[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ca-certificates symlinks out of /etc

martin f krafft wrote:
> also sprach Joey Schulze <joey@infodrom.org> [2006.11.04.1252 +0100]:
> > Hmm.  Why are the certificates in /etc/ssl/certs/cacert.pem used but
> > not those from /etc/ssl/certs/cacert-class3.pem?
> 
> Because I had to disable the use of CAdir and use CAfile instead,
> due to performance issues:
> 
>   http://people.debian.org/~terpstra/message/20061031.173956.0bfc5029.en.html

Hmm, why don't you use a CAfile which is not provided by the
package but one that is created by you on your own and which only
incorporates the certificates you want to accept?  That way you
won't interfer with packaging.

Does enabling with debconf only those certificates you want to accept
not help as well?

> > There was a debconf question in which you could configure which
> > certificates you want to accept.  Maybe you could accept the
> > cacert-class3 certificate as well?
> 
> cacert-class3 is locally added. See #350282.

Hmm.  When using the directory it should be sufficient to add the
missing hash link in /etc/ssl/certs?

openssl x509 -hash -noout -in cacert-class3.pem will calculate it.
Don't forget to add ".0" to the calculated name.

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.
Reply to: