On Mon, May 14, 2012 at 09:08:50AM -0400, Carl Hartung wrote:
On Mon, 14 May 2012 06:32:25 -0400 Adam Tauno Williams <awilliam@whitemice.org> wrote:
On Mon, 2012-05-14 at 07:48 +0200, Per Jessen wrote:
There is another experimental feature rolled out in openSUSE to make controlling the system wide cert store easier. But it's neither really documented clearly nor fully tested. I always wanted to do that but there are always other things to do. If people are interested I can send over the initial document how to work with it and it could be completed and tested along the way.

Dunno about people, but I'd like to know more. :-)
+1
The documentation around the whole area of certificate management is *DREADFUL* and *LACKING*. Please contribute anything you have, however fragmentary, to the interwebz.
Certificate deployment & management is an administrative nightmare. Various applications and even development environments each hoe-their-own-row. And the tool chain is almost non-existent. Applications like TinyCA and Gnomint just languish.
^--- two profoundly true statements! +1
I'll stay in the loop and contribute where I can. Thanks for the offer, Wolfgang ... and for participating in this thread, everybody else! <thumbs up!>
For the root certificate management part we have unified the non-mozilla-nss users quite much over the last years.

The packages to look for are named "ca-*" where we have tools:

ca-certificates
    This package manages the root ca subsets and contains the tools necessary for it.

java-ca-certificates
    This package plugs in a converter from our system to the Java keystores

and the certificates:

ca-certificates-mozilla
    This package contains the extracted certificates from the Mozilla NSS included set.

ca-certificates-cacert
    The CACert root CAs in our framework. Not default installed, but as soon as you install it, the CACert root will be in all tools except Mozilla NSS based ones.

man update-ca-certificates for lowlevel tool details.

Check "ca-certificates-cacert" source package / spec file on how to do a simple root-ca plugin package for your own needs (we have one for our SUSE internal CA e.g.).

Ciao, Marcus