freebsd-skq

History

Kyle Evans c3510c941c caroot: update CA bundle processor Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. MFC after: 3 days		2021-04-13 16:59:24 -05:00
..
blacklisted	caroot: routine cert update	2021-04-13 16:56:03 -05:00
trusted	caroot: routine cert update	2021-04-13 16:56:03 -05:00
MAca-bundle.pl	caroot: update CA bundle processor	2021-04-13 16:59:24 -05:00
Makefile	pkgbase: fix caroot packaging and add post-install script	2020-01-29 18:47:08 +00:00
Makefile.inc	pkgbase: fix caroot packaging and add post-install script	2020-01-29 18:47:08 +00:00
README

README

# $FreeBSD$

This directory contains the scripts to update the TLS CA Root Certificates
that comprise the 'root trust store'.

The 'updatecerts' make target should be run periodically by secteam@
specifically when there is an important change to the list of trusted root
certificates included by Mozilla.

It will:
	1) Remove the old trusted certificates (cleancerts)
	2) Download the latest certdata.txt from Mozilla (fetchcerts)
	3) Split certdata.txt into the individual .pem files (updatecerts)

Then the results should manually be inspected (svn status)
	1) Any no-longer-trusted certificates should be moved to the
	blacklisted directory (svn mv)
	2) any newly added certificates will need to be added (svn add)


The following make targets exist:

cleancerts:
	Delete the old certificates, run as a dependency of updatecerts.

fetchcerts:
	Download the latest certdata.txt from the Mozilla NSS hg repo
	See the changelog here:
		https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

updatecerts:
	Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
	to generate the individual certificate files (.pem) and store them
	in the trusted/ directory.