Feature changed by: Stefan Behlert (sbehlert)
Feature #315592, revision 11

- Title: retire /etc/ssl/certs as r/w for admins
+ Title: [RN] retire /etc/ssl/certs as r/w for admins

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there.
Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount.

+ Documentation Impact:
+ RN

Discussion:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
as we imported this change from openSUSE Factory, we should appropriately document it with release notes.

Release Notes:
Change of default locations for root certificates

Challenge: So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca-bundle.pem was used for the root certificates. Usage of this directory was not always consistent and well defined and also missed things.

Solution: A new location is now used to store trusted certificates,
/usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates
/usr/share/pki/trust/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates

A helper tool called "update-ca-certificates" is used to distribute changes from this directory to common locations,
/var/lib/ca-certificates/pem
/var/lib/ca-certificates/openssl
/var/lib/ca-certificates/java-cacerts
/var/lib/ca-certificates/ca-bundle.pem

/etc/ssl/certs now links to /var/lib/ca-certificates/pem

Put your local changed CA certificates into /etc/pki/trust/anchors/ and run the update-ca-certificates tool to make them known.
-- openSUSE Feature: https://features.opensuse.org/315592
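
An audit an administrator might run before relying on the new layout, as an added example that is not part of the original feature record: it lists entries in a legacy certificate directory that do not come from the update-ca-certificates output tree, so they can be moved to /etc/pki/trust/anchors/. The function name, output labels and `--run` switch are assumptions of this example; `readlink -f` (GNU coreutils) is required.

```shell
#!/bin/sh
# Added example, not from the feature record. Names are hypothetical.
#
# find_unmanaged_certs LEGACY_DIR MANAGED_ROOT
# Prints "<kind> <path>" for every entry in LEGACY_DIR that is not a symlink
# into MANAGED_ROOT (the tree written by update-ca-certificates).
find_unmanaged_certs() {
    legacy=$1
    managed=$(readlink -f "$2") || return 2
    [ -d "$legacy" ] || return 2

    # After the change the directory itself links into the managed tree,
    # so nothing in it can be a local drop-in.
    case "$(readlink -f "$legacy")/" in
        "$managed"/*) return 0 ;;
    esac

    for entry in "$legacy"/*; do
        # Skip the unexpanded glob of an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            if [ ! -e "$entry" ]; then
                echo "dangling $entry"          # link target no longer exists
                continue
            fi
            case "$(readlink -f "$entry")" in
                "$managed"/*) ;;                # installed by the tool
                *) echo "foreign-link $entry" ;; # admin-made link elsewhere
            esac
        elif [ -f "$entry" ]; then
            echo "local-file $entry"            # certificate copied in by hand
        fi
    done
}

# Defaults are the paths named in the release notes.
if [ "${1:-}" = "--run" ]; then
    find_unmanaged_certs "${2:-/etc/ssl/certs}" "${3:-/var/lib/ca-certificates}"
fi
```

Each reported file belongs in /etc/pki/trust/anchors/, followed by a run of update-ca-certificates as the release notes describe.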