p11-kit trust module on Debian and OpenSUSE

Stef Walter stef at thewalter.net
Wed Jun 12 11:41:57 PDT 2013

On 12.06.2013 13:51, Ludwig Nussel wrote:
> Stef Walter wrote:
>> So to summarize Debian and OpenSUSE use update-ca-certificates which
>> reads ca-certificates.conf if it exists. This file is a way of denoting
>> which CA certificates in /usr/share/ca-certificates are
>> whitelisted/blacklisted. If it doesn't exist then everything in
>> /usr/share/ca-certificates is used.
> Note that IIRC Debian semantics of ca-certificates.conf are slightly
> different. All certificates need to be listed in there to be considered
> by update-ca-certificates. This is a problem for distribution packages
> because you cannot really know whether an entry is missing because the
> admin took it out or because an old version of the package didn't
> contain the certificate. So for openSUSE I decided to not use this
> whitelist approach but instead only use the blacklist feature.
>> I'd like to help replace much of update-ca-certificates with the p11-kit
>> trust module, and extract tools. But because ca-certificates.conf is
>> widely used, there's the need to continue to support that.
> What is the native way to blacklist stuff in p11-kit? 

p11-kit-trust module loads from directories specified in
--with-trust-paths during ./configure. For example, one might have:

/usr/share/pki/trust (for files installed by rpms)
/etc/pki/trust (for files added by admins)

Each directory can have a blacklist subdirectory. Certificates placed in
that subdirectory are automatically added to the blacklist.

More details:


> Maybe it's
> possible to do a one-shot conversion of ca-certificates.conf in some
> %post script?


I had imagined that ca-certificates.conf was a cross distro standard,
and so was willing to support it directly in p11-kit. But if it is
fragmented, then it does make more sense to move away from it.

So the %post script would look for any certificates blacklisted, and
move them into the appropriate /etc/pki/trust/blacklist/ subdirectory.
In addition it would move stuff from /usr/share/local/ca-certificates
into /etc/pki/trust/anchors/




stef at thewalter.net
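
The one-shot conversion discussed in this message could look like the following sketch, which is an added example and not code from p11-kit or from either distribution. It assumes the Debian-style convention that a leading "!" in ca-certificates.conf marks a deselected certificate; the function name migrate_ca_conf is hypothetical, all four paths are passed as arguments, and blacklisted files are copied rather than moved so that the package-owned originals stay in place.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of p11-kit).
# Usage: migrate_ca_conf CONF CERT_DIR LOCAL_DIR TRUST_DIR
#   CONF       ca-certificates.conf to read
#   CERT_DIR   directory the conf entries are relative to
#   LOCAL_DIR  directory holding admin-added *.crt files
#   TRUST_DIR  p11-kit trust directory (gets blacklist/ and anchors/)
migrate_ca_conf() {
    conf=$1 certdir=$2 localdir=$3 trustdir=$4
    mkdir -p "$trustdir/blacklist" "$trustdir/anchors" || return 1

    if [ -f "$conf" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                '!'*) rel=${line#"!"} ;;  # assumed: "!" = deselected entry
                *) continue ;;            # comments, blanks, selected entries
            esac
            # Refuse absolute paths and anything containing "..", so a conf
            # entry cannot make this script read outside CERT_DIR.
            case $rel in
                ''|/*|*..*) echo "skipping entry: $rel" >&2; continue ;;
            esac
            src=$certdir/$rel
            [ -f "$src" ] || continue     # entry for a cert no longer shipped
            # Flatten a/b.crt to a_b.crt so equal basenames do not collide.
            dest=$trustdir/blacklist/$(printf '%s' "$rel" | tr '/' '_')
            cp -p "$src" "$dest" || return 1
        done < "$conf"
    fi

    # Admin-added certificates become trust anchors.
    if [ -d "$localdir" ]; then
        find "$localdir" -type f -name '*.crt' | while IFS= read -r f; do
            mv "$f" "$trustdir/anchors/"
        done
    fi
}
```

Certificates that stay selected in the conf file are left alone, because only the admin's distrust decisions and local additions need to be carried over.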