On Mon, Feb 23, 2009 at 2:37 PM, Randy McMurchy <ra...@linuxfromscratch.org> wrote:
> Dan Nicholson wrote these words on 02/23/09 14:17 CST:
>
>> Java wants a file containing the certificates of trusted root
>> certificate authorities (CAs) for SSL/TLS. Amongst other things, this
>> list of root CAs is how your browser decides whether to trust a https
>> site or not. Two of them commonly exist on a BLFS system. The ones
>> from openssl in /etc/ssl/certs and the ones from mozilla built into
>> NSS.
>
> That's just it. You hit on something that DJ said and that is what is
> confusing me. OpenSSL doesn't ship CAs any longer. In fact, the last
> update I did to OpenSSL includes a blurb that the CAs don't ship any
> longer and that there are only some instructions on how to create them.

Ah, I did notice that on the BLFS page, but wasn't exactly sure that's
what it referred to. In that case, I guess using openssl's certificates
is not an option.

> Is this what you and DJ are referring to, the instructions how to create
> them, yet you say that Mozilla includes them by default? This is where
> I'm confused as you guys have made it out that they are one and the same
> (the same in the regard they are ready to use).

Yeah, it's a little convoluted. In the NSS tarball, there's a file
mozilla/security/nss/lib/ckfw/builtins/certdata.txt. This is a list of
all the root CAs in DER format. It gets built into libnssckbi.a to be
used by NSS applications. Fedora and Debian both have scripts that
extract PEM formatted certificates from certdata.txt. I don't know about
Debian's, but DJ pointed to Fedora's:

http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl?view=markup

This actually pulls the certdata.txt from mozilla's cvs, but you could
easily alter it to operate on a local certdata.txt. Here's the outcome:

http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/ca-bundle.crt?view=markup

I haven't looked into Debian's package before, but it adds a few more
CAs besides what's in certdata.txt. Mozilla is really conservative about
adding more CAs to certdata.txt, but they have a really stringent
auditing process for determining the trust of CAs. This can be good or
bad depending on your perspective.

--
Dan
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
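The certdata.txt-to-PEM conversion discussed in this thread, as an added example that is not part of the thread and not Fedora's mkcabundle.pl: a small Python parser for the certdata.txt object layout that keeps only roots whose trust object marks them trusted for server authentication, then writes each one out as PEM. The object layout, the label-based matching of trust objects and the sample data are my assumptions, constructed for the example; the octal bytes are stand-ins, not real certificates.

```python
import base64, re, textwrap
# Constructed excerpt in the layout of NSS's certdata.txt (an assumption about the format;
# the octal bytes are stand-ins): only "Example Root CA" gets a server-auth trust object.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Untrusted CA"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

def parse_certdata(text):
    # Each object starts at a CKA_CLASS line; MULTILINE_OCTAL values run until END.
    objects, lines = [{}], iter(text.splitlines())  # objects[0] collects file header
    for line in lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 2 or line.startswith("#"):
            continue  # blank lines, comments, BEGINDATA: not attribute lines
        attr, typ, value = parts[0], parts[1], (parts[2].strip('"') if len(parts) == 3 else "")
        if attr == "CKA_CLASS":
            objects.append({})
        if typ == "MULTILINE_OCTAL":  # \ddd escapes, several per line
            raw = []
            for octal in lines:
                if octal.strip() == "END":
                    break
                raw += [int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal)]
            value = bytes(raw)
        objects[-1][attr] = value
    return objects[1:]

def trusted_server_roots(objects):
    # Pair certificates with their trust object by label; keep server-auth delegators only.
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH", "")
             for o in objects if o["CKA_CLASS"].endswith("_TRUST")}
    return {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects
            if o["CKA_CLASS"] == "CKO_CERTIFICATE"
            and trust.get(o["CKA_LABEL"], "").endswith("TRUSTED_DELEGATOR")}

def to_pem(der):
    # PEM: base64 of the DER folded at 64 columns inside CERTIFICATE markers.
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run against a real certdata.txt, concatenating `to_pem()` over `trusted_server_roots()` gives a ca-bundle.crt-style file; roots whose trust object is missing or not a trusted delegator are left out rather than silently included.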