Feature changed by: Ludwig Nussel (lnussel)
Feature #315592, revision 12
Title: [RN] retire /etc/ssl/certs as r/w for admins
Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2, /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there; instead, update-ca-certificates installs symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could be done either with a symlink or with a bind mount.

Documentation Impact: RN

Discussion:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
as we imported this change from openSUSE Factory, we should appropriately document it with release notes.

Release Notes:
Change of default locations for root certificates

Challenge:
- So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca-
- bundle.pem was used for the root certificates.
- Usage of this directory was not always consistent and well defined and
- also missed things.
+ Using /etc/ssl/certs or even a single bundle file to store SSL root
+ certificates makes it impossible to separate package and administrator
+ provided files.
+ Package updates would therefore either not actually update the
+ certificate store or overwrite administrator changes

Solution:
A new location is now used to store trusted certificates,
/usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates
/usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates
- A helper tool called "update-ca-certificates" is used to distribute
- changes from this directory to common locations, /var/lib/ca-
- certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca-
- certificates/java-cacerts /var/lib/ca-certificates/ca-bundle.epm
- /etc/ssl/certs now links to /var/lib/ca-certificates/pem
- Put your local changed CA certificates into /etc/pki/trust/anchors/ and
- run the update-ca-certificates tool to make them known.
+ A helper tool called "update-ca-certificates" is used to propagate the
+ content of those directories to the certificate stores used by openssl,
+ gnutls and openjdk
+ /etc/ssl/certs links to an implemention specific location managed by
+ p11-kit. It must not be used by the admin anymore
+ Administrators need to put local CA certificates into
+ /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool
+ to propagate the certificates to the various certificate stores

-- openSUSE Feature: https://features.opensuse.org/315592
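Review bot: In the Challenge hunk the last added line ("... or overwrite administrator changes") is missing its full stop, and the two "+" sentences read as one run-on without it; add the period so the release note matches the punctuation of the "-" text it replaces.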
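Review bot: In the Solution hunk the "+" lines drop every concrete output path the "-" lines named (/var/lib/ca-certificates/pem, .../openssl, .../java-cacerts and the bundle file) and replace them with "an implemention specific location managed by p11-kit". An administrator who reads this note because some program hardcodes a bundle or directory path is left with no location to point it at; consider keeping at least the /var/lib/ca-certificates/pem line that explains what /etc/ssl/certs now links to. Two spellings should also be fixed before this ships: "implemention" for "implementation" in the "+" text, and "/usr/share/pki/trist/blacklist/" in the unchanged context line, which should read "/usr/share/pki/trust/blacklist/" to match the /etc/pki/trust/blacklist/ path beside it.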
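The operational consequence of this change is that anything an administrator once dropped directly into /etc/ssl/certs is no longer honoured: only the anchors directories feed update-ca-certificates. The following POSIX shell script is an added example for this page, not part of openSUSE's update-ca-certificates or p11-kit tooling. It does two things a migrating admin wants: it audits a managed directory such as /etc/ssl/certs for regular files (anything that is not a symlink is a hand-placed file that the new layout will drop), and it stages a PEM certificate into the anchors directory after checking that it actually is a PEM certificate. The anchors path /etc/pki/trust/anchors/ is the one named in the feature text; the ANCHORS_DIR override, the .pem naming convention and the decision to print the update-ca-certificates step rather than run it (so the script works without root) are the example's own choices.

```shell
#!/bin/sh
# Added example for the /etc/ssl/certs retirement; not openSUSE's own tooling.
# ANCHORS_DIR defaults to the path named in the feature text and can be
# overridden for testing without root.
ANCHORS_DIR=${ANCHORS_DIR:-/etc/pki/trust/anchors}

# audit_managed_dir DIR
# Lists every regular (non-symlink) entry in a directory that is supposed to
# be fully managed, e.g. /etc/ssl/certs. After the change only symlinks
# belong there, so each hit is an administrator addition that would be lost
# and must be moved to $ANCHORS_DIR. Returns 0 if clean, 1 if hits were found.
audit_managed_dir() {
    dir=$1
    dirty=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        # skip unmatched glob patterns
        [ -e "$f" ] || [ -L "$f" ] || continue
        # symlinks are what update-ca-certificates installs; they are expected
        [ -L "$f" ] && continue
        if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            printf 'unmanaged certificate: %s\n' "$f"
        else
            printf 'unmanaged file: %s\n' "$f"
        fi
        dirty=1
    done
    return "$dirty"
}

# stage_local_ca FILE [DEST]
# Copies a PEM certificate into the anchors directory (DEST, default
# $ANCHORS_DIR) under a .pem name and prints the propagation step. The .pem
# suffix is this example's convention, not a requirement of the tooling.
# Refuses files that do not carry a PEM certificate block.
stage_local_ca() {
    src=$1
    dest=${2:-$ANCHORS_DIR}
    if ! grep -q 'BEGIN CERTIFICATE' "$src" 2>/dev/null; then
        printf 'not a PEM certificate: %s\n' "$src" >&2
        return 1
    fi
    base=$(basename "$src")
    case $base in
        *.pem) ;;
        *) base="$base.pem" ;;
    esac
    mkdir -p "$dest"
    cp "$src" "$dest/$base"
    # anchors are public data; world-readable, owner-writable
    chmod 0644 "$dest/$base"
    printf 'staged %s; now run: update-ca-certificates\n' "$dest/$base"
}
```

Typical use on a real host is `audit_managed_dir /etc/ssl/certs` before the upgrade, then `stage_local_ca /root/corp-root-ca.crt` followed by the printed `update-ca-certificates` call as root. The audit deliberately treats every non-symlink as suspect rather than only PEM files, because a stray bundle or key file left in a managed directory is just as likely to be silently dropped.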