d538ada99c
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
- Require the p11-kit package that contains tools to automatically create other file format bundles.
- Convert old file locations to symbolic links that point to dynamically generated files.
- Old files, which might have been locally modified, will be saved in backup files with .rpmsave extension.
- Added an update-ca-certificates script which can be used to regenerate the merged trusted output.
- Refer to the various README files that have been added for more detailed explanation of the new system.
- No longer require rsc for building.
- Add explanation for the future version numbering scheme, because the old numbering scheme was based on upstream using cvs, which is no longer true, and therefore can no longer be used.
- Includes changes from rhbz#873369.
14 lines
751 B
Bash
#!/bin/sh

#set -vx

DEST=/etc/pki/ca-trust/extracted

# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
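A post-run check for the files the script above writes, as an added example that is not part of the ca-certificates package: it flags an empty, truncated or wrongly typed bundle before TLS clients start failing on it. It assumes the openssl-bundle output holds only BEGIN TRUSTED CERTIFICATE blocks and the pem-bundle outputs hold plain BEGIN CERTIFICATE blocks; all helper names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the ca-certificates package. The helper names
# (check_bundle, audit_extracted, sample_pem, make_sample) are hypothetical.

# check_bundle FILE LABEL: FILE must be readable and non-empty, hold at least one
# "BEGIN LABEL" block, no PEM block of another type, and as many END lines.
check_bundle() {
    file=$1; label=$2
    [ -r "$file" ] && [ -s "$file" ] || { echo "FAIL $file: missing, unreadable or empty" >&2; return 1; }
    begin=$(grep -c -- "^-----BEGIN $label-----\$" "$file" || true)
    end=$(grep -c -- "^-----END $label-----\$" "$file" || true)
    any=$(grep -c -- '^-----BEGIN ' "$file" || true)
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ] || [ "$any" -ne "$begin" ]; then
        echo "FAIL $file: $begin '$label' blocks, $end END lines, $any blocks total" >&2
        return 1
    fi
    echo "OK   $file: $begin certificates"
}

# audit_extracted DEST: check every file the extract script writes under DEST.
audit_extracted() {
    dest=$1; rc=0
    check_bundle "$dest/openssl/ca-bundle.trust.crt" "TRUSTED CERTIFICATE" || rc=1
    for name in tls email objsign; do
        check_bundle "$dest/pem/${name}-ca-bundle.pem" "CERTIFICATE" || rc=1
    done
    # java/cacerts is a binary keystore, so only confirm that it was written.
    [ -s "$dest/java/cacerts" ] || { echo "FAIL $dest/java/cacerts: missing or empty" >&2; rc=1; }
    return "$rc"
}

# Constructed sample data: placeholder base64, not real certificates.
sample_pem() { printf -- '-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n' "$1" "$1"; }
make_sample() {
    d=$1; mkdir -p "$d/openssl" "$d/pem" "$d/java"
    sample_pem "TRUSTED CERTIFICATE" > "$d/openssl/ca-bundle.trust.crt"
    for name in tls email objsign; do sample_pem "CERTIFICATE" > "$d/pem/${name}-ca-bundle.pem"; done
    printf 'constructed' > "$d/java/cacerts"
}

# With no argument, audit a constructed sample tree; otherwise audit the given directory.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d) && make_sample "$tmp" && audit_extracted "$tmp"; rm -rf "$tmp"
else
    audit_extracted "$1"
fi
```

Run it with the script's `DEST` directory as the only argument to audit a real system.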