Feature changed by: Marcus Meissner (msmeissn)
Feature #315592, revision 10
Title: retire /etc/ssl/certs as r/w for admins

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount.

Discussion:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
as we imported this change from openSUSE Factory, we should appropriately document it with release notes.

+ Release Notes: Change of default locations for root certificates
+ Challenge:
+ So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca-
+ bundle.pem was used for the root certificates.
+ Usage of this directory was not always consistent and well defined and
+ also missed things.
+ Solution:
+ A new location is now used to store trusted certificates,
+ /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root
+ CA certificates
+ /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for
+ blacklisted certificates
+ A helper tool called "update-ca-certificates" is used to distribute
+ changes from this directory to common locations, /var/lib/ca-
+ certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca-
+ certificates/java-cacerts /var/lib/ca-certificates/ca-bundle.epm
+ /etc/ssl/certs now links to /var/lib/ca-certificates/pem
+ Put your local changed CA certificates into /etc/pki/trust/anchors/ and
+ run the update-ca-certificates tool to make them known.

--
openSUSE Feature:
https://features.opensuse.org/315592
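
Review bot: two paths in the Solution part of the added release notes look mistyped. `/usr/share/pki/trist/blacklist/` sits next to `/etc/pki/trust/blacklist/` and `/usr/share/pki/trust/anchors/`, so it should presumably read `trust`, and `/var/lib/ca-certificates/ca-bundle.epm` should presumably be `ca-bundle.pem`, matching the `ca-bundle.pem` named under Challenge. Administrators will copy these paths verbatim, so both should be corrected before the note is published. The four output locations after "common locations," would also be easier to read one per line, and "also missed things" under Challenge should say what was missing.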
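
A check for the layout the description and the release note describe, as an added example that is not part of the feature request or of openSUSE's tooling: it reports whether a certificate directory is already a symlink to the managed location and, for a directory still in the old layout, which entries are hand-placed files or dangling symlinks. The function names are hypothetical, the default target is the path named in the release note, and `readlink` is assumed to be available.

```shell
#!/bin/sh
# Added example (not openSUSE code); function names are hypothetical.
# Default target is the location named in the release note text.
MANAGED_TARGET=/var/lib/ca-certificates/pem

# Print how DIR is set up: "managed" (symlink to EXPECTED),
# "redirected:<target>" (symlink to somewhere else), "directory" or "missing".
certs_dir_state() {
    dir=$1
    expected=${2:-$MANAGED_TARGET}
    if [ -L "$dir" ]; then
        target=$(readlink "$dir")
        if [ "$target" = "$expected" ]; then
            echo managed
        else
            echo "redirected:$target"
        fi
    elif [ -d "$dir" ]; then
        echo directory
    else
        echo missing
    fi
}

# List entries in DIR that are not live symlinks:
# "file:<name>" for a hand-placed regular file,
# "dangling:<name>" for a symlink whose target no longer exists.
unmanaged_entries() {
    dir=$1
    for entry in "$dir"/*; do
        name=${entry##*/}
        if [ -L "$entry" ]; then
            [ -e "$entry" ] || echo "dangling:$name"
        elif [ -f "$entry" ]; then
            echo "file:$name"
        fi
    done
}

# Audit the directory given on the command line, e.g. /etc/ssl/certs.
if [ "$#" -ge 1 ]; then
    state=$(certs_dir_state "$1")
    echo "$state"
    [ "$state" != directory ] || unmanaged_entries "$1"
fi
```

Files reported as `file:` are the ones to move into /etc/pki/trust/anchors/ before running update-ca-certificates, as the release note instructs.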