Commit Graph

15 Commits

Author SHA1 Message Date
Kai Engert
c1c275770a For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
Set attribute modifiable: false
Require p11-kit 0.23.4
2017-02-23 19:39:46 +01:00
Kai Engert
f0b0be2c1f - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
as a preparation to fix bugs in the interaction between p11-kit-trust and
  Mozilla applications, such as Firefox, Thunderbird etc.
- Changed update-ca-trust to add comments to extracted PEM format files.
- Added an utility to help with comparing output of the trust dump command.
2017-02-13 21:04:08 +01:00
Kai Engert
40d3667f3c rename legacy=enable to legacy=default and related changes; add ca-legacy man page; handle absent configuration in ca-legacy 2015-03-31 23:02:57 +02:00
Kai Engert
e24bfeb6b0 - Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
By default, legacy roots required for OpenSSL/GnuTLS compatibility
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
  disabled. If disabled, the system will use the trust set as provided
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
2014-10-28 20:54:15 +01:00
Kai Engert
9ac574b7ef - added a manual page and related build requirements
- simplify the README files now that we have a manual page
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
2013-07-09 00:59:15 +02:00
Kai Engert
b2e71a9f9a * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12
- Use both label and serial to identify cert during conversion, rhbz#927601
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
  (thanks to Michael Shuler for suggesting to do so)
- Update source URLs and comments, add source file for version information.
2013-04-22 14:58:59 +02:00
Kai Engert
34f352da5f * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
  basic constraint extension to one legacy root contained in the
  Mozilla CA list
- adjust the build script to dynamically produce most of above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
2013-03-24 00:36:13 +01:00
Kai Engert
d538ada99c * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
- Require the p11-kit package that contains tools to automatically create
  other file format bundles.
- Convert old file locations to symbolic links that point to dynamically
  generated files.
- Old files, which might have been locally modified, will be saved in backup
  files with .rpmsave extension.
- Added a update-ca-certificates script which can be used to regenerate
  the merged trusted output.
- Refer to the various README files that have been added for more detailed
  explanation of the new system.
- No longer require rsc for building.
- Add explanation for the future version numbering scheme,
  because the old numbering scheme was based on upstream using cvs,
  which is no longer true, and therefore can no longer be used.
- Includes changes from rhbz#873369.
2013-03-09 00:09:26 +01:00
Paul Wouters
d5bb2887a4 * certdata2pem.py was checking an obsoleted variable CKT_NSS_UNTRUSTED
This was recently changed to CKT_NSS_NOT_TRUSTED, so I've changed the
python code to check for both.
2012-10-24 13:55:29 -04:00
Joe Orton
596824452e update to r1.80
fix handling of certs with dublicate Subject names (#733032)
2011-11-09 14:36:15 -08:00
Joe Orton
f098063f3d update to r1.78, removing trust from DigiNotar root (#734679) 2011-09-01 14:36:45 +01:00
Joe Orton
37d25f7154 update to r1.74 2011-04-20 10:12:55 +01:00
jorton
dc70b1f07b - fix ca-bundle.crt (#575111) 2010-03-19 14:00:29 +00:00
jorton
708646cc46 - update to certdata.txt r1.58
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE'
    format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
2010-03-18 12:23:55 +00:00
jorton
5f392b3f7e - adopt Python certdata.txt parsing script from Debian 2010-01-15 17:11:52 +00:00