On 10/28/2014 09:04 AM, Ashby, Jason (IMS) wrote:
> Add your root and intermediary CAs to system CA bundle (copy ca-bundle.crt out to all consumers too):
> 
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

Hi Jason,

I think the above might become a problem the next time you update your
ca-certificates package. Red Hat OSes have a tool to help you with this
called update-ca-trust. Its man page is pretty decent, but the gist of
it is that you should stick CAs that you want to trust in
/etc/pki/ca-trust/source/anchors/, and then use that utility to add the
CAs that it finds there to the ca-bundle.crt file for you. This way it
will survive package updates to the CA bundle.

The first time you use update-ca-trust, you need to run it with the
enable flag, IIRC:

$ sudo update-ca-trust enable

Then, whenever you want to change the CAs you trust, run:

$ sudo update-ca-trust extract

Hope this helps!

_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
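
The anchor-based procedure from the reply above, as an added example that is not part of the original thread. The function names, the `ANCHORS` override, the script name `stage-ca.sh` and the CA:TRUE check are assumptions of this sketch; the paths are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example (not from the thread): stage CA certs as trust anchors.
# ANCHORS defaults to the directory named in the reply; override for a dry run.
ANCHORS="${ANCHORS:-/etc/pki/ca-trust/source/anchors}"
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# stage_ca FILE: install FILE into $ANCHORS as clean PEM if it is a CA cert.
# Returns 1 if FILE is not a certificate, 2 if it is not marked CA:TRUE.
stage_ca() {
    src="$1"
    # PEM input is accepted even with the human-readable "-text" dump in front.
    text=$(openssl x509 -in "$src" -noout -text 2>/dev/null) || {
        echo "skip $src: not a parseable certificate" >&2; return 1; }
    # Policy of this example (an assumption): anchors must be CA certificates.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
        echo "skip $src: basicConstraints is not CA:TRUE" >&2; return 2; }
    fp=$(openssl x509 -in "$src" -noout -fingerprint -sha256) || return 1
    # Re-encode so only the PEM block lands in the anchors directory.
    openssl x509 -in "$src" -out "$ANCHORS/$(basename "$src")" || return 1
    echo "staged $src ($fp)"
}

# rebuild_trust: regenerate the bundle from the anchors (needs root). The
# one-time "update-ca-trust enable" from the reply is assumed already done.
rebuild_trust() {
    update-ca-trust extract
}

# Script mode: pass the CA files, root first, e.g. the two from the thread:
#   sudo sh stage-ca.sh /etc/pki/pulp_certs/rootca.crt /etc/pki/pulp_certs/pulpca.crt
if [ "$#" -gt 0 ]; then
    for cert in "$@"; do stage_ca "$cert" || exit 1; done
    rebuild_trust || exit 1
    # Each staged CA should now chain to the rebuilt system bundle.
    for cert in "$@"; do openssl verify -CAfile "$BUNDLE" "$cert" || exit 1; done
fi
```

Because the files live in the anchors directory rather than being appended to ca-bundle.crt, re-running the script after a ca-certificates update is not needed; the package's own rebuild picks them up.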