Feature changed by: Karl Eichwalder (keichwa)
Feature #315592, revision 16
Title: [RN] retire /etc/ssl/certs as r/w for admins
Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org
Since the introduction of update-ca-certificates in openSUSE 11.2,
/etc/ssl/certs has been an automatically managed location for SSL
certificates. Administrators are no longer meant to put their own files
there; instead, update-ca-certificates installs symlinks to the
actual files there.
Having scripts regularly mess with /etc is ugly. Therefore placing
individual symlinks in /etc/ssl/certs needs to be retired.
/etc/ssl/certs should point to a location in /var instead. This could
either be done with a symlink or with a bind mount.
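The following audit script is an added example and not part of the feature request: it checks a certificate directory the way an administrator would check /etc/ssl/certs before the switch, distinguishing entries managed by update-ca-certificates (symlinks) from files an administrator copied in by hand (regular files), which are the ones that would be lost once /etc/ssl/certs becomes a link or bind mount to a managed location. The managed location /var/lib/ca-certificates/pem used in the constructed sample tree is an assumption for the example; the page only says "a location in /var". All functions take the directory as a parameter, so they can be run against any path.

```shell
#!/bin/sh
# Added example (not from the feature page): audit a certificate directory
# for administrator-placed files. With update-ca-certificates in charge,
# every entry in /etc/ssl/certs should be a symlink; a regular file there
# was put in place by hand and will not survive the move to a managed
# location under /var.

# Print the number of regular files (not symlinks) directly inside $1.
# Note: "[ -f ]" follows symlinks, so the "! -L" test is what separates
# managed entries from hand-copied ones.
count_admin_files() {
    n=0
    for f in "$1"/*; do
        # the glob stays literal when the directory is empty; skip it
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Classify the certificate directory itself: "symlink" means it already
# points at a managed location, "directory" means the old r/w layout.
certs_dir_kind() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ -d "$1" ]; then
        echo directory
    else
        echo missing
    fi
}

# Build a constructed sample tree under a fresh temp directory and print
# its root: one symlink as update-ca-certificates would create it, and
# one regular file copied in by an administrator. The managed path
# var/lib/ca-certificates/pem is an assumption for this example.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/ca-certificates/pem" "$root/etc/ssl/certs"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' \
        > "$root/var/lib/ca-certificates/pem/managed.pem"
    # managed entry: relative symlink from etc/ssl/certs back to the store
    ln -s ../../../var/lib/ca-certificates/pem/managed.pem \
        "$root/etc/ssl/certs/managed.pem"
    # admin-placed entry: a plain file, the case the migration must catch
    printf 'constructed local CA, not a real certificate\n' \
        > "$root/etc/ssl/certs/local-ca.pem"
    echo "$root"
}

# Print a one-line report for $1 and fail when admin-placed files exist,
# so the script can gate a migration step.
audit_certs_dir() {
    kind=$(certs_dir_kind "$1")
    n=$(count_admin_files "$1")
    echo "$1: $kind, $n admin-placed file(s)"
    [ "$n" -eq 0 ]
}

main() {
    root=$(make_sample_tree)
    audit_certs_dir "$root/etc/ssl/certs" ||
        echo "move these files to /etc/pki/trust/anchors/ and run update-ca-certificates"
    rm -rf "$root"
}

main "$@"
```

Run it as-is to see the report on the constructed tree, or call `audit_certs_dir /etc/ssl/certs` on a real system; a non-zero exit means there are hand-placed files to relocate before /etc/ssl/certs is turned into a link.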
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
As we imported this change from openSUSE Factory, we should
appropriately document it with release notes.
- Release Notes: Change of default locations for root certificates
+ Release Notes: Change of Default Locations for Root Certificates
Using /etc/ssl/certs or even a single bundle file to store SSL root
certificates makes it impossible to separate package and administrator
- provided files.
- Package updates would therefore either not actually update the
- certificate store or overwrite administrator changes
+ provided files. Package updates would therefore either not actually
+ update the certificate store or overwrite administrator changes.
- A new location is now used to store trusted certificates,
- /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root
- CA certificates
- /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for
+ A new location is now used to store trusted certificates:
+ * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the
+ root CA certificates
+ * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for
A helper tool called "update-ca-certificates" is used to propagate the
content of those directories to the certificate stores used by openssl,
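Review bot: the blacklist path in the new bullet still carries the typo "/usr/share/pki/trist/blacklist/" (copied over from the removed line); it should read "/usr/share/pki/trust/blacklist/" to match "/etc/pki/trust/blacklist/" beside it. The same bullet also ends at "for" without saying what belongs in the blacklist directories, while the anchors bullet says "for the root CA certificates"; please complete the sentence so the list is symmetric.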
- gnutls and openjdk
+ gnutls, and openjdk.
/etc/ssl/certs links to an implemention specific location managed by
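Review bot: the unchanged line following this hunk has "implemention"; since the hunk already touches the surrounding sentence for punctuation, fixing "implementation specific" (or "implementation-specific") here would be cheap. Consider also the product spellings "GnuTLS" and "OpenJDK" in the changed line, as the release notes otherwise use proper names.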
- p11-kit. It must not be used by the admin anymore
- Administrators need to put local CA certificates into
+ p11-kit. It must not be used by the admin anymore.
+ Administrators must put local CA certificates into
/etc/pki/trust/anchors/ instead and run the update-ca-certificates tool
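Review bot: "It must not be used by the admin anymore." tells administrators what to stop doing but not what to do with certificates they already placed in /etc/ssl/certs under the old scheme described at the top of this feature; add a sentence saying that such files have to be moved to /etc/pki/trust/anchors/ (followed by running update-ca-certificates), since the new text only covers adding new local CA certificates.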
- to propagate the certificates to the various certificate stores
+ to propagate the certificates to the various certificate stores.