hello Tom,

On Thursday 03 August 2006 09:46, Tom Tromey wrote:
> >>>>> "Raif" == Raif S Naffah <[EMAIL PROTECTED]> writes:
> ...
> Raif> i downloaded and installed (own --prefix since i don't use a Debian
> Raif> distro) the latest stable ca-certificates package (from
> Raif> <http://packages.debian.org/stable/misc/ca-certificates>).
>
> I wasn't really paying close attention to this... but Anthony ran into
> an issue (see the fedora-java list)

can you give me a url to that message/thread?

> ...with an application because we 
> don't install our own cacerts file.
>
> He pointed out /etc/pki/tls/certs/ca-bundle.crt (on Fedora, dunno
> about other distros) -- but this file seems to be in a format not
> understood by gkeytool.  Is that intentional?  It contains a number of
> certificates; gkeytool stops after reading the first one.
>
> FWIW this file comes from the openssl package.

the file (ca-bundle.crt) looks like a flat list of x.509 certificates in 
rfc-1421 format.  its contents look like the collection of CA certificates 
from the Debian ca-certificates package under the mozilla folder --i didn't 
verify each individual certificate though.

the gkeytool knows how to import _one_ certificate from such encoded files 
with either the -import or the -cacert commands.  the latter, coupled with 
the import-cacerts.sh (in the scripts folder) can populate a cacerts 
keystore, and was part of the email you're referring to.

the reason for the one certificate/file is that, under certain circumstances, 
the user may be required to verify visually the hash of the certificate 
before the tool can add the certificate, as a trusted one, to the keystore.


cheers;
rsn
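
An added example, not part of the original message or of the GNU Classpath scripts: one way to split a multi-certificate bundle such as ca-bundle.crt into one-certificate files and compute a fingerprint for each, so that every certificate can be checked by eye before it is imported individually with gkeytool. The output file names and the sample bundle are assumptions; the sample payloads are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# One RFC 1421 (PEM) block; text between blocks (CA names, dumps) is skipped.
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)

def split_bundle(bundle_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    ders = []
    for match in PEM_BLOCK.finditer(bundle_text):
        body = "".join(match.group(1).split())   # remove line breaks
        ders.append(base64.b64decode(body, validate=True))
    return ders

def to_pem(der):
    """Encode DER bytes as a single PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def fingerprint(der, algorithm="sha1"):
    """Colon-separated uppercase hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def write_single_cert_files(bundle_text, out_dir):
    """Write one PEM file per certificate; return (path, fingerprint) pairs."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = []
    for index, der in enumerate(split_bundle(bundle_text), start=1):
        path = out / f"ca-{index:03d}.pem"       # hypothetical naming scheme
        path.write_text(to_pem(der))
        results.append((path, fingerprint(der)))
    return results

# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE_BUNDLE = ("Example CA one\n" + to_pem(b"constructed-der-1" * 8)
                 + "\nExample CA two\n" + to_pem(b"constructed-der-2" * 8))

if __name__ == "__main__":
    for path, fp in write_single_cert_files(SAMPLE_BUNDLE, tempfile.mkdtemp()):
        print(path.name, "SHA1", fp)
```

Each fingerprint is only useful when compared against a value obtained from the CA through a separate channel.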
