splitting ca_root_nss into component pem files
Dan Mahoney (Gushi)
freebsd at gushi.org
Fri Feb 12 08:42:26 UTC 2021
Allan (and all),
I notice FreeBSD now comes with certctl which knows how to split and
manage trusted SSL certs. FreeBSD 12.2 includes a /usr/share/ssl/certs
directory now (no mention of that in the release notes?) and a tool called
Certctl has (for some reason) been backported to 11.x, where there are no
individual certs provided by default, so I'm confused as to why this is.
ca_root_nss only provides a monolithic cert.
Some apps require a directory of hashes and symlinks. This is common,
especially when you want to trust your local CA as well as the netscape
ones. Additionally, some tools (like sendmail) seem to require the
Is there a tool (installed with base, or from ports) that will do this
splitting of ca_root_nss, to some standard directory? (certctl doesn't
Should this not be a standard thing in the pkg-message for ca_root_nss?
(This seems to be a tangly problem to google).
Note I solved this myself a few years back:
https://gushi.dreamwidth.org/1064679.html, but I'd like to have a "right"
But...this feels like something that should have a base tool AND be in the
handbook, since the *removal* of a cert from ca_root_nss will cause users
to still trust it -- a clean rebuild should be possible.
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
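The "directory of hashes and symlinks" layout described above, as an added example that is not part of the original post and not the ca_root_nss port's own tooling: a POSIX sh script that splits a monolithic PEM bundle into one file per certificate and then creates the OpenSSL subject-hash symlinks (HASH.0, HASH.1, ... on collision) that directory-based trust stores expect. It assumes the bundle sits at /usr/local/share/certs/ca-root-nss.crt (the path the ca_root_nss port installs to) and that an `openssl` binary is on the PATH; the output directory name is the caller's choice. Rebuilding into a fresh directory is what makes a removed CA actually disappear, which is the clean-rebuild property the post asks for.

```shell
#!/bin/sh
# Split a PEM bundle into per-certificate files and build OpenSSL hash symlinks.
# Added example; assumed bundle path and output directory are placeholders.

BUNDLE_DEFAULT=/usr/local/share/certs/ca-root-nss.crt   # assumed ca_root_nss path

# Write a constructed sample bundle (not real certificates) so the splitter
# can be tried offline; hash_links will skip these bodies since they are not
# parseable certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
## constructed sample, not a real CA bundle
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
some descriptive text between certificates, as real bundles have
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
EOF
}

# split_bundle BUNDLE OUTDIR
# Copies each BEGIN/END CERTIFICATE block into OUTDIR/cert-NNN.pem, ignoring
# any comment text between blocks. Prints the number of certificates written.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%03d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ {
            inside = 0
            close(out)          # keep the open-file count low for large bundles
        }
        END { print n + 0 }
    ' "$bundle"
}

# hash_links DIR
# Removes any existing symlinks in DIR, then for each .pem creates the
# <subject-hash>.<n> symlink OpenSSL looks up, incrementing n on collisions
# (the same scheme c_rehash / openssl rehash use). Unparseable files are skipped.
hash_links() {
    dir=$1
    find "$dir" -maxdepth 1 -type l -exec rm -f {} +
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) || {
            echo "skipping $f: not a parseable certificate" >&2
            continue
        }
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# Usage when run as a script:  sh split-ca.sh [BUNDLE] OUTDIR
# Defines functions only when sourced or run without arguments.
if [ "$#" -eq 2 ]; then
    count=$(split_bundle "$1" "$2") && hash_links "$2" && echo "wrote $count certificates to $2"
elif [ "$#" -eq 1 ]; then
    count=$(split_bundle "$BUNDLE_DEFAULT" "$1") && hash_links "$1" && echo "wrote $count certificates to $1"
fi
```

Point the application at the output directory (for OpenSSL-based tools that is the CApath setting) and re-run the script after every ca_root_nss update so that certificates dropped from the bundle also drop out of the directory.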