p11-kit trust module on Debian and OpenSUSE

Stef Walter stef at thewalter.net
Fri Jun 7 08:31:26 PDT 2013


Hey guys,

I've been working to make p11-kit work with the update-ca-certificates
script on OpenSUSE and Debian. I think they're pretty much the same, so
I hope referring to them together is okay.

Goals:

 * p11-kit trust module allows NSS, GnuTLS, OpenSSL and Java to share
   the same trust source.
 * Right now NSS and GnuTLS load certificate anchors directly from
   the module. NSS even loads blacklists and so on.
 * Have distros use a common method for adding/removing CA
   certificates and having them used by all crypto libraries (by default
   at least). Eventually share much more trust information, tools, APIs.

So to summarize, Debian and OpenSUSE use update-ca-certificates which
reads ca-certificates.conf if it exists. This file is a way of denoting
which CA certificates in /usr/share/ca-certificates are
whitelisted/blacklisted. If it doesn't exist then everything in
/usr/share/ca-certificates is used.

I'd like to help replace much of update-ca-certificates with the p11-kit
trust module, and extract tools. But because ca-certificates.conf is
widely used, there's the need to continue to support that.

I'm working on code in the p11-kit trust module to support the
ca-certificates.conf format, and some of the semantics of update-ca-certificates.

Here's how I currently imagine things, but wanted to ask you guys for
help to see where I've missed things or flaws.

 * p11-kit is configured with:

--with-trust-paths=/usr/local/share/ca-certificates:/etc/ca-certificates.conf

 * p11-kit trust module sees that it's a ca-certificates.conf, and
   processes it according to update-ca-certificates.8

 * /usr/local/share/ca-certificates treated as a normal source of
   anchors if it exists.

 * update-ca-certificates is changed to basically do:
   p11-kit extract --format=pem-bundle --purpose=server-auth \
      --filter=ca-anchors --overwrite /etc/ssl/ca-bundle.pem
   p11-kit extract --format=openssl-directory --purpose=server-auth \
      --filter=ca-anchors --overwrite /etc/ssl/certs
   ... and then run hooks ...

 * Use alternatives to replace libnssckbi.so with p11-kit-trust.so
   as we did on Fedora.

Advantages:

 * NSS apps immediately start using the Debian/OpenSUSE CA system.
 * Drop-in compatible with what exists in Debian/OpenSUSE right now.

BTW, in p11-kit 0.19.x I want to finish tools/API for adding/removing CA
certificates so hopefully that'll be another advantage.

How does this look? I hope I haven't been thoroughly confusing. Will
post updates, patches to this thread.

Cheers,

Stef

-- 

stef at thewalter.net
http://stef.thewalter.net
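The whitelist/blacklist selection that ca-certificates.conf expresses, and the "missing file means everything is used" rule from the message above, modelled as an added example (not p11-kit or update-ca-certificates code). The line syntax follows update-ca-certificates(8); the treatment of a path that is both listed and deselected, and the sample certificate data, are assumptions of this example.

```python
"""Model of ca-certificates.conf selection semantics (added example).

Syntax per update-ca-certificates(8): one path relative to the store per
line, '#' starts a comment, a leading '!' deselects that certificate.
If the conf file does not exist, everything in the store is trusted.
"""
from typing import Dict, Iterable, List, Optional

CERT_STORE = "/usr/share/ca-certificates"  # store root the paths are relative to


def parse_conf(conf_text: Optional[str], available: Iterable[str]) -> List[str]:
    """Return the relative paths that end up trusted, in conf order.

    conf_text: contents of ca-certificates.conf, or None if the file is absent.
    available: every certificate present under CERT_STORE (relative paths).
    """
    available = list(available)
    if conf_text is None:
        return available                      # no conf file: use everything
    selected, deselected = [], set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if line.startswith("!"):
            deselected.add(line[1:].strip())  # explicit blacklist entry
            continue
        selected.append(line)
    present = set(available)
    # Assumption of this model: an explicit '!' wins over a plain listing,
    # and a listed path that is not on disk is skipped (nothing to load).
    return [p for p in selected if p not in deselected and p in present]


def build_bundle(selected: List[str], pem_by_path: Dict[str, str]) -> str:
    """Concatenate trusted certs into one PEM bundle, the shape
    `p11-kit extract --format=pem-bundle` writes to /etc/ssl/ca-bundle.pem."""
    return "".join(pem_by_path[p] for p in selected)


if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    pems = {
        "mozilla/Good_Root.crt": "-----BEGIN CERTIFICATE-----\nGOOD\n-----END CERTIFICATE-----\n",
        "mozilla/Bad_Root.crt": "-----BEGIN CERTIFICATE-----\nBAD\n-----END CERTIFICATE-----\n",
        "local/Corp_CA.crt": "-----BEGIN CERTIFICATE-----\nCORP\n-----END CERTIFICATE-----\n",
    }
    conf = "# generated\nmozilla/Good_Root.crt\n!mozilla/Bad_Root.crt\nlocal/Corp_CA.crt\n"
    trusted = parse_conf(conf, pems)
    print(trusted)  # ['mozilla/Good_Root.crt', 'local/Corp_CA.crt']
    print(build_bundle(trusted, pems))
```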
