Control: severity -1 normal

On 07/27/2013 08:52 PM, Christoph Anton Mitterer wrote:
> Hi.

Hi Christoph - thanks for the bug report. I lowered the severity since I
agree that some improvements can be made, but local certificate handling
does work fine. Biggest hint I have is to use 'update-ca-certificates
--fresh' when modifying/removing local certs. I'd like to keep this bug
open for improving the documentation in the README and man page for
update-ca-certificates in handling local certs.

> Since some time the handling of certs in 
> /usr/local/share/ca-certificates/ seems to be broken.

This is rather vague. Could you provide some steps to
reproduce your problem?

> Neither are these anymore shown up in debconf on reconfigure

I do not think local certificates were ever available in debconf. Local
certificates placed in /usr/local/share/ca-certificates/ are implicitly
trusted on the system. Don't put them there, if you don't intend them to
be trusted. With that in mind, there is no reason to have them in
debconf - this is for updating trust for those certificates installed
by the package.

I sort of equate this with wanting the util-linux package to track
scripts under /usr/local/bin/.

> nor are links in /etc/ssl/certs removed, created or re-created with 
> new hash-values, when the cert got removed, added or changed so that 
> a new hash resulted.

I created a couple test CA certificates, installed test1, updated to
test2, and then removed it successfully. I hope the attached example
helps. Please, let me know some specifics, if I've misunderstood your
report.

-- 
Kind regards,
Michael
mshuler@mana:~$ openssl x509 -hash -fingerprint -noout -in 12.am_Root_CA_test1.crt
3f5b7c0e
SHA1 Fingerprint=B5:EF:D4:C7:64:75:FD:C1:04:B7:87:B3:5F:2A:1A:A4:85:56:51:BD
mshuler@mana:~$ openssl x509 -hash -fingerprint -noout -in 12.am_Root_CA_test2.crt
5a0c50c0
SHA1 Fingerprint=63:57:70:04:57:2D:AF:51:4F:6D:F6:26:97:33:61:A3:15:17:50:F0
mshuler@mana:~$ 
mshuler@mana:~$ cp 12.am_Root_CA_test1.crt /usr/local/share/ca-certificates/12.am_Root_CA.crt
mshuler@mana:~$ 
mshuler@mana:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
mshuler@mana:~$ 
mshuler@mana:~$ ls -l /etc/ssl/certs/ | grep 12.am
lrwxrwxrwx 1 root root     17 Jul 28 17:09 017dd8eb.0 -> 12.am_Root_CA.pem
lrwxrwxrwx 1 root root     50 Jul 28 17:09 12.am_Root_CA.pem -> /usr/local/share/ca-certificates/12.am_Root_CA.crt
lrwxrwxrwx 1 root root     17 Jul 28 17:09 3f5b7c0e.0 -> 12.am_Root_CA.pem
mshuler@mana:~$ 
mshuler@mana:~$ cp 12.am_Root_CA_test2.crt /usr/local/share/ca-certificates/12.am_Root_CA.crt
mshuler@mana:~$ 
mshuler@mana:~$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 157 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
mshuler@mana:~$ 
mshuler@mana:~$ ls -l /etc/ssl/certs/ | grep 12.am
lrwxrwxrwx 1 root root     50 Jul 28 17:09 12.am_Root_CA.pem -> /usr/local/share/ca-certificates/12.am_Root_CA.crt
lrwxrwxrwx 1 root root     17 Jul 28 17:09 5a0c50c0.0 -> 12.am_Root_CA.pem
lrwxrwxrwx 1 root root     17 Jul 28 17:09 b6339468.0 -> 12.am_Root_CA.pem
mshuler@mana:~$ 
mshuler@mana:~$ rm /usr/local/share/ca-certificates/12.am_Root_CA.crt 
mshuler@mana:~$ 
mshuler@mana:~$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 157 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
mshuler@mana:~$ 
mshuler@mana:~$ ls -l /etc/ssl/certs/ | grep 12.am
mshuler@mana:~$
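
Added example, not part of the original message or of the ca-certificates package: a small audit of the hashed certificate directory that lists dangling symlinks and every hash link that resolves into the local certificate directory, which is the set of implicitly trusted local CAs described above. The function name audit_cert_links is hypothetical, `readlink -f` (GNU coreutils) is assumed, and the script does not recompute subject hashes with openssl.

```sh
#!/bin/sh
# Added example: audit an OpenSSL-style hashed certificate directory.
# Usage: audit_cert_links [CERT_DIR] [LOCAL_DIR]
# Prints one line per finding:
#   DANGLING <link>            symlink whose final target no longer exists
#   LOCAL <link> -> <target>   hash link that resolves into LOCAL_DIR
audit_cert_links() {
    cert_dir=${1:-/etc/ssl/certs}
    local_dir=${2:-/usr/local/share/ca-certificates}
    # Canonicalize so the prefix comparison also works through symlinked paths.
    local_real=$(readlink -f "$local_dir") || return 2

    for link in "$cert_dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}

        # -e follows symlinks, so it is false when the chain ends nowhere,
        # e.g. a local cert was deleted but its links were never cleared.
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            continue
        fi

        # Only hash-named links (8 hex digits, a dot, a counter) are what
        # OpenSSL looks up when it builds a chain; skip the *.pem names.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac

        target=$(readlink -f "$link")
        case $target in
            "$local_real"/*) echo "LOCAL $name -> $target" ;;
        esac
    done
    return 0
}
```

Run it with no arguments after adding or removing a local certificate; any DANGLING line means the symlinks were not cleared, and `update-ca-certificates --fresh` as shown in the session above rebuilds them.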