[New: openFATE 314991] system ca certificates based on p11-kit
Feature added by: Ludwig Nussel (lnussel)

Feature #314991, revision 1
Title: system ca certificates based on p11-kit

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 2
Title: system ca certificates based on p11-kit

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

+ Discussion:
+ #1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
+ I've prepared packages in home:lnussel:branches:Base:System. Currently
+ pending feedback from upstream wrt file system locations. Fedora chose
+ /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source for which I
+ am not too happy about. I'd prefer /usr/share/pki/trust and
+ /etc/pki/trust (or ca-trust, but without the "source"). They also put
+ generated files /etc which I will not do. Generated file have to go to
+ /var/lib/ca-certificates.

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 3
Title: system ca certificates based on p11-kit

- openSUSE Distribution: Unconfirmed
+ openSUSE Distribution: Implementation
  Priority
  Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 4
Title: system ca certificates based on p11-kit

openSUSE Distribution: Implementation
  Priority
  Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

+ #2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
+ First round submitted to Factory. Next step would be to replace the
+ mozilla-nss-certs package.

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 5
Title: system ca certificates based on p11-kit

- openSUSE Distribution: Implementation
- Priority
- Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

#2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
First round submitted to Factory. Next step would be to replace the mozilla-nss-certs package.

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 7
Title: system ca certificates based on p11-kit

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

#2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
First round submitted to Factory. Next step would be to replace the mozilla-nss-certs package.

+ #3: Ludwig Nussel (lnussel) (2013-07-05 09:55:08)
+ - mozilla-nss-certs can now be replaced by p11-kit-nss-trust - gnutls
+ uses pkcs11 as trust store - openssl no longer reads /etc/ssl/certs

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Ludwig Nussel (lnussel)

Feature #314991, revision 8
Title: system ca certificates based on p11-kit

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

#2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
First round submitted to Factory. Next step would be to replace the mozilla-nss-certs package.

#3: Ludwig Nussel (lnussel) (2013-07-05 09:55:08)
- mozilla-nss-certs can now be replaced by p11-kit-nss-trust
- gnutls uses pkcs11 as trust store
- openssl no longer reads /etc/ssl/certs

+ #4: Ludwig Nussel (lnussel) (2013-08-07 10:57:48)
+ Done. gnutls had to switch back to using a directly though as it doesnt
+ honor the trust flags yet.

--
openSUSE Feature:
https://features.opensuse.org/314991

Feature changed by: Karl Cheng (qantas94heavy)

Feature #314991, revision 9
Title: system ca certificates based on p11-kit

+ openSUSE Distribution: Done
+ Priority
+ Requester: Desirable

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
openSUSE should use p11-kit as primary tool for ca-certificate management.
1. define directory where to store ca certificates. Currently we use subdirs of /usr/share/ca-certificates. p11-kit likes to have all in one directory called 'anchors'. Fedora chose /usr/share/pki/ca-trust-source.
2. make update-ca-certificates call p11-kit to generate the compat bundles.
3. patch openssl, nss, gnutls to directly use p11-kit via library instead of relying on generated directories.
More info about the implementation in Fedora:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks

Discussion:
#1: Ludwig Nussel (lnussel) (2013-06-20 14:33:28)
I've prepared packages in home:lnussel:branches:Base:System. Currently pending feedback from upstream wrt file system locations. Fedora chose /etc/pki/ca-trust/source and /usr/share/pki/ca-trust-source, which I am not too happy about. I'd prefer /usr/share/pki/trust and /etc/pki/trust (or ca-trust, but without the "source"). They also put generated files in /etc, which I will not do. Generated files have to go to /var/lib/ca-certificates.

#2: Ludwig Nussel (lnussel) (2013-06-21 14:54:25)
First round submitted to Factory. Next step would be to replace the mozilla-nss-certs package.

#3: Ludwig Nussel (lnussel) (2013-07-05 09:55:08)
- mozilla-nss-certs can now be replaced by p11-kit-nss-trust
- gnutls uses pkcs11 as trust store
- openssl no longer reads /etc/ssl/certs

#4: Ludwig Nussel (lnussel) (2013-08-07 10:57:48)
Done. gnutls had to switch back to using a directly though as it doesn't honor the trust flags yet.

--
openSUSE Feature:
https://features.opensuse.org/314991