Feature changed by: Stefan Behlert (sbehlert)
Feature #315592, revision 11
- Title: retire /etc/ssl/certs as r/w for admins
+ Title: [RN] retire /etc/ssl/certs as r/w for admins
Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org
Since the introduction of update-ca-certificates in openSUSE 11.2
/etc/ssl/certs has been an automatically managed location for SSL
certificates. Administrators are no longer meant to put their own files
there but instead have update-ca-certificates install symlinks to the
actual files there.
Having scripts regularly mess with /etc is ugly. Therefore placing
individual symlinks in /etc/ssl/certs needs to be retired.
/etc/ssl/certs should point to a location in /var instead. This could
either be done with a symlink or with a bind mount.
+ Documentation Impact:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
as we imported this change from openSUSE Factory, we should
appropriately document it with release notes.
Release Notes: Change of default locations for root certificates
So far /etc/ssl/certs or even a shared bundle in
/etc/ssl/certs/ca-bundle.pem was used for the root certificates.
Usage of this directory was not always consistent and well defined and
also missed things.
A new location is now used to store trusted certificates,
/usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root
/usr/share/pki/trust/blacklist/ and /etc/pki/trust/blacklist/ for
A helper tool called "update-ca-certificates" is used to distribute
changes from this directory to common locations,
/var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca-
/etc/ssl/certs now links to /var/lib/ca-certificates/pem
Put your local changed CA certificates into /etc/pki/trust/anchors/ and
run the update-ca-certificates tool to make them known.
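
An added example, not part of the feature record or of update-ca-certificates: a shell check for the layout the release note describes. It reports whether /etc/ssl/certs is the symlink to /var/lib/ca-certificates/pem and lists regular files left in an old-style directory, which are the ones to move to /etc/pki/trust/anchors/. The function names and the optional root-prefix argument (for checking a chroot or image) are assumptions made for this example.

```shell
#!/bin/sh
# Audit the trust-store layout described in the release note.
# $1 (optional) is a root prefix, e.g. a mounted image; empty means "/".

# Prints one of:
#   managed        /etc/ssl/certs is a symlink to /var/lib/ca-certificates/pem
#   legacy-dir     /etc/ssl/certs is still a real directory
#   other:<target> /etc/ssl/certs is a symlink pointing somewhere else
#   missing        /etc/ssl/certs does not exist
certs_dir_state() {
    link=${1:-}/etc/ssl/certs
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        target=${target%/}
        case $target in
            /var/lib/ca-certificates/pem|../../var/lib/ca-certificates/pem)
                echo managed ;;
            *)
                echo "other:$target" ;;
        esac
    elif [ -d "$link" ]; then
        echo legacy-dir
    else
        echo missing
    fi
}

# In a legacy directory, update-ca-certificates only installed symlinks,
# so regular files are ones an administrator placed by hand. Print their
# names; these are the candidates to move to /etc/pki/trust/anchors/.
hand_placed_certs() {
    dir=${1:-}/etc/ssl/certs
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 0
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
    return 0
}

# Report for the root given on the command line (default: the running system).
echo "state: $(certs_dir_state "${1:-}")"
hand_placed_certs "${1:-}"
```

After moving a reported file to /etc/pki/trust/anchors/, run update-ca-certificates as the release note says.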