Feature changed by: Karl Cheng (qantas94heavy)
Feature #315592, revision 20
Title: [RN] retire /etc/ssl/certs as r/w for admins
+ openSUSE Distribution: Done
+ Requester: Desirable
Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org
Since the introduction of update-ca-certificates in openSUSE 11.2
/etc/ssl/certs has been an automatically managed location for SSL
certificates. Administrators are no longer meant to put their own files
there but instead have update-ca-certificates install symlinks to the
actual files there.
Having scripts regularly mess with /etc is ugly. Therefore placing
individual symlinks in /etc/ssl/certs needs to be retired.
/etc/ssl/certs should point to a location in /var instead. This could
either be done with a symlink or with a bind mount.
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
As we imported this change from openSUSE Factory, we should
appropriately document it with release notes.
Release Notes: Change of Default Locations for Root Certificates
Using /etc/ssl/certs or even a single bundle file to store SSL root
certificates makes it impossible to separate package and administrator
provided files. Package updates would therefore either not actually
update the certificate store or overwrite administrator changes.
A new location is now used to store trusted certificates:
* /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the
root CA certificates
* /usr/share/pki/trust/blacklist/ and /etc/pki/trust/blacklist/ for
A helper tool called "update-ca-certificates" is used to propagate the
content of those directories to the certificate stores used by openssl,
gnutls, and openjdk.
/etc/ssl/certs links to an implementation-specific location managed by
p11-kit. It must not be used by the administrator anymore.
Administrators must put local CA certificates into
/etc/pki/trust/anchors/ instead and run the update-ca-certificates tool
to propagate the certificates to the various certificate stores.
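
A pre-migration check for the rule above, added here as an example and not taken from the feature request or the openSUSE tooling: it finds PEM certificates that were placed as regular files in the old directory and copies them to /etc/pki/trust/anchors/. It assumes such files are PEM-encoded; the function names and the LEGACY_DIR, ANCHOR_DIR and MIGRATE variables are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the feature request or release notes.
# Paths come from the release notes; MIGRATE is a hypothetical switch.
LEGACY_DIR="${LEGACY_DIR:-/etc/ssl/certs}"
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/trust/anchors}"

# True for a regular file (not a symlink) that holds a PEM certificate.
# Symlinks are the entries update-ca-certificates manages, so they are skipped.
is_local_cert() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# A directory that is itself a symlink is already the managed location.
is_legacy_dir() {
    [ -d "$1" ] && [ ! -L "$1" ]
}

# find_local_certs DIR: print each hand-placed certificate in DIR.
find_local_certs() {
    is_legacy_dir "$1" || return 0
    for f in "$1"/*; do
        if is_local_cert "$f"; then printf '%s\n' "$f"; fi
    done
}

# copy_to_anchors DIR ANCHORS: copy the findings, never overwriting an
# existing anchor, and print how many files were copied.
copy_to_anchors() {
    copied=0
    mkdir -p "$2"
    if is_legacy_dir "$1"; then
        for f in "$1"/*; do
            is_local_cert "$f" || continue
            dest="$2/$(basename "$f")"
            [ -e "$dest" ] && continue
            cp -p "$f" "$dest"
            copied=$((copied + 1))
        done
    fi
    echo "$copied"
}

# Nothing is changed unless MIGRATE=1; rebuilding the stores needs root.
if [ "${MIGRATE:-0}" = 1 ]; then
    copy_to_anchors "$LEGACY_DIR" "$ANCHOR_DIR"
    update-ca-certificates
fi
```

Pointing LEGACY_DIR at a backup of the old directory and calling find_local_certs first gives a dry-run listing before anything is copied.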