diff --git a/ca-certificates.spec b/ca-certificates.spec index 43ab935..10f2060 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -27,7 +27,7 @@ Name: ca-certificates # because all future versions will start with 2013 or larger.) Version: 2013.1.94 -Release: 16%{?dist} +Release: 17%{?dist} License: Public Domain Group: System Environment/Base @@ -286,6 +286,9 @@ fi %changelog +* Tue Sep 03 2013 Kai Engert - 2013.1.94-17 +- merge manual improvement from f19 + * Sat Aug 03 2013 Fedora Release Engineering - 2013.1.94-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt index 24ca456..3a21f87 100644 --- a/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt 
@@ -33,23 +33,26 @@ SYNOPSIS DESCRIPTION ----------- update-ca-trust(8) is used to manage a consolidated and dynamic configuration -feature of CA certificates and associated trust. +feature of Certificate Authority (CA) certificates and associated trust. -The feature is available for any new applications that read the +The feature is available for new applications that read the consolidated configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module p11-kit-trust.so Parts of the new feature are also provided in a way to make it useful -by legacy applications. +for legacy applications. Many legacy applications expect CA certificates and trust configuration in a fixed location, contained in files with particular path and name, -or by referring to a specific legacy PKCS#11 trust module provided by the +or by referring to a classic PKCS#11 trust module provided by the NSS cryptographic library. -In order to enable legacy applications, that read the legacy files or -legacy module, to make use of the new consolidated and dynamic configuration -feature, the legacy filenames have been changed to symbolic links. +The dynamic configuration feature provides functionally compatible replacements +for classic configuration files and for the classic NSS trust module named libnssckbi. + +In order to enable legacy applications, that read the classic files or +access the classic module, to make use of the new consolidated and dynamic configuration +feature, the classic filenames have been changed to symbolic links. The symbolic links refer to dynamically created and consolidated output stored below the /etc/pki/ca-trust/extracted directory hierarchy. 
@@ -58,8 +61,8 @@ or using the 'update-ca-trust extract' command. In order to produce the output, a flexible set of source configuration is read, as described in section <>. -In addition, the static legacy PKCS#11 module -is replaced by a new PKCS#11 module (p11-kit-trust.so) that dynamically +In addition, the classic PKCS#11 module +is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically reads the same source configuration. @@ -147,7 +150,7 @@ directories or in any of their subdirectories, or after adding a file, it is necessary to run the 'update-ca-trust extract' command, in order to update the consolidated files in /etc/pki/ca-trust/extracted/ . -Applications that load the legacy PKCS#11 module using filename libnssckbi.so +Applications that load the classic PKCS#11 module using filename libnssckbi.so (which has been converted into a symbolic link pointing to the new module) and any application capable of loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from 
@@ -215,15 +218,15 @@ COMMANDS FILES ----- /etc/pki/tls/certs/ca-bundle.crt:: - Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. /etc/pki/tls/certs/ca-bundle.trust.crt:: - Legacy filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. /etc/pki/java/cacerts:: - Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. /usr/share/pki/ca-trust-source::
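Review bot: In ca-certificates.spec, the new %changelog entry for 2013.1.94-17 says only "merge manual improvement from f19", which does not tell a reader of the package changelog what changed. The other changes visible in this patch are all in update-ca-trust.8.txt, so suggest wording that names the man page and the change, for example that update-ca-trust(8) now uses "classic" instead of "legacy" for the replaced files and the NSS trust module, so that the Release bump from 16 to 17 is self-explanatory.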
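Review bot: In the DESCRIPTION hunk of update-ca-trust.8.txt (@@ -33,23 +33,26 @@), the added paragraph names the module "libnssckbi" while the hunk at @@ -147,7 +150,7 @@ refers to the filename "libnssckbi.so"; use one form, or state that libnssckbi.so is the filename of the module named libnssckbi. The same hunk introduces "classic" for the files and the module but keeps "legacy applications", without saying how the two terms differ, so a short definition at first use (classic meaning the fixed file locations and the NSS trust module that legacy applications expect) would stop them reading as synonyms. The rewritten sentence "In order to enable legacy applications, that read the classic files or access the classic module, to make use of" also sets off a restrictive clause with commas; dropping both commas reads more cleanly.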
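Review bot: At @@ -58,8 +61,8 @@, replacing "the static legacy PKCS#11 module" with "the classic PKCS#11 module" drops the word "static", which was the contrast with the new module that "dynamically reads the same source configuration". Without it the sentence no longer says why the replacement matters. Suggest keeping the adjective, for example "the static classic PKCS#11 module", and applying the same wording at @@ -147,7 +150,7 @@ so both mentions of the module agree.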
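Review bot: In the FILES hunk (@@ -215,15 +218,15 @@), the entries for /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/java/cacerts say "without distrust information" while the DESCRIPTION hunk now promises "functionally compatible replacements", and nothing connects the two for an administrator who relies on distrust entries. Suggest adding a sentence to those two entries saying that applications reading them do not see distrust flags, and pointing to ca-bundle.trust.crt, which "includes trust (and/or distrust) flags", and to p11-kit-trust.so. As a style point, since all three entries are being touched, "Classic filename, file contains a list of ..." is a comma splice; "Classic filename. The file contains a list of ..." reads better.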