Commit Graph

156 Commits

Author SHA1 Message Date
Kai Engert
e24bfeb6b0 - Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
By default, legacy roots required for OpenSSL/GnuTLS compatibility
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
  disabled. If disabled, the system will use the trust set as provided
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
2014-10-28 20:54:15 +01:00
Kai Engert
f81c301d27 - Temporarily re-enable several legacy root CA certificates because of
compatibility issues with software based on OpenSSL/GnuTLS,
  see rhbz#1144808
2014-09-21 10:33:16 +02:00
Kai Engert
18eedda612 - Update to CKBI 2.1 from NSS 3.16.4
- Fix rhbz#1130226
2014-08-14 17:06:04 +02:00
Dennis Gilmore
b0943c5cc0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-06 22:50:54 -05:00
Kai Engert
f176bca921 Update to CKBI 1.97 from NSS 3.16 2014-03-19 11:30:07 +01:00
Kai Engert
4a1396fc65 Merge branch 'master' of ssh://pkgs.fedoraproject.org/ca-certificates
Conflicts:
	ca-certificates.spec
2014-02-10 20:15:14 +01:00
Kai Engert
278ac24070 remove openjdk build requirement 2014-02-10 20:13:22 +01:00
Ville Skyttä
a14dcb43a0 Own the %{_datadir}/pki dir. 2014-01-25 20:39:23 +02:00
Kai Engert
5df4185c4d * Thu Jan 09 2014 Kai Engert <kaie@redhat.com> - 2013.1.96-1
- Update to CKBI 1.96 from NSS 3.15.4
2014-01-09 17:38:04 +01:00
Kai Engert
9a4d41a78e * Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-1
- Update to CKBI 1.95 from NSS 3.15.3.1
2013-12-17 18:51:16 +01:00
Kai Engert
10e748b11e The PKCS#11 attributes of a stapled extension changed slightly
during the 0.19.x releases. This was due to specification work on
the 'Storing Trust Policy' document. Patch by Stef Walter.
Resolves: rhbz#988745
2013-09-06 17:22:25 +02:00
Kai Engert
e3e96c2ad9 - merge manual improvement from f19 2013-09-03 13:32:18 +02:00
Dennis Gilmore
04d3dc5036 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-02 23:13:50 -05:00
Kai Engert
540618e93b - clarification updates to manual page 2013-07-09 12:50:17 +02:00
Kai Engert
9ac574b7ef - added a manual page and related build requirements
- simplify the README files now that we have a manual page
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
2013-07-09 00:59:15 +02:00
Kai Engert
6c5dbfb646 * Mon May 27 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-13
- use correct command in README files, rhbz#961809
2013-05-27 15:28:11 +02:00
Kai Engert
2dc4526741 - update to version 1.94 provided by NSS 3.15 (beta) 2013-05-27 14:57:04 +02:00
Kai Engert
b2e71a9f9a * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12
- Use both label and serial to identify cert during conversion, rhbz#927601
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
  (thanks to Michael Shuler for suggesting to do so)
- Update source URLs and comments, add source file for version information.
2013-04-22 14:58:59 +02:00
Kai Engert
34f352da5f * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
  basic constraint extension to one legacy root contained in the
  Mozilla CA list
- adjust the build script to dynamically produce most of above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
2013-03-24 00:36:13 +01:00
Kai Engert
d538ada99c * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
- Require the p11-kit package that contains tools to automatically create
  other file format bundles.
- Convert old file locations to symbolic links that point to dynamically
  generated files.
- Old files, which might have been locally modified, will be saved in backup
  files with .rpmsave extension.
- Added a update-ca-certificates script which can be used to regenerate
  the merged trusted output.
- Refer to the various README files that have been added for more detailed
  explanation of the new system.
- No longer require rsc for building.
- Add explanation for the future version numbering scheme,
  because the old numbering scheme was based on upstream using cvs,
  which is no longer true, and therefore can no longer be used.
- Includes changes from rhbz#873369.
2013-03-09 00:09:26 +01:00
Kai Engert
0ecb427592 * Thu Mar 07 2013 Kai Engert <kaie@redhat.com> - 2012.87-2.fc19.1
- Ship trust bundle file in /usr/share/pki/ca-trust-source/, temporarily in addition.
  This location will soon become the only place containing this file.
2013-03-08 00:03:25 +01:00
Dennis Gilmore
dc139972f7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild 2013-02-13 12:10:59 -06:00
Paul Wouters
73800e131b * Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1
- Updated to r1.87 to blacklist mis-issued turktrust CA certs
2013-01-04 12:50:54 -05:00
Paul Wouters
829cbef0ba * Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED

