Feature changed by: Ludwig Nussel (lnussel)
Feature #314991, revision 8
Title: system ca certificates based on p11-kit

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as the primary tool for ca-certificate management.

1. Define the directory where ca certificates are stored. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have everything in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. Make update-ca-certificates call p11-kit to generate the compat bundles.
3. Patch openssl, nss and gnutls to use p11-kit directly via its library instead of relying on generated directories.

More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

#2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
First round submitted to Factory. Next step would be to replace the mozilla-nss-certs package.

#3: Ludwig Nussel (lnussel) (2013-07-05 09:55:08)
- mozilla-nss-certs can now be replaced by p11-kit-nss-trust
- gnutls uses pkcs11 as trust store
- openssl no longer reads /etc/ssl/certs

+ #4: Ludwig Nussel (lnussel) (2013-08-07 10:57:48)
+ Done. gnutls had to switch back to using a directory though as it doesn't
+ honor the trust flags yet.

--
openSUSE Feature:
https://features.opensuse.org/314991
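The compat-bundle generation that step 2 of the description asks update-ca-certificates to perform, written out as an added shell example. This is not code from the feature page, from openSUSE's update-ca-certificates or from p11-kit; it assumes p11-kit's "trust" command-line tool is installed, uses the /var/lib/ca-certificates destination named in comment #1 (the subdirectory and file names under it are assumed), and extracts with --filter=ca-anchors --purpose=server-auth so that the flat files already reflect the trust flags that, per comment #4, gnutls could not yet honor on its own.

```shell
#!/bin/sh
# Added example, not part of the feature page or of openSUSE's own tooling.
# Regenerates the compat bundles from the p11-kit trust store (step 2 of the
# description). Assumes p11-kit's `trust` tool is installed.
set -eu

# Generated files belong in /var/lib/ca-certificates (comment #1); the
# names used below the destination are assumptions of this example.
DEST="${DEST:-/var/lib/ca-certificates}"

generate_compat_bundles() {
    dest="$1"
    mkdir -p "$dest"
    # PEM bundle for consumers that read a single CAfile.
    # --filter=ca-anchors leaves out blacklisted/distrusted entries and
    # --purpose=server-auth keeps only anchors whose trust flags allow TLS
    # server authentication, so a consumer that cannot read the flags
    # (comment #4: gnutls at the time) still gets the flagged view.
    trust extract --format=pem-bundle --filter=ca-anchors \
        --purpose=server-auth --overwrite "$dest/ca-bundle.pem"
    # OpenSSL hashed directory for consumers configured with a CApath.
    trust extract --format=openssl-directory --filter=ca-anchors \
        --purpose=server-auth --overwrite "$dest/openssl"
    # Java keystore for JVM-based consumers.
    trust extract --format=java-cacerts --filter=ca-anchors \
        --purpose=server-auth --overwrite "$dest/java-cacerts"
}

# Count PEM certificates in a bundle; a post-extraction sanity check.
# grep -c prints 0 but exits 1 on no match, hence the `|| true`.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Check that a leaf certificate chains to the generated bundle, i.e. that an
# OpenSSL consumer pointed at the compat bundle reaches the same trust
# decision as a p11-kit-aware one. Arguments: bundle, certificate file.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    generate_compat_bundles "$DEST"
    n=$(count_certs "$DEST/ca-bundle.pem")
    [ "$n" -gt 0 ] || { echo "no anchors extracted into $DEST" >&2; exit 1; }
    echo "extracted $n server-auth anchors into $DEST"
}

# Only regenerate when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with "--run" (or with DEST pointing at a scratch directory) after adding or removing anchors in the p11-kit source directories. The purpose filter is the part that matters for a consumer that does not honor trust flags: without it, an anchor flagged for e-mail or code signing only would appear in the flat bundle as a general-purpose TLS root.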