p11-kit trust module on Debian and OpenSUSE

Ludwig Nussel ludwig.nussel at suse.de
Wed Jun 12 04:51:13 PDT 2013


Stef Walter wrote:
> So to summarize Debian and OpenSUSE use update-ca-certificates which
> reads ca-certificates.conf if it exists. This file is a way of denoting
> which CA certificates in /usr/share/ca-certificates are
> whitelisted/blacklisted. If it doesn't exist then everything in
> /usr/share/ca-certificates is used.

Note that IIRC Debian semantics of ca-certificates.conf are slightly
different. All certificates need to be listed in there to be considered
by update-ca-certificates. This is a problem for distribution packages
because you cannot really know whether an entry is missing because the
admin took it out or because an old version of the package didn't
contain the certificate. So for openSUSE I decided to not use this
whitelist approach but instead only use the blacklist feature.

> I'd like to help replace much of update-ca-certificates with the p11-kit
> trust module, and extract tools. But because ca-certificates.conf is
> widely used, there's the need to continue to support that.

What is the native way to blacklist stuff in p11-kit? Maybe it's
possible to do a one-shot conversion of ca-certificates.conf in some
%post script?

cu
Ludwig

-- 
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
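Added example, not part of this thread and not code from update-ca-certificates or p11-kit: a POSIX shell script that reads a Debian-style ca-certificates.conf under the semantics described above (one path per line relative to /usr/share/ca-certificates, a leading "!" deselects that certificate, "#" lines and blank lines are ignored; stripping surrounding whitespace is an assumption) and reports three sets: explicitly selected, explicitly blacklisted, and shipped certificates the file does not mention at all. The third set is the ambiguous case Ludwig raises, which a one-shot %post conversion would have to decide on; how the blacklist set is then fed into p11-kit is left open here, as it is in the thread. All function names and sample data are constructed for this illustration.

```shell
#!/bin/sh
# Example (not from the thread): classify a Debian-style ca-certificates.conf.
# Assumed format: one path per line, relative to /usr/share/ca-certificates;
# a leading "!" deselects the certificate; "#" and blank lines are ignored.
# Trimming surrounding whitespace is an assumption made here.

# Normalise a configuration file: trim spaces, drop comments and blank lines.
conf_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# Certificates the admin explicitly blacklisted (the "!" prefix is stripped).
# This is the set a %post conversion could hand to a native p11-kit mechanism.
blacklisted_entries() {
    conf_lines "$1" | awk '/^!/ { sub(/^!/, ""); print }'
}

# Certificates explicitly selected (listed without "!").
selected_entries() {
    conf_lines "$1" | awk '!/^!/'
}

# Shipped certificates ($2: one relative path per line) that the configuration
# neither selects nor blacklists. Under the Debian semantics these are not
# trusted, and the file alone cannot say whether the admin removed the entry
# or an older package simply never listed the certificate.
unlisted_entries() {
    pat=$(mktemp)
    conf_lines "$1" | sed 's/^!//' | sort -u > "$pat"
    sort -u "$2" | grep -v -x -F -f "$pat" || true
    rm -f "$pat"
}

# Write constructed sample data into directory $1 (not a real distribution
# file): a configuration and the list of certificates a package ships.
write_sample_data() {
    cat > "$1/ca-certificates.conf" <<'EOF'
# constructed sample ca-certificates.conf
mozilla/Example_Root_CA.crt
!mozilla/Distrusted_Example_CA.crt
mozilla/Another_Root_CA.crt
!mozilla/Also_Distrusted_CA.crt
EOF
    printf '%s\n' \
        mozilla/Example_Root_CA.crt \
        mozilla/Distrusted_Example_CA.crt \
        mozilla/Another_Root_CA.crt \
        mozilla/Also_Distrusted_CA.crt \
        mozilla/New_In_This_Package_CA.crt > "$1/shipped.list"
}

# Run the three reports over the sample data.
demo() {
    dir=$(mktemp -d)
    write_sample_data "$dir"
    echo "selected:";    selected_entries "$dir/ca-certificates.conf"
    echo "blacklisted:"; blacklisted_entries "$dir/ca-certificates.conf"
    echo "unlisted:";    unlisted_entries "$dir/ca-certificates.conf" "$dir/shipped.list"
    rm -rf "$dir"
}

demo
```

On a real system the second argument to unlisted_entries would be generated from the package's file list (for example a `find /usr/share/ca-certificates -name '*.crt'` with the prefix stripped); the script deliberately stops at reporting the sets rather than deciding what an unlisted entry means, since that decision is exactly the open question in the thread.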
