Feature changed by: Ludwig Nussel (lnussel) Feature #314991, revision 3 Title: system ca certificates based on p11-kit - openSUSE Distribution: Unconfirmed + openSUSE Distribution: Implementation Priority Requester: Important Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: openSUSE should use p11-kit as primary tool for ca-certificate management. 1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'ancors'. Fedora chose /usr/share/pki/ca-trust-source. 2. make update-ca-certificates call p11- kit to generate the compat bundles. 3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories. More info about the implementation in Fedora: https://fedoraproject.org/wiki/Features/SharedSystemCertificates https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks Discussion: #1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28) I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source for which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files /etc which I will not do. Generated file have to go to /var/lib/ca-certificates. -- openSUSE Feature: https://features.opensuse.org/314991