[Bug 284749] certctl: add support for generating cert.pem CAfiles
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 284749] certctl: add support for generating cert.pem CAfiles"
Date: Wed, 12 Feb 2025 16:04:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #2 from Mel Pilgrim <ports.maintainer@evilphi.com> ---
(In reply to Michael Osipov from comment #1)
Re: OPENSSLDIR
I agree, OpenSSL should. And until it does and the unknown number of ports
stop looking for only /usr/local/openssl/cert.pem (like in that rustsec blocker
for 284404), ${LOCALBASE}/openssl will have to exist. Remember, this is about
being compatible with ca_root_nss while unbreaking what it breaks.
Re: "ca_root_nss-style"
Fixed by way of those commands no longer existing because of...
Re: commands vs rehash flags
That's an easy enough change. Revised patch to follow. It does mean that
do_scan runs more than necessary, and that the create and delete flags now have
a last-flag-wins race. But:
- `certctl createbundles` is now `certctl -b rehash`
- `certctl deletebundles` is now `certctl -B rehash`
Re: env var to force generation
I'm a bit unsure what you're asking for. Are you asking for an env var that
makes `certctl rehash` act as if the command was `certctl -b rehash`? If so,
should it be `certctl -b rehash` or `certctl -be rehash` (i.e., should the env
var always create /etc/ssl/cert.pem as well)?
Re: open ports must be reviewed
I agree, but I would like to keep that discussion in the ca_root_nss PR.
Re: CAfile + CApath dubiousness
I agree that having both is a bit nonsensical, but OpenSSL gave us two options
and the world said "yes both at once thank you". That is, if there's a
performance penalty with having both, it's going to happen whether certctl
generates them or ca_root_nss installs them.
--
You are receiving this mail because:
You are the assignee for the bug.
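The comment above is about certctl growing a `-b` flag that builds a single CAfile (`cert.pem`) out of the hashed CApath directory. The script below is an added illustration of what such a bundle step has to get right, not certctl's own code or the patch under discussion. It assumes a CApath layout of PEM files and hash-named symlinks pointing at them (so the same certificate is reachable more than once), uses `cksum` purely as a demo dedupe key rather than a cryptographic one, and writes the bundle to a temporary file that is renamed into place so readers never see a half-written `cert.pem`. Function and variable names are my own.

```shell
#!/bin/sh
# Added example (not certctl's code): build one CAfile bundle from a CApath
# directory, the way a "-b" style rehash would have to.
# Assumptions (mine, not from the bug): the CApath holds PEM files and/or
# hash-named symlinks to them; cksum(1) is a demo dedupe key only.

# pem_blocks FILE: print every CERTIFICATE block in FILE, nothing else.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {p=0}' "$1"
}

# build_cafile CAPATH OUT: concatenate the unique certificate blocks found
# under CAPATH into OUT. Symlinks are followed, so a hash link and its target
# would otherwise land in the bundle twice; the seen-list prevents that.
# OUT should live outside CAPATH so the temp file is not itself scanned.
build_cafile() {
    capath=$1
    out=$2
    tmp="$out.tmp.$$"
    seen=" "
    : > "$tmp"
    for f in "$capath"/*; do
        [ -f "$f" ] || continue            # skips directories and dangling links
        pem_blocks "$f" > "$tmp.blk"
        if [ ! -s "$tmp.blk" ]; then       # README, .0 hash files of junk, etc.
            rm -f "$tmp.blk"
            continue
        fi
        key=$(cksum < "$tmp.blk" | cut -d' ' -f1,2)
        case "$seen" in
            *" $key "*) ;;                 # same cert reached via another name
            *) cat "$tmp.blk" >> "$tmp"; seen="$seen$key " ;;
        esac
        rm -f "$tmp.blk"
    done
    mv "$tmp" "$out"                       # atomic replace of the bundle
}

# count_certs FILE: number of certificate blocks in a bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}
```

Usage: `build_cafile /etc/ssl/certs /etc/ssl/cert.pem` then `count_certs /etc/ssl/cert.pem`; the count should match the number of distinct trusted certificates, not the number of directory entries. The dedupe step is the part worth keeping in mind whenever a bundle is derived from a CApath: the hash symlinks that make CApath lookups work are exactly what produce duplicate entries in a naive `cat *.pem > cert.pem`.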