Feature changed by: Stefan Knorr (stfnknorr)
Feature #315592, revision 21
Title: [RN] retire /etc/ssl/certs as r/w for admins

openSUSE Distribution: Done
Priority
Requester: Desirable

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there.
Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount.

Discussion:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
as we imported this change from openSUSE Factory, we should appropriately document it with release notes.

Release Notes:
Change of Default Locations for Root Certificates

Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator provided files. Package updates would therefore either not actually update the certificate store or overwrite administrator changes.

Solution: A new location is now used to store trusted certificates:
  * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the
  root CA certificates
- * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for
+ * /usr/share/pki/trust/blacklist/ and /etc/pki/trust/blacklist/ for
  blacklisted certificates

A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, gnutls, and openjdk.

/etc/ssl/certs links to an implementation-specific location managed by p11-kit. It must not be used by the administrator anymore.
Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool to propagate the certificates to the various certificate stores.

--
openSUSE Feature:
https://features.opensuse.org/315592
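
The procedure from the release note above, as an added shell example that is not part of the original notification or of openSUSE's own tooling. The function names and the ANCHOR_DIR and RUN_UPDATE variables are assumptions made for illustration; only the anchor directory and the update-ca-certificates command come from the release note.

```shell
#!/bin/sh
# Added example, not part of the openSUSE release note.
# ANCHOR_DIR defaults to the administrator directory named in the release
# note. The override and RUN_UPDATE are assumptions made so the function can
# be exercised against a scratch directory.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/trust/anchors}"
RUN_UPDATE="${RUN_UPDATE:-1}"

# is_pem_cert FILE: succeeds if FILE holds a PEM certificate block.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -e '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# install_local_ca FILE
# Returns 0 on success (also when the identical anchor is already present),
# 2 if FILE is not a PEM certificate, 3 if a different file with the same
# name is already an anchor, 4 if the copy or the store refresh failed.
install_local_ca() {
    src=$1
    dest="$ANCHOR_DIR/$(basename "$src")"
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 2; }
    if [ -e "$dest" ]; then
        # Never silently replace an existing trust anchor.
        cmp -s "$src" "$dest" || { echo "different anchor at $dest" >&2; return 3; }
    else
        mkdir -p "$ANCHOR_DIR" || return 4
        cp "$src" "$dest" || return 4
        chmod 0644 "$dest" || return 4
    fi
    [ "$RUN_UPDATE" = 1 ] || return 0
    # Propagate the anchors to the openssl, gnutls and openjdk stores.
    update-ca-certificates || return 4
}
```

Run as root with the function loaded, for example `install_local_ca ./local-ca.pem`; nothing is ever written to /etc/ssl/certs.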