[New: openFATE 315592] retire /etc/ssl/certs as r/w for admins
Feature added by: Ludwig Nussel (lnussel)

Feature #315592, revision 1
Title: retire /etc/ssl/certs as r/w for admins

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount.

--
openSUSE Feature: https://features.opensuse.org/315592
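An audit for the layout the description above asks for, as an added example that is not part of the feature request or of update-ca-certificates: it reports whether a certificate directory is itself a symlink, which entries are hand-copied files rather than managed symlinks, and which symlinks dangle. The function names are hypothetical and the sample tree is constructed in a temporary directory standing in for /etc/ssl/certs; a bind mount, the other option the description mentions, is not detected.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Report how DIR itself is provided: "symlink <resolved target>" or "directory".
certs_dir_state() {
    if [ -L "$1" ]; then
        printf 'symlink %s\n' "$(readlink -f "$1")"
    elif [ -d "$1" ]; then
        printf 'directory\n'
    else
        printf 'missing\n'
        return 2
    fi
}

# List entries in DIR that are not symlinks, i.e. files someone copied in by
# hand instead of letting update-ca-certificates install a link.
list_unmanaged() {
    for entry in "$1"/*; do
        [ -L "$entry" ] && continue      # managed symlink
        [ -e "$entry" ] || continue      # unexpanded glob in an empty directory
        printf '%s\n' "${entry##*/}"
    done
    return 0
}

# List symlinks in DIR whose target no longer exists.
list_dangling() {
    for entry in "$1"/*; do
        [ -L "$entry" ] && [ ! -e "$entry" ] && printf '%s\n' "${entry##*/}"
    done
    return 0
}

# Constructed sample tree; prints the audit result for it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/store" "$root/var/certs"
    : > "$root/store/good-ca.pem"
    ln -s "$root/store/good-ca.pem" "$root/var/certs/good-ca.pem"        # managed
    ln -s "$root/store/removed-ca.pem" "$root/var/certs/removed-ca.pem"  # dangling
    : > "$root/var/certs/local-ca.pem"                                    # hand-copied
    ln -s "$root/var/certs" "$root/certs"   # plays the role of /etc/ssl/certs
    certs_dir_state "$root/certs"
    echo "unmanaged: $(list_unmanaged "$root/certs" | tr '\n' ' ')"
    echo "dangling:  $(list_dangling "$root/certs" | tr '\n' ' ')"
    rm -rf "$root"
}

demo
```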
Feature changed by: Marcus Meissner (msmeissn) Feature #315592, revision 9 Title: retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. + Discussion: + #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) + as we imported this change from openSUSE Factory, we should + appropriately document it with release notes. -- openSUSE Feature: https://features.opensuse.org/315592
Feature changed by: Marcus Meissner (msmeissn) Feature #315592, revision 10 Title: retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. + Release Notes: Change of default locations for root certificates + Challenge: + So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca- + bundle.pem was used for the root certificates. + Usage of this directory was not always consistent and well defined and + also missed things. + Solution: + A new location is now used to store trusted certificates, + /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root + CA certificates + /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for + blacklisted certificates + A helper tool called "update-ca-certificates" is used to distribute + changes from this directory to common locations, /var/lib/ca- + certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca- + certificates/java-cacerts /var/lib/ca-certificates/ca-bundle.epm + /etc/ssl/certs now links to /var/lib/ca-certificates/pem + Put your local changed CA certificates into /etc/pki/trust/anchors/ and + run the update-ca-certificates tool to make them known. -- openSUSE Feature: https://features.opensuse.org/315592
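Review bot: Two paths in the added Release Notes text look mistyped: "/usr/share/pki/trist/blacklist/" does not match the "/etc/pki/trust/blacklist/" path beside it, and "/var/lib/ca-certificates/ca-bundle.epm" does not match the ".pem" suffix used for "ca-bundle.pem" in the Challenge paragraph. Administrators will copy these paths verbatim, so please correct both and put each of the four /var/lib/ca-certificates targets on its own line. "Put your local changed CA certificates" is also ambiguous; say whether it means locally added CA certificates.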
Feature changed by: Stefan Behlert (sbehlert) Feature #315592, revision 11 - Title: retire /etc/ssl/certs as r/w for admins + Title: [RN] retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. + Documentation Impact: + RN Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of default locations for root certificates Challenge: So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca- bundle.pem was used for the root certificates. Usage of this directory was not always consistent and well defined and also missed things. Solution: A new location is now used to store trusted certificates, /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to distribute changes from this directory to common locations, /var/lib/ca- certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca- certificates/java-cacerts /var/lib/ca-certificates/ca-bundle.epm /etc/ssl/certs now links to /var/lib/ca-certificates/pem Put your local changed CA certificates into /etc/pki/trust/anchors/ and run the update-ca-certificates tool to make them known. 
-- openSUSE Feature: https://features.opensuse.org/315592
Feature changed by: Ludwig Nussel (lnussel) Feature #315592, revision 12 Title: [RN] retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Documentation Impact: RN Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of default locations for root certificates Challenge: - So far /etc/ssl/certs or even a shared bundle in /etc/ssl/certs/ca- - bundle.pem was used for the root certificates. - Usage of this directory was not always consistent and well defined and - also missed things. + Using /etc/ssl/certs or even a single bundle file to store SSL root + certificates makes it impossible to separate package and administrator + provided files. 
+ Package updates would therefore either not actually update the + certificate store or overwrite administrator changes Solution: A new location is now used to store trusted certificates, /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates - A helper tool called "update-ca-certificates" is used to distribute - changes from this directory to common locations, /var/lib/ca- - certificates/pem /var/lib/ca-certificates/openssl /var/lib/ca- - certificates/java-cacerts /var/lib/ca-certificates/ca-bundle.epm - /etc/ssl/certs now links to /var/lib/ca-certificates/pem - Put your local changed CA certificates into /etc/pki/trust/anchors/ and - run the update-ca-certificates tool to make them known. + A helper tool called "update-ca-certificates" is used to propagate the + content of those directories to the certificate stores used by openssl, + gnutls and openjdk + /etc/ssl/certs links to an implemention specific location managed by + p11-kit. It must not be used by the admin anymore + Administrators need to put local CA certificates into + /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool + to propagate the certificates to the various certificate stores -- openSUSE Feature: https://features.opensuse.org/315592
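Review bot: The rewritten Solution text tells the admin that /etc/ssl/certs "must not be used" but, having dropped the "/etc/ssl/certs now links to /var/lib/ca-certificates/pem" line from the previous revision, no longer says where the link points; consider keeping that one concrete path so readers can verify the layout on their system. In the same added lines, "implemention specific" should read "implementation-specific", the new sentences are missing their closing full stops, and the unchanged context still carries "/usr/share/pki/trist/blacklist/".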
Feature changed by: Karl Eichwalder (keichwa) Feature #315592, revision 16 Title: [RN] retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Documentation Impact: RN Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. - Release Notes: Change of default locations for root certificates + Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator - provided files. - Package updates would therefore either not actually update the - certificate store or overwrite administrator changes + provided files. Package updates would therefore either not actually + update the certificate store or overwrite administrator changes. 
Solution: - A new location is now used to store trusted certificates, - /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root - CA certificates - /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for + A new location is now used to store trusted certificates: + * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the + root CA certificates + * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, - gnutls and openjdk + gnutls, and openjdk. /etc/ssl/certs links to an implemention specific location managed by - p11-kit. It must not be used by the admin anymore - Administrators need to put local CA certificates into + p11-kit. It must not be used by the admin anymore. + Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool - to propagate the certificates to the various certificate stores + to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592
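Review bot: The bullet added for blacklisted certificates still reads "/usr/share/pki/trist/blacklist/"; since this line is being rewritten anyway, correct it to "/usr/share/pki/trust/blacklist/" so it matches the "/etc/pki/trust/blacklist/" path beside it. The context line "implemention specific location" was also left untouched by this copy-edit pass and should read "implementation-specific".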
Feature changed by: Antoine Ginies (aginies) Feature #315592, revision 17 Title: [RN] retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. - Documentation Impact: - RN Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator provided files. Package updates would therefore either not actually update the certificate store or overwrite administrator changes. Solution: A new location is now used to store trusted certificates: * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, gnutls, and openjdk. /etc/ssl/certs links to an implemention specific location managed by p11-kit. It must not be used by the admin anymore. 
Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592
Feature changed by: Stefan Knorr (stfnknorr) Feature #315592, revision 19 Title: [RN] retire /etc/ssl/certs as r/w for admins Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator provided files. Package updates would therefore either not actually update the certificate store or overwrite administrator changes. Solution: A new location is now used to store trusted certificates: * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, gnutls, and openjdk. - /etc/ssl/certs links to an implemention specific location managed by - p11-kit. It must not be used by the admin anymore. + /etc/ssl/certs links to an implementation-specific location managed by + p11-kit. It must not be used by the administrator anymore. 
Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592
Feature changed by: Karl Cheng (qantas94heavy) Feature #315592, revision 20 Title: [RN] retire /etc/ssl/certs as r/w for admins + openSUSE Distribution: Done + Priority + Requester: Desirable Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator provided files. Package updates would therefore either not actually update the certificate store or overwrite administrator changes. Solution: A new location is now used to store trusted certificates: * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, gnutls, and openjdk. /etc/ssl/certs links to an implementation-specific location managed by p11-kit. It must not be used by the administrator anymore. 
Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592
Feature changed by: Stefan Knorr (stfnknorr) Feature #315592, revision 21 Title: [RN] retire /etc/ssl/certs as r/w for admins openSUSE Distribution: Done Priority Requester: Desirable Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: Since the introduction of update-ca-certificates in openSUSE 11.2 /etc/ssl/certs has been an automatically managed location for SSL certificates. Adminstrators are no longer meant to put their own files there but instead have update-ca-certificates install symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could either be done with a symlink or with a bind mount. Discussion: #3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18) as we imported this change from openSUSE Factory, we should appropriately document it with release notes. Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator provided files. Package updates would therefore either not actually update the certificate store or overwrite administrator changes. Solution: A new location is now used to store trusted certificates: * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root CA certificates - * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for + * /usr/share/pki/trust/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, gnutls, and openjdk. /etc/ssl/certs links to an implementation-specific location managed by p11-kit. It must not be used by the administrator anymore. 
Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592