to load the PKCS#11 module p11-kit-trust.so, then you can use these files in your application to load a list of global root CA certificates. @@ -18,10 +15,4 @@ Please never manually edit the files stored in this directory, because your changes will be lost and the files automatically overwritten, each time the update-ca-trust command gets executed. -In order to install new trusted or distrusted certificates, -please rather install them in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Please refer to the README files in those directories to learn -how to install new files. +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.pem b/README.pem index abc18d2..4d6f2dd 100644 --- a/README.pem +++ b/README.pem 
@@ -10,15 +10,6 @@ as decribed in the x509(1) manual page. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files. -File tls-ca-bundle.pem contains CA certificates -trusted for TLS server authentication. - -File email-ca-bundle.pem contains CA certificates -trusted for E-Mail protection. - -File objsign-ca-bundle.pem contains CA certificates -trusted for code signing. - If your application isn't able to load the PKCS#11 module p11-kit-trust.so, then you can use these files in your application to load a list of global root CA certificates. @@ -27,10 +18,4 @@ Please never manually edit the files stored in this directory, because your changes will be lost and the files automatically overwritten, each time the update-ca-trust command gets executed. -In order to install new trusted or distrusted certificates, -please rather install them in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Please refer to the README files in those directories to learn -how to install new files. +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.src b/README.src index aadb88a..fe42b44 100644 --- a/README.src +++ b/README.src 
@@ -17,66 +17,4 @@ QUICK HELP: To add a certificate in the simple PEM or DER file formats to the then place it into the main source/ directory instead. ============================================================================= -Description of the source directory and its subdirectories: ------------------------------------------------------------ -In order to offer simplicity and flexibility, the way certificate files -are treated depend on the subdirectory they are installed to. - - trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/ - extended format directory : /etc/pki/ca-trust/source/ - blacklist subdirectory : /etc/pki/ca-trust/source/blacklist/ - -In the main directory /etc/pki/ca-trust/source/ -you may install one or multiple files in the following file formats: -- certificate files that include trust flags, - in the BEGIN/END TRUSTED CERTIFICATE file format - (any file name), which have been created using the openssl x509 tool - and the -addreject -addtrust options. - Bundle files with multiple certificates are supported. -- files in the p11-kit file format using the .p11-kit file - extension, which can (e.g.) be used to distrust certificates - based on serial number and issuer name, without having the - full certificate available. - (This is currently an undocumented format, to be extended later. - For an example of a distrusted certificate, see the files - shipped with the ca-certificates package.) -- certificate files without trust flags in either the DER file format or in - the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files - will be added with neutral trust, neither trusted nor distrusted. - They will simply be known to the system, which might be helpful to - assist cryptographic software in constructing chains of certificates. - (If you want a CA certificate in these file formats to be trusted, you - should remove it from this directory and copy it to the - ./anchors subdirectory instead.) 
- -In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/ -you may install one or multiple certificates in either the DER file -format or in the PEM (BEGIN/END CERTIFICATE) file format. -Each certificate will be treated as *trusted* for all purposes. - -In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/ -you may install one or multiple certificates in either the DER file -format or in the PEM (BEGIN/END CERTIFICATE) file format. -Each certificate will be treated as *distrusted* for all purposes. - -Please refer to the x509(1) manual page for the documentation of the - BEGIN/END CERTIFICATE -and - BEGIN/END TRUSTED CERTIFICATE -file formats. - - -Purpose: --------- -Applications that are able to use PKCS#11 modules can load the -p11-kit-trust.so module and will benefit from the dynamically merged -set of certificates and trust information stored in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Applications that rely on a static file for a list of trusted CAs -may load one of the files found in the /etc/pki/ca-trust/extracted -directory. After modifying any file stored in the -/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ -directories, it is required to run the update-ca-trust command, -in order to update the merged files in /etc/pki/ca-trust/extracted/ . +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/README.usr b/README.usr index 6ba852f..7a9a4ed 100644 --- a/README.usr +++ b/README.usr 
@@ -17,66 +17,4 @@ QUICK HELP: To add a certificate in the simple PEM or DER file formats to the then place it into the main source/ directory instead. ============================================================================= -Description of the source directory and its subdirectories: ------------------------------------------------------------ -In order to offer simplicity and flexibility, the way certificate files -are treated depend on the subdirectory they are installed to. - - trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/ - extended format directory : /usr/share/pki/ca-trust-source/ - blacklist subdirectory : /usr/share/pki/ca-trust-source/blacklist/ - -In the main directory /usr/share/pki/ca-trust-source/ -you may install one or multiple files in the following file formats: -- certificate files that include trust flags, - in the BEGIN/END TRUSTED CERTIFICATE file format - (any file name), which have been created using the openssl x509 tool - and the -addreject -addtrust options. - Bundle files with multiple certificates are supported. -- files in the p11-kit file format using the .p11-kit file - extension, which can (e.g.) be used to distrust certificates - based on serial number and issuer name, without having the - full certificate available. - (This is currently an undocumented format, to be extended later. - For an example of a distrusted certificate, see the files - shipped with the ca-certificates package.) -- certificate files without trust flags in either the DER file format or in - the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files - will be added with neutral trust, neither trusted nor distrusted. - They will simply be known to the system, which might be helpful to - assist cryptographic software in constructing chains of certificates. - (If you want a CA certificate in these file formats to be trusted, you - should remove it from this directory and copy it to the - ./anchors subdirectory instead.) 
- -In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ -you may install one or multiple certificates in either the DER file -format or in the PEM (BEGIN/END CERTIFICATE) file format. -Each certificate will be treated as *trusted* for all purposes. - -In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/ -you may install one or multiple certificates in either the DER file -format or in the PEM (BEGIN/END CERTIFICATE) file format. -Each certificate will be treated as *distrusted* for all purposes. - -Please refer to the x509(1) manual page for the documentation of the - BEGIN/END CERTIFICATE -and - BEGIN/END TRUSTED CERTIFICATE -file formats. - - -Purpose: --------- -Applications that are able to use PKCS#11 modules can load the -p11-kit-trust.so module and will benefit from the dynamically merged -set of certificates and trust information stored in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -Applications that rely on a static file for a list of trusted CAs -may load one of the files found in the /etc/pki/ca-trust/extracted -directory. After modifying any file stored in the -/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ -directories, it is required to run the update-ca-trust command, -in order to update the merged files in /etc/pki/ca-trust/extracted/ . +Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/ca-certificates.spec b/ca-certificates.spec index 5c25cf7..9771611 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -27,7 +27,7 @@ Name: ca-certificates # because all future versions will start with 2013 or larger.) Version: 2012.87 -Release: 10.2%{?dist} +Release: 10.3%{?dist} License: Public Domain Group: System Environment/Base 
@@ -39,6 +39,7 @@ Source1: nssckbi.h Source2: update-ca-trust Source3: trust-fixes Source4: certdata2pem.py +Source10: update-ca-trust.8.txt Source11: README.usr Source12: README.etc Source13: README.extr @@ -55,6 +56,8 @@ BuildRequires: perl BuildRequires: java-openjdk BuildRequires: python BuildRequires: openssl +BuildRequires: asciidoc +BuildRequires: libxslt %description This package contains the set of CA certificates chosen by the @@ -92,6 +95,7 @@ EOF echo "processing $f" tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f` + alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'` targs="" if [ -n "$tbits" ]; then for t in $tbits; do @@ -105,10 +109,10 @@ EOF fi if [ -n "$targs" ]; then echo "trust flags $targs for $f" >> info.trust - openssl x509 -text -in "$f" -trustout $targs >> %{trusted_all_bundle} + openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{trusted_all_bundle} else echo "no trust flags for $f" >> info.notrust - openssl x509 -text -in "$f" >> %{neutral_bundle} + openssl x509 -text -in "$f" -setalias "$alias" >> %{neutral_bundle} fi done for p in certs/*.p11-kit; do @@ -118,6 +122,11 @@ EOF cat %{SOURCE3} >> %{bundle_supplement} popd +#manpage +cp %{SOURCE10} %{name}/update-ca-trust.8.txt +asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt +xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml + %install rm -rf $RPM_BUILD_ROOT 
@@ -135,7 +144,9 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} +mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 +install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8 install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README @@ -244,6 +255,7 @@ fi %dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/blacklist +%{_mandir}/man8/update-ca-trust.8.gz %{_datadir}/pki/ca-trust-source/README %{catrustdir}/README %{catrustdir}/extracted/README @@ -274,6 +286,11 @@ fi %changelog +* Mon Jul 08 2013 Kai Engert - 2012.87-10.3 +- added a manual page and related build requirements +- simplify the README files now that we have a manual page +- set a certificate alias in trusted bundle (thanks to Ludwig Nussel) + * Mon May 27 2013 Kai Engert - 2012.87-10.2 - use correct command in README files, rhbz#961809 diff --git a/certdata2pem.py b/certdata2pem.py index 230298f..175de1a 100644 --- a/certdata2pem.py +++ b/certdata2pem.py @@ -170,6 +170,7 @@ for tobj in objects: f = open(fname, 'w') if obj != None: + f.write("# alias=%s\n"%tobj['CKA_LABEL']) f.write("# trust=" + " ".join(trustbits) + "\n") f.write("# distrust=" + " ".join(distrustbits) + "\n") if openssl_trustflags: diff --git a/update-ca-trust b/update-ca-trust index 410c138..a5518d1 100644 --- a/update-ca-trust +++ b/update-ca-trust 
@@ -2,6 +2,11 @@ #set -vx +# At this time, while this script is trivial, we ignore any parameters given. +# However, for backwards compatibility reasons, future versions of this script must +# support the syntax "update-ca-trust extract" trigger the generation of output +# files in $DEST. + DEST=/etc/pki/ca-trust/extracted # OpenSSL PEM bundle that includes trust flags diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt new file mode 100644 index 0000000..32555fa --- /dev/null +++ b/update-ca-trust.8.txt 
@@ -0,0 +1,247 @@ +//// +Copyright (C) 2013 Red Hat, Inc. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. +//// + + +update-ca-trust(8) +================== +:doctype: manpage +:man source: update-ca-trust + + +NAME +---- +update-ca-trust - manage consolidated and dynamic configuration of CA +certificates and associated trust + + +SYNOPSIS +-------- +*update-ca-trust* ['COMMAND'] + + +DESCRIPTION +----------- +update-ca-trust(8) is used to manage a consolidated and dynamic configuration +feature of CA certificates and associated trust. + +The feature is available for any new applications that read the +consolidated configuration files found in the /etc/pki/ca-trust/extracted directory +or that load the PKCS#11 module p11-kit-trust.so + +Parts of the new feature are also provided in a way to make it useful +by legacy applications. + +Many legacy applications expect CA certificates and trust configuration +in a fixed location, contained in files with particular path and name, +or by referring to a specific legacy PKCS#11 trust module provided by the +NSS cryptographic library. + +In order to enable legacy applications, that read the legacy files or +legacy module, to make use of the new consolidated and dynamic configuration +feature, the legacy filenames have been changed to symbolic links. +The symbolic links refer to dynamically created and consolidated +output stored below the /etc/pki/ca-trust/extracted directory hierarchy. 
+ +The output is produced using the 'update-ca-trust' command (without parameters), +or using the 'update-ca-trust extract' command. +In order to produce the output, a flexible set of source configuration +is read, as described in section <>. + +In addition, the static legacy PKCS#11 module +is replaced by a new PKCS#11 module (p11-kit-trust.so) that dynamically +reads the same source configuration. + + +[[sourceconf]] +SOURCE CONFIGURATION +-------------------- +The dynamic configuration feature uses several source directories that +will be scanned for any number of source files. *It is important to select +the correct subdirectory for adding files, as the subdirectory defines how +contained certificates will be trusted or distrusted, and which file formats are read.* + +Files in *subdirectories below the directory hierarchy /usr/share/pki/ca-trust-source/* contain CA certificates and +trust settings in the PEM file format. The trust settings found here will be +interpreted with a *low priority*. + +Files in *subdirectories below the directory hierarchy /etc/pki/ca-trust/source/* contain CA certificates and +trust settings in the PEM file format. The trust settings found here will be +interpreted with a *high priority*. + +.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy: +* If you are manually adding a configuration file to a system, you probably +want it to override any other default configuration, and you most likely should +add it to the respective subdirectory in the /etc hierarchy. +* If you are creating a package that provides additional root CA certificates, +that is intended for distribution to several computer systems, but you still +want to allow the administrator to override your list, then your package should +add your files to the respective subdirectory in the /usr hierarchy. 
+* If you are creating a package that is supposed to override the default system +trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective +subdirectory in the /etc hierarchy. + +.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system: +* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ +* run 'update-ca-trust extract' + +.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: +* add it as a new file to directory /etc/pki/ca-trust/source/ +* run 'update-ca-trust extract' + +.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. +* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ +* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ + +.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: +* certificate files that include trust flags, + in the BEGIN/END TRUSTED CERTIFICATE file format + (any file name), which have been created using the openssl x509 tool + and the -addreject -addtrust options. + Bundle files with multiple certificates are supported. +* files in the p11-kit file format using the .p11-kit file name + extension, which can (e.g.) be used to distrust certificates + based on serial number and issuer name, without having the + full certificate available. + (This is currently an undocumented format, to be extended later. 
+ For examples of the supported formats, see the files + shipped with the ca-certificates package.) +* certificate files without trust flags in either the DER file format or in + the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files + will be added with neutral trust, neither trusted nor distrusted. + They will simply be known to the system, which might be helpful to + assist cryptographic software in constructing chains of certificates. + (If you want a CA certificate in these file formats to be trusted, you + should remove it from this directory and move it to the + ./anchors subdirectory instead.) + +In the anchors subdirectories /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ +you may install one or multiple certificates in either the DER file +format or in the PEM (BEGIN/END CERTIFICATE) file format. +Each certificate will be treated as *trusted* for all purposes. + +In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +you may install one or multiple certificates in either the DER file +format or in the PEM (BEGIN/END CERTIFICATE) file format. +Each certificate will be treated as *distrusted* for all purposes. + +Please refer to the x509(1) manual page for the documentation of the +BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats. + +Applications that rely on a static file for a list of trusted CAs +may load one of the files found in the /etc/pki/ca-trust/extracted +directory. After modifying any file in the +/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ +directories or in any of their subdirectories, or after adding a file, +it is necessary to run the 'update-ca-trust extract' command, +in order to update the consolidated files in /etc/pki/ca-trust/extracted/ . + +Legacy applications that rely on legacy filenames benefit from configuration +updates only if this dynamic configuration feature is in the enabled state. 
+ +Applications that use the legacy PKCS#11 module libnssckbi.so with the +configuration feature in the enabled state, and any application capable of +loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from +the dynamically merged set of certificates and trust information stored in the +/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ directories. + + +[[extractconf]] +EXTRACTED CONFIGURATION +----------------------- +The directory /etc/pki/ca-trust/extracted/ contains generated CA certificate +bundle files which are created and updated, based on the <> +by running the 'update-ca-trust extract' command. + +If your application isn't able to load the PKCS#11 module p11-kit-trust.so, +then you can use these files in your application to load a list of global +root CA certificates. + +Please never manually edit the files stored in this directory, +because your changes will be lost and the files automatically overwritten, +each time the 'update-ca-trust extract' command gets executed. + +In order to install new trusted or distrusted certificates, +please rather install them in the respective subdirectory below the +/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ +directories, as described in the <> section. + +The directory /etc/pki/ca-trust/extracted/java/ contains +a CA certificate bundle in the java keystore file format. +Distrust information cannot be represented in this file format, +and distrusted certificates are missing from these files. +File cacerts contains CA certificates trusted for TLS server authentication. + +The directory /etc/pki/ca-trust/extracted/openssl/ contains +CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, +as described in the x509(1) manual page. +File ca-bundle.trust.crt contains the full set of all trusted +or distrusted certificates, including the associated trust flags. 
+ +The directory /etc/pki/ca-trust/extracted/pem/ contains +CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, +as decribed in the x509(1) manual page. +Distrust information cannot be represented in this file format, +and distrusted certificates are missing from these files. +File tls-ca-bundle.pem contains CA certificates +trusted for TLS server authentication. +File email-ca-bundle.pem contains CA certificates +trusted for E-Mail protection. +File objsign-ca-bundle.pem contains CA certificates +trusted for code signing. + + +COMMANDS +-------- +(absent/empty command):: + Same as the *extract* command described below. (However, the command may + print fewer warnings, as this command is being run during rpm package + installation, where non-fatal status output is undesired.) + +*extract*:: + Instruct update-ca-trust to scan the <> and produce + updated versions of the consolidated configuration files stored below + the /etc/pki/ca-trust/extracted directory hierarchy. + +FILES +----- +/etc/pki/tls/certs/ca-bundle.crt:: + Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + If legacy support is disabled, this is a static file and will remain unchanged. + Only if the legacy support is enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/pki/tls/certs/ca-bundle.trust.crt:: + Legacy filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + If legacy support is disabled, this is a static file and will remain unchanged. + Only if the legacy support is enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. 
+ +/etc/pki/java/cacerts:: + Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + If legacy support is disabled, this is a static file and will remain unchanged. + Only if the legacy support is enabled, this file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/usr/share/pki/ca-trust-source:: + Contains multiple, low priority source configuration files as explained in section <>. Please pay attention to the specific meanings of the respective subdirectories. + +/etc/pki/ca-trust/source:: + Contains multiple, high priority source configuration files as explained in section <>. Please pay attention to the specific meanings of the respective subdirectories. + +/etc/pki/ca-trust/extracted:: + Contains consolidated and automatically generated configuration files for consumption by applications, + which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. + See section <> for additional details. + +AUTHOR +------ +Written by Kai Engert and Stef Walter.
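Review bot: the retained context line in the README.pem hunk at `@@ -10,15 +10,6 @@`, "as decribed in the x509(1) manual page", carries a typo ("described") that this change then copies verbatim into the new update-ca-trust.8.txt; since the README is being edited anyway, fix the word here so the man page does not inherit it.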
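Review bot: the alias extraction added to ca-certificates.spec at `@@ -92,6 +95,7 @@` is fragile: `s/^.*=//` is greedy, so a CKA_LABEL that itself contains an `=` is cut down to whatever follows its last `=`, and the two trailing `sed "s/'//g" | sed 's/"//g'` calls delete every quote character inside the label rather than only the surrounding quotes that certdata2pem.py evidently emits. Anchor the substitution on the known prefix, e.g. `sed -n '/^# alias=/{s/^# alias=//;p;q;}' $f`, and do the quote stripping once where the label is produced rather than with blanket character deletion in the spec.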
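Review bot: the `-setalias "$alias"` added to the neutral-bundle branch in the ca-certificates.spec hunk at `@@ -105,10 +109,10 @@` changes that file's format, not just its content: x509(1) documents that a trusted certificate is output automatically whenever any trust setting is modified, and setting an alias counts, so `openssl x509 -text -in "$f" -setalias "$alias" >> %{neutral_bundle}` now writes BEGIN/END TRUSTED CERTIFICATE blocks (alias present, trust and reject lists empty) where the old line wrote plain BEGIN/END CERTIFICATE blocks. The README.src/README.usr text in this same patch, and the new man page, still describe neutral certificates as the plain format. Either drop `-setalias` from the neutral branch, or confirm that p11-kit-trust.so treats a trusted-certificate block with no trust and no reject OIDs as neutral and update the documentation to match. In both branches, also skip `-setalias` when `$alias` is empty, since a source file without a `# alias=` line currently gets `-setalias ""`.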
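Review bot: the man page build added to ca-certificates.spec at `@@ -118,6 +122,11 @@` depends on more than the two new BuildRequires: `/usr/share/asciidoc/docbook-xsl/manpage.xsl` is a hard-coded path into the asciidoc package, and that stylesheet imports the DocBook XSL manpages stylesheet, which `xsltproc --nonet` can only resolve through the local XML catalog. `--nonet` is the right choice (a package build must never fetch stylesheets from the network), but it means the build fails outright if the DocBook XSL package is not pulled in by `asciidoc` or `libxslt`; add that BuildRequires explicitly rather than relying on transitive dependencies. The `-v` on `asciidoc.py` only adds build-log noise and can go.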
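Review bot: the `%files` entry added in the ca-certificates.spec hunk at `@@ -244,6 +255,7 @@`, `%{_mandir}/man8/update-ca-trust.8.gz`, hard-codes the compression that brp-compress applies after `%install` copies the uncompressed `update-ca-trust.8`; the usual spelling `%{_mandir}/man8/update-ca-trust.8*` keeps the file list correct if the compression scheme changes.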
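Review bot: the new line in the certdata2pem.py hunk at `@@ -170,6 +170,7 @@`, `f.write("# alias=%s\n"%tobj['CKA_LABEL'])`, writes the label exactly as parsed from certdata.txt, apparently including its surrounding quotes, and leaves normalisation to shell pipelines in the spec. This script is the single producer of the `# alias=` line, so strip the quotes and reject or escape any embedded newline here; a label that spans lines would otherwise break the `# trust=` / `# distrust=` parsing that follows in the same header.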
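Review bot: the comment added to update-ca-trust at `@@ -2,6 +2,11 @@` states that the script ignores all parameters, which means `update-ca-trust extrct` or any other mistyped argument silently regenerates the extracted bundles instead of failing; now that the man page documents `extract` as the only command, validate `$1` (accept empty or `extract`, print usage and exit non-zero otherwise) so the documented interface and the script agree. The comment also reads "must support the syntax "update-ca-trust extract" trigger the generation", missing "to" before "trigger".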
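Review bot: the new update-ca-trust.8.txt (hunk `@@ -0,0 +1,247 @@`) repeatedly conditions behaviour on legacy support being "in the enabled state" (the paragraph "Legacy applications that rely on legacy filenames benefit from configuration updates only if this dynamic configuration feature is in the enabled state" and every entry under FILES) without ever saying how an administrator enables, disables or inspects that state; add a paragraph or a reference, otherwise the FILES section is unactionable. Three smaller points in the same file: the section cross-references appear here as empty `<>` in "as described in section <>" and "based on the <>", and should name the `[[sourceconf]]` and `[[extractconf]]` anchors defined below them; the SOURCE CONFIGURATION section assigns the /usr hierarchy low and the /etc hierarchy high priority and says anchors are "trusted for all purposes" while blacklist entries are "distrusted for all purposes", but never states the result when the same certificate appears in both a /usr anchors directory and an /etc blacklist directory, which is exactly the case an administrator distrusting a vendor-shipped CA needs to rely on; and "as decribed in the x509(1) manual page" in the extracted/pem paragraph carries the typo copied from README.pem.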