Feature changed by: Karl Eichwalder (keichwa)
Feature #315592, revision 16
Title: [RN] retire /etc/ssl/certs as r/w for admins
Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Since the introduction of update-ca-certificates in openSUSE 11.2, /etc/ssl/certs has been an automatically managed location for SSL certificates. Administrators are no longer meant to put their own files there; instead, update-ca-certificates installs symlinks to the actual files there. Having scripts regularly mess with /etc is ugly. Therefore placing individual symlinks in /etc/ssl/certs needs to be retired. /etc/ssl/certs should point to a location in /var instead. This could be done either with a symlink or with a bind mount.

Documentation Impact: RN

Discussion:
#3: Marcus Meissner (msmeissn) (2014-07-30 14:51:18)
As we imported this change from openSUSE Factory, we should appropriately document it with release notes.

- Release Notes: Change of default locations for root certificates + Release Notes: Change of Default Locations for Root Certificates Challenge: Using /etc/ssl/certs or even a single bundle file to store SSL root certificates makes it impossible to separate package and administrator - provided files. - Package updates would therefore either not actually update the - certificate store or overwrite administrator changes + provided files. Package updates would therefore either not actually + update the certificate store or overwrite administrator changes.
Solution: - A new location is now used to store trusted certificates, - /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the root - CA certificates - /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for + A new location is now used to store trusted certificates: + * /usr/share/pki/trust/anchors/ and /etc/pki/trust/anchors/ for the + root CA certificates + * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for blacklisted certificates A helper tool called "update-ca-certificates" is used to propagate the content of those directories to the certificate stores used by openssl, - gnutls and openjdk + gnutls, and openjdk. /etc/ssl/certs links to an implemention specific location managed by - p11-kit. It must not be used by the admin anymore - Administrators need to put local CA certificates into + p11-kit. It must not be used by the admin anymore. + Administrators must put local CA certificates into /etc/pki/trust/anchors/ instead and run the update-ca-certificates tool - to propagate the certificates to the various certificate stores + to propagate the certificates to the various certificate stores. -- openSUSE Feature: https://features.opensuse.org/315592
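Review bot: the added line `+ * /usr/share/pki/trist/blacklist/ and /etc/pki/trust/blacklist/ for` carries the `trist` typo over from the removed line; the anchors line in the same hunk spells the parent directory `/usr/share/pki/trust/`, so this should read `/usr/share/pki/trust/blacklist/`. While the note is being edited, the unchanged context line `/etc/ssl/certs links to an implemention specific location managed by` could also be corrected to `implementation-specific`.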
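The practical consequence of this change is that a certificate an administrator copies directly into /etc/ssl/certs is no longer part of the trust store: only the symlinks installed by update-ca-certificates belong there. The following audit script is an added example, not part of the feature request or of update-ca-certificates itself; it flags hand-placed regular files in a managed certificate directory and tells the operator where they belong. The directory paths are passed as arguments (an assumption made so the check can be run against a test tree rather than the live system).

```shell
#!/bin/sh
# Added example (not from the feature request or the openSUSE tooling).
# After this change /etc/ssl/certs is tool-managed: update-ca-certificates
# installs symlinks there, and a regular file dropped in by hand is silently
# ignored. This audit lists such files and points to the new anchors dir.

# Usage: audit_certs_dir MANAGED_CERTS_DIR ANCHORS_DIR
# Prints one line per unmanaged file; returns 0 when the dir is clean,
# 1 when something was found, so it can gate a script or cron job.
audit_certs_dir() {
    certs_dir="$1"
    anchors_dir="$2"
    count=0
    for f in "$certs_dir"/*.pem "$certs_dir"/*.crt; do
        # Tool-managed entries are symlinks (even dangling ones): skip them.
        [ -L "$f" ] && continue
        # An unmatched glob leaves the pattern itself; only real files count.
        [ -f "$f" ] || continue
        count=$((count + 1))
        echo "unmanaged: $f -> move to $anchors_dir/ and run update-ca-certificates"
    done
    [ "$count" -eq 0 ]
}

# Usage: is_managed_certs_link DIR
# Returns 0 when DIR is itself a symlink, i.e. the layout this feature
# proposes, where /etc/ssl/certs points at a tool-managed location.
is_managed_certs_link() {
    [ -L "$1" ]
}

# Run against the real system when executed directly (paths from the page).
if [ "${1:-}" = "--live" ]; then
    audit_certs_dir /etc/ssl/certs /etc/pki/trust/anchors
fi
```

Run `sh audit.sh --live` on an openSUSE host to check the real /etc/ssl/certs; a non-zero exit means at least one file there is not managed by update-ca-certificates.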