ca-certificates/README.usr
Kai Engert d538ada99c * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
- Require the p11-kit package that contains tools to automatically create
  other file format bundles.
- Convert old file locations to symbolic links that point to dynamically
  generated files.
- Old files, which might have been locally modified, will be saved in backup
  files with .rpmsave extension.
- Added a update-ca-certificates script which can be used to regenerate
  the merged trusted output.
- Refer to the various README files that have been added for more detailed
  explanation of the new system.
- No longer require rsc for building.
- Add explanation for the future version numbering scheme,
  because the old numbering scheme was based on upstream using cvs,
  which is no longer true, and therefore can no longer be used.
- Includes changes from rhbz#873369.
2013-03-09 00:09:26 +01:00

28 lines
1.3 KiB
Plaintext

This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority, lower than the ones found in
/etc/pki/ca-trust/source.
You may install additional certificates or bundles into this directory.
Each file may contain one or many certificates and trust flags in a
PEM file format, as documented in the x509(1) manual page.
Allowed formats are:
- The BEGIN/END CERTIFICATE file format.
Such certificates will be trusted for TLS server auth, only.
- The BEGIN/END TRUSTED CERTIFICATE file format.
Such certificates will be trusted or distrusted according to the
trust settings contained in the PEM format data blocks.
Applications that are able to use PKCS#11 modules can dynamically use
the merged set of certificates from
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source
by loading p11-kit-trust.so
Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source
are modified, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted .