- improve manpage

This commit is contained in:
Kai Engert 2013-07-17 15:39:41 +02:00
parent 540618e93b
commit ed9b40a653
2 changed files with 18 additions and 13 deletions

View File

@ -286,6 +286,8 @@ fi
%changelog
- improve manpage
* Tue Jul 09 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-15
- clarification updates to manual page

View File

@ -33,23 +33,26 @@ SYNOPSIS
DESCRIPTION
-----------
update-ca-trust(8) is used to manage a consolidated and dynamic configuration
feature of CA certificates and associated trust.
feature of Certificate Authority (CA) certificates and associated trust.
The feature is available for any new applications that read the
The feature is available for new applications that read the
consolidated configuration files found in the /etc/pki/ca-trust/extracted directory
or that load the PKCS#11 module p11-kit-trust.so
Parts of the new feature are also provided in a way to make it useful
by legacy applications.
for legacy applications.
Many legacy applications expect CA certificates and trust configuration
in a fixed location, contained in files with particular path and name,
or by referring to a specific legacy PKCS#11 trust module provided by the
or by referring to a classic PKCS#11 trust module provided by the
NSS cryptographic library.
In order to enable legacy applications, that read the legacy files or
legacy module, to make use of the new consolidated and dynamic configuration
feature, the legacy filenames have been changed to symbolic links.
The dynamic configuration feature provides functionally compatible replacements
for classic configuration files and for the classic NSS trust module named libnssckbi.
In order to enable legacy applications, that read the classic files or
access the classic module, to make use of the new consolidated and dynamic configuration
feature, the classic filenames have been changed to symbolic links.
The symbolic links refer to dynamically created and consolidated
output stored below the /etc/pki/ca-trust/extracted directory hierarchy.
@ -58,8 +61,8 @@ or using the 'update-ca-trust extract' command.
In order to produce the output, a flexible set of source configuration
is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
In addition, the static legacy PKCS#11 module
is replaced by a new PKCS#11 module (p11-kit-trust.so) that dynamically
In addition, the classic PKCS#11 module
is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
reads the same source configuration.
@ -147,7 +150,7 @@ directories or in any of their subdirectories, or after adding a file,
it is necessary to run the 'update-ca-trust extract' command,
in order to update the consolidated files in /etc/pki/ca-trust/extracted/ .
Applications that load the legacy PKCS#11 module using filename libnssckbi.so
Applications that load the classic PKCS#11 module using filename libnssckbi.so
(which has been converted into a symbolic link pointing to the new module)
and any application capable of
loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
@ -215,15 +218,15 @@ COMMANDS
FILES
-----
/etc/pki/tls/certs/ca-bundle.crt::
Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
/etc/pki/tls/certs/ca-bundle.trust.crt::
Legacy filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
/etc/pki/java/cacerts::
Legacy filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
/usr/share/pki/ca-trust-source::