[systemd-devel] certificate and trust store feature for systemd

Barry Scott barry at barrys-emacs.org
Wed May 25 18:29:36 UTC 2022



> On 25 May 2022, at 19:22, SCOTT FIELDS <Scott.Fields at kyndryl.com> wrote:
> 
> If you’re referring to files in /etc/pki, that’s not a management API, like CAPI or CNG provides in Windows (and a like API in OSX).

There are tools that you run that manage the files. Sorry I do not have the details in front of me.
The tools are the API at least for trust store from what I recall when I set it up.

>  
> There’s a keychain solution in Gnome (GNOME/Keyring) but not widely adopted that I’ve seen.

I use KDE and kwallet is used in most apps I use. If there is an app in Gnome that is not using the keyring,
then that's a problem with the app surely, not the API?

>  
> This just seems a good match to have available within systemd

I do not speak for systemd, just curious about why you think this is needed.

Barry


>  
> From: Barry Scott <barry at barrys-emacs.org <mailto:barry at barrys-emacs.org>> 
> Sent: Wednesday, May 25, 2022 1:16 PM
> To: SCOTT FIELDS <Scott.Fields at kyndryl.com <mailto:Scott.Fields at kyndryl.com>>
> Cc: systemd-devel at lists.freedesktop.org <mailto:systemd-devel at lists.freedesktop.org>
> Subject: [EXTERNAL] Re: [systemd-devel] certificate and trust store feature for systemd
>  
> On 25 May 2022, at 14:06, SCOTT FIELDS <Scott.Fields at kyndryl.com <mailto:Scott.Fields at kyndryl.com>> wrote:
>  
> I apologize for the very general inquiry.
>  
> Are there any plans to have systemd natively support its own trust store for items like CAs, x509 certs, passwords & truststores akin to the keychain in Windows and OS X?
>  
> But these are solved problems on modern Linux systems aren't they?
>  
> At least with RHEL and Fedora they have trust store and keychains.
> 
> 
>  
> I still find the management of PKIs in /etc/pki to be problematic.
>  
> For my home network I have my own DNS domain and CA setup. It was easy to add the CA to
> Fedora's trust store.
> 
> 
>  
> Having this available as a core service within systemd using like APIs either in (mostly deprecated) CAPI or the new CNG
>  
> Barry
> 
> 
>  
>  
> Scott Fields
> IBM/Kyndryl
> SRE – BNSF
> 817-593-5038 (BNSF)
> scott.fields at kyndryl.com <mailto:scott.fields at kyndryl.com>
> scott.fields at bnsf.com <mailto:scott.fields at bnsf.com>
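As an added example (not code from this thread, nor from systemd), here is the Fedora/RHEL procedure Barry alludes to when he says it was easy to add his home CA: the store under /etc/pki is p11-kit based, and the "tools that manage the files" are update-ca-trust and friends from the ca-certificates package. The paths are that package's; the script name and the install subcommand are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: install a private CA into the Fedora/RHEL
# system trust store. Anchors dropped into /etc/pki/ca-trust/source/anchors are
# merged by update-ca-trust into the bundles that OpenSSL, GnuTLS and NSS read.
# Assumes the ca-certificates package (update-ca-trust) and openssl are present.
set -eu

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Sanity check before touching the system store: the file must carry a PEM
# certificate and must not contain a private key (a common copy/paste mistake).
pem_is_certificate() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q -e 'PRIVATE KEY' "$1"
}

# Destination inside the anchors directory: source basename with a .pem suffix.
anchor_path() {
    name=$(basename "$1")
    printf '%s/%s.pem\n' "$ANCHOR_DIR" "${name%.*}"
}

# Copy the CA into place, regenerate the consolidated bundles, and confirm the
# result: a self-signed CA verifies against the bundle only if it is now trusted.
install_anchor() {
    ca=$1
    pem_is_certificate "$ca" || { echo "refusing: $ca is not a PEM certificate" >&2; return 1; }
    install -m 0644 "$ca" "$(anchor_path "$ca")"
    update-ca-trust extract
    openssl verify -CAfile "$BUNDLE" "$ca"
}

# Usage (needs root): sudo ./add-ca.sh install /path/to/home-ca.crt
case "${1:-}" in
    install) install_anchor "${2:?usage: $0 install CA.pem}" ;;
esac
```

Removing the anchor later is the same in reverse: delete the file from the anchors directory and run update-ca-trust extract again.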