bed248a516
* Update Mozilla certificate authority bundle to version 2.40.
* Add distrusted Symantec CA list to blacklist for explicit removal.
* Blacklist expired root certificate, "AddTrust External Root".

The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"

The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"

Changes for pkgsrc packaging:
* Add README.pkgsrc, replacing MESSAGE.
* Improve DESCR to better describe the functionality of the package.
* Install changelog and README.source from the distribution package.
36 lines
1.4 KiB
Text
$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $

This package provides the certificates distributed by the Mozilla
Project and will, by default, install certificates trusted by the
Mozilla Project in the system certificate store (/etc/ssl),
so that they can be used by third party applications using OpenSSL.

Edit /etc/ca-certificates.conf to further configure which
certificates are installed.

To install local certificate authorities to be implicitly trusted,
place the certificate files in /usr/local/share/ca-certificates/
as single files ending with ".crt".

After changing the configuration and adding local certificates run this
command to install and rehash the certificates:

    # /usr/sbin/update-ca-certificates

After removing local certificates run this command to remove dangling
symlinks from /etc/ssl/certs:

    # /usr/sbin/update-ca-certificates --fresh

The update-ca-certificates tool also creates a single file certificate
bundle in PEM format in /etc/ssl/certs/ca-certificates.crt
which can be used by applications using GnuTLS.

To mark the installed certificates as trusted for users of gnupg2 do
the following (assuming default PKG_SYSCONFBASE and a Bourne shell):

    # mkdir -p /usr/pkg/etc/gnupg
    # cd /usr/pkg/etc/gnupg
    # for c in /etc/ssl/certs/*.pem; do
    > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
    > done > trustlist.txt
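
The commit message lists the CAs dropped in bundle 2.40, and the README names /etc/ca-certificates.conf as the place where certificates are selected. The check below is an added example, not part of the package: it reports removed CAs that a conf file still selects. It assumes that "#" lines are comments, that "!" lines are deselected entries, and that an entry is named after the CA label with spaces replaced by underscores plus ".crt"; none of this is stated on this page.

```sh
#!/bin/sh
# CA labels removed in bundle 2.40, copied from the commit message.
REMOVED_CAS='AddTrust External Root
Certinomis - Root CA
Certplus Class 2 Primary CA
Deutsche Telekom Root CA 2
GeoTrust Global CA
GeoTrust Primary Certification Authority
GeoTrust Primary Certification Authority - G2
GeoTrust Primary Certification Authority - G3
GeoTrust Universal CA
thawte Primary Root CA
thawte Primary Root CA - G2
thawte Primary Root CA - G3
VeriSign Class 3 Public Primary Certification Authority - G4
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Universal Root Certification Authority'

# Assumption: entry name = label with spaces as underscores, plus ".crt".
label_to_file() {
    printf '%s.crt\n' "$1" | tr ' ' '_'
}

# Print the active entries of a ca-certificates.conf that name a removed CA.
# "#" lines are comments, "!" lines are already deselected (assumed syntax).
# Returns 1 if any removed CA is still selected, 0 otherwise.
still_selected() {
    conf=$1
    found=0
    while IFS= read -r label; do
        file=$(label_to_file "$label")
        # Compare the base name exactly so "... CA" does not match "... CA - G2".
        hits=$(awk -v f="$file" '
            /^[#!]/ || NF == 0 { next }
            { n = split($0, p, "/"); if (p[n] == f) print }' "$conf")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done <<EOF
$REMOVED_CAS
EOF
    return "$found"
}

# Check the file named on the command line, e.g. /etc/ca-certificates.conf.
if [ -n "${1:-}" ]; then still_selected "$1"; fi
```

Any entry it prints can be deselected in the conf file before running update-ca-certificates --fresh as described above.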