06.05.2016 21:20, Yamaban wrote:
On Fri, 6 May 2016 20:02, Wolfgang Rosenauer wrote:
Hi,
Am 06.05.2016 um 18:38 schrieb Darin Perusich:
/etc/ssl/certs is deprecated and is now a softlink to /var/lib/ca-certificates/pem; updates will not clobber any files you place underneath it.
For testing I have now copied the intermediate certs I need for my cert into /etc/ssl/certs.
Also, after installing your certificates into either of the aforementioned locations you should run update-ca-certificates to create the openssl subject hash for your CA certificates.
After running update-ca-certificates the copied file was gone.
Therefore no, updates _will_ clobber any files I place in /etc/ssl/certs. So where to place them instead?
Urgs! (Circular Reasoning leads to nothing.)
NEW Location (dir): "/etc/pki/trust/anchors/"
INFO: "tail /usr/lib/ca-certificates/update.d/80etc_ssl.run" Found by reading "/usr/sbin/update-ca-certificates"
Oh, oh, this seems to have finally become completely confusing ... So some points.

1. update-ca-certificates is for management of CA certificates *ONLY*. It is *NOT* for managing your own server certificates.

2. /var/lib/ca-certificates/pem is maintained by update-ca-certificates and always contains a copy of the *CA* certificates known to p11-kit. Any extra content is removed from there. Placing a *server* certificate in this directory makes no sense.

3. If /etc/ssl/certs is not a link to /var/lib/ca-certificates/pem, update-ca-certs places links to the individual files in /var/lib/ca-certificates/pem in this directory. In this case extra content is not removed (unless it is a dangling link). Once again: this directory is for *CA* certificates *only*.

4. The source for /var/lib/ca-certificates/pem is indeed /usr/share/pkg or /etc/pki. Should I once more repeat that this is for CA certificates only?

5. Finally, /var/lib/ca-certificates/pem is not used by itself by anything; it exists only as the target for links in /etc/ssl/certs. And only applications that actually use the /etc/ssl/certs directory will be affected. Obligatory note - only CA certificates here ...

Now, when creating a self-signed certificate, this certificate actually serves as both CA and server. So you /may/ install this certificate in /etc/pki/anchors and run update-ca-certificates; but you *still* need to

a) configure your application to use one of the central locations (managed by update-ca-certificates) to look up CA certificates;
b) install the generated certificate (both private and public part) in a location accessible to your application as the server certificate.

For the latter no "standard" place really exists. It is completely up to you to manage them. If you use the YaST module for LDAP server configuration, it will add ACLs on the private part (i.e. the key), but you still must make sure that the path is accessible to the ldap user. It may be possible to use the common server certificate; YaST installs it into /etc/ssl/servercert.
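As an added illustration (not code from anyone in this thread, nor the openSUSE update-ca-certificates script or its update.d helpers), the script below imitates in a few lines what the hash-link step for /etc/ssl/certs conceptually does: it names each trust anchor by its OpenSSL subject hash, and it refuses anything that is not a CA certificate, which is exactly the CA-versus-server distinction drawn in the reply above. The function names (cert_kind, subject_hash, install_anchor, make_fixtures), the temporary directory layout and the certificate subjects are all assumptions constructed for the example; it needs the openssl command-line tool and writes only under a mktemp directory, never under /etc.

```shell
#!/bin/sh
# Assumed, simplified imitation of the subject-hash link step; NOT the
# openSUSE update-ca-certificates script. Requires the openssl CLI.

# Print "ca" if the PEM file carries basicConstraints CA:TRUE, otherwise
# "end-entity" (a server certificate has no business in the trust store).
cert_kind() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo end-entity
    fi
}

# Print the OpenSSL subject hash that names the link file (e.g. 3513523f.0).
subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# install_anchor CERT DESTDIR
# Refuse a non-CA certificate (return 1), otherwise create the link
# DESTDIR/<subject_hash>.0 -> CERT that OpenSSL-based applications look up.
install_anchor() {
    cert="$1"; dest="$2"
    if [ "$(cert_kind "$cert")" != ca ]; then
        echo "refusing $cert: not a CA certificate, it does not belong in the trust store" >&2
        return 1
    fi
    mkdir -p "$dest"
    ln -sf "$cert" "$dest/$(subject_hash "$cert").0"
}

# Constructed test material in DIR: a throwaway self-signed CA, and a server
# certificate signed by that CA (no basicConstraints, so not a CA).
make_fixtures() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" >/dev/null 2>&1
}

# Walk through both cases in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_fixtures "$work"
    install_anchor "$work/ca.pem" "$work/anchors" \
        && echo "installed CA as $(ls "$work/anchors")"
    install_anchor "$work/server.pem" "$work/anchors" \
        || echo "server certificate correctly refused"
    rm -rf "$work"
}

# Run with:  sh hashlinks.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

The check in cert_kind is the one a practitioner wants before copying anything into /etc/pki/trust/anchors: a self-signed certificate that is meant to act as both CA and server will show CA:TRUE and pass, while a leaf certificate issued by a CA will not, and then the only thing to put in the trust store is the issuing CA, with the leaf and its key kept wherever the application reads its server certificate.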