[Bug 918944] New: update-ca-certificates does not add a private CA certificate to system wide certificate store as documented
http://bugzilla.opensuse.org/show_bug.cgi?id=918944

Bug ID: 918944
Summary: update-ca-certificates does not add a private CA certificate to system wide certificate store as documented
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: x86-64
OS: openSUSE 13.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: bockhold@cmab.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Build Identifier:

Documentation under /usr/share/doc/packages/ca-certificates/README tells me to copy my private CA certificate to /etc/pki/trust and then run /usr/sbin/update-ca-certificates to add my certificate to the system wide certificate store. Even run with --verbose the script does not add the certificate to any store and does not show any signs of error or success. My CA obviously is not added as for example the LDAP-client cannot validate the server-side certificate signed by this CA.

Reproducible: Always

Steps to Reproduce:
1. create a CA, export the CA-certificate to your client
on the client:
2. cp mycacrt.pem /etc/pki/trust/mycacrt.pem
3. update-ca-certificates --verbose

Actual Results:
Output:
running /usr/lib/ca-certificates/update.d/50java.run ...
creating /var/lib/ca-certificates/java-cacerts ...
running /usr/lib/ca-certificates/update.d/70openssl.run ...
creating /var/lib/ca-certificates/openssl ...
running /usr/lib/ca-certificates/update.d/80etc_ssl.run ...
running /usr/lib/ca-certificates/update.d/99certbundle.run ...
creating /var/lib/ca-certificates/ca-bundle.pem ...

Expected Results:
Show that a new certificate is found. Add it to the system wide certificate store. Print a corresponding message to console as to inform user.

Problem is reproducible on any openSUSE client.
Debian client works like a charm with cp mycacert.pem /usr/local/share/ca-certificates/mycacert.pem && update-ca-certificates.

--
You are receiving this mail because:
You are on the CC list for the bug.
Martin Pluskal
Bernhard Wiedemann
Marcus Meissner
--- Comment #2 from Ludwig Nussel
The anchors subdirectory is for regular pem files, the directory one above for pem files in openssl's 'trusted' format.
Andreas Bockhold
--- Comment #4 from Ludwig Nussel
There's no difference:
# cp mycacrt.pem /etc/pki/trust/mycacrt.pem
# cp mycacrt.pem /etc/pki/trust/anchor/mycacrt.pem
                                      ^s
--- Comment #5 from Andreas Bockhold
--- Comment #6 from Ludwig Nussel
Ludwig Nussel
Ludwig Nussel
http://bugzilla.opensuse.org/show_bug.cgi?id=918944#c10
Uwe Geuder
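
Added example, not part of the bug thread or of the ca-certificates package: a shell check for the rule stated in comment #2, that regular PEM files belong in the anchors subdirectory and PEM files in openssl's 'trusted' format in the directory one above. It judges the format only by the PEM armor line; the function names and the use of /etc/pki/trust as default root are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread). Layout assumed from comment #2:
#   <root>/anchors/  regular PEM             ("BEGIN CERTIFICATE")
#   <root>/          OpenSSL trusted format  ("BEGIN TRUSTED CERTIFICATE")

# pem_kind FILE: print plain, trusted or unknown, judged by the PEM armor line.
pem_kind() {
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        echo trusted
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo plain
    else
        echo unknown
    fi
}

# check_placement FILE [ROOT]: report whether FILE sits in the directory that
# matches its format. Returns 0 if placed correctly, 1 if misplaced, 2 if unknown.
check_placement() {
    file=$1
    root=${2:-/etc/pki/trust}; root=${root%/}
    case $(pem_kind "$file") in
        plain)   want=$root/anchors ;;
        trusted) want=$root ;;
        *)       echo "UNKNOWN $file: no PEM certificate header"; return 2 ;;
    esac
    if [ "$(dirname "$file")" = "$want" ]; then
        echo "OK $file"
    else
        echo "MISPLACED $file: belongs in $want/"
        return 1
    fi
}

# Demo on a throwaway tree with constructed files (armor lines only, no real
# certificate data), covering trust/, trust/anchor/ and trust/anchors/.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/anchors" "$t/anchor"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        | tee "$t/mycacrt.pem" "$t/anchor/mycacrt.pem" > "$t/anchors/mycacrt.pem"
    for f in "$t/mycacrt.pem" "$t/anchor/mycacrt.pem" "$t/anchors/mycacrt.pem"; do
        check_placement "$f" "$t" || true
    done
    rm -rf "$t"
}
demo
```

Only the copy under anchors/ is reported OK; the copies in the root directory and in the misspelled anchor/ directory are reported as misplaced.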