Also updated pointer to certdata.txt explaining that's a pointer to
an unstable version.
2012-10-24 14:17:36 -04:00
Paul Wouters
0a930f04ef * Added real source url for certdata.txt on hg.mozilla.org 2012-10-23 21:34:15 -04:00
Paul Wouters
b65d8a87f1 * Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
- update to r1.86
2012-10-23 16:04:09 -04:00
Joe Orton
bc18e50165 add openssl to BuildRequires 2012-07-23 12:49:30 +01:00
Joe Orton
df639e3f3e update to r1.85 2012-07-23 11:50:51 +01:00
Dennis Gilmore
816ae11fdb - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-18 13:30:37 -05:00
Joe Orton
1a704861b2 merge 2012-02-13 10:21:52 +00:00
Joe Orton
229976ab38 update to r1.81 2012-02-13 10:20:14 +00:00
Dennis Gilmore
8c27f267a8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild 2012-01-12 16:58:40 -06:00
Joe Orton
596824452e update to r1.80
fix handling of certs with dublicate Subject names (#733032)
2011-11-09 14:36:15 -08:00
Joe Orton
f098063f3d update to r1.78, removing trust from DigiNotar root (#734679) 2011-09-01 14:36:45 +01:00
Joe Orton
fbef64556c update to r1.75 2011-08-03 11:40:12 +01:00
Joe Orton
3f0275ff7a update to r1.74 2011-04-20 10:27:11 +01:00
Joe Orton
37d25f7154 update to r1.74 2011-04-20 10:12:55 +01:00
Dennis Gilmore
9ee01c7c25 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 00:15:48 -06:00
Joe Orton
bf4a1f1789 - update to r1.70 2011-01-12 13:51:15 +00:00
Joe Orton
96465e81bb - update to r1.65 2010-11-09 08:24:29 +00:00
jorton
c9fb114c90 - package /etc/ssl/certs symlink for third-party apps (#572725) 2010-04-07 14:51:30 +00:00
jorton
58bb64fcf4 - rebuild 2010-04-07 10:32:36 +00:00
jorton
b62ba6e474 - update to certdata.txt r1.63
- use upstream RCS version in Version
2010-04-07 09:40:17 +00:00
jorton
dc70b1f07b - fix ca-bundle.crt (#575111) 2010-03-19 14:00:29 +00:00
jorton
708646cc46 - update to certdata.txt r1.58
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE'
    format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
2010-03-18 12:23:55 +00:00
jorton
425940e355 - fix install 2010-01-15 20:48:32 +00:00
jorton
56a6866973 - fix Java cacert database generation: use Subject rather than Issuer for
alias name; add diagnostics; fix some alias names.
2010-01-15 20:22:01 +00:00
jorton
5f392b3f7e - adopt Python certdata.txt parsing script from Debian 2010-01-15 17:11:52 +00:00
Jesse Keating
0bfc15efe4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild 2009-07-24 18:34:22 +00:00
jorton
5406f40280 - update to certdata.txt r1.53 2009-07-22 14:33:22 +00:00
Jesse Keating
a42172d599 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild 2009-02-24 06:21:09 +00:00
jorton
e908127ac5 - update to certdata.txt r1.49 2008-10-14 09:14:38 +00:00
Thomas Fitzsimmons
180c47e3df - Change generate-cacerts.pl to produce pretty aliases. 2008-06-25 15:33:23 +00:00
jorton
866d688724 - package the symlink 2008-06-02 09:28:52 +00:00
jorton
65c3b04164 - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt 2008-06-02 09:22:02 +00:00
jorton
d01a981fd7 Import ca-certificates 2008-4. 2008-06-02 08:47:49 +00:00