freebsd-nq/secure/caroot/README
Ceri Davies 64e6e1e463 secure/caroot, certctl: Rename secure/caroot/blacklisted
Old certctl commands still work for compatability, but are deprecated.

Approved by:	secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807
2021-06-18 13:38:07 +01:00

35 lines
1.2 KiB
Plaintext

# $FreeBSD$
This directory contains the scripts to update the TLS CA Root Certificates
that comprise the 'root trust store'.
The 'updatecerts' make target should be run periodically by secteam@
specifically when there is an important change to the list of trusted root
certificates included by Mozilla.
It will:
1) Remove the old trusted certificates (cleancerts)
2) Download the latest certdata.txt from Mozilla (fetchcerts)
3) Split certdata.txt into the individual .pem files (updatecerts)
Then the results should manually be inspected (svn status)
1) Any no-longer-trusted certificates should be moved to the
untrusted directory (git mv)
2) any newly added certificates will need to be added (git add)
The following make targets exist:
cleancerts:
Delete the old certificates, run as a dependency of updatecerts.
fetchcerts:
Download the latest certdata.txt from the Mozilla NSS hg repo
See the changelog here:
https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
updatecerts:
Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
to generate the individual certificate files (.pem) and store them
in the trusted/ directory.