4ed49b4dcb
This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856
35 lines
1.2 KiB
Plaintext
35 lines
1.2 KiB
Plaintext
# $FreeBSD$
|
|
|
|
This directory contains the scripts to update the TLS CA Root Certificates
|
|
that comprise the 'root trust store'.
|
|
|
|
The 'updatecerts' make target should be run periodically by secteam@
|
|
specifically when there is an important change to the list of trusted root
|
|
certificates included by Mozilla.
|
|
|
|
It will:
|
|
1) Remove the old trusted certificates (cleancerts)
|
|
2) Download the latest certdata.txt from Mozilla (fetchcerts)
|
|
3) Split certdata.txt into the individual .pem files (updatecerts)
|
|
|
|
Then the results should manually be inspected (svn status)
|
|
1) Any no-longer-trusted certificates should be moved to the
|
|
blacklisted directory (svn mv)
|
|
2) any newly added certificates will need to be added (svn add)
|
|
|
|
|
|
The following make targets exist:
|
|
|
|
cleancerts:
|
|
Delete the old certificates, run as a dependency of updatecerts.
|
|
|
|
fetchcerts:
|
|
Download the latest certdata.txt from the Mozilla NSS hg repo
|
|
See the changelog here:
|
|
https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
|
|
|
|
updatecerts:
|
|
Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
|
|
to generate the individual certificate files (.pem) and store them
|
|
in the trusted/ directory.
|