
Bug#926388: let Firefox trust /etc/ssl/certs/ca-certificates.crt



Hi Wolfgang,

On Thu 04 Apr 2019 14:19:31 CEST, Wolfgang Schweer wrote:

Moin Mike,

On Thu, Apr 04, 2019 at 10:31:54AM +0000, Mike Gabriel wrote:
to debian-edu-config's file
etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt

While this was valid for Stretch, in Buster /etc/skel isn't used
anymore. Certificate related configuration is done in gosa-create.
(Works for Firefox-ESR, Thunderbird, Konqueror and Chromium).

See also:
https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release
for SSL/TLS related changes.

There's also a tool (share/debian-edu-config/tools/update-cert-dbs)
which will be called upon upgrades from Stretch to configure this for
existing user accounts.

Wolfgang

While the above-named approach and scripts are good for handling the DebianEdu root-CA, they cannot be used for site-specific adaptations.

Of course, I could have copied and adapted update-cert-dbs to my purpose, but for generic CA rollouts, I find the pkcs11.txt approach much more elegant.

Btw, for Chrome/Chromium, pkcs11.txt as given above in the bug report needs to be placed into ~/.pki/nssdb/pkcs11.txt.

I needed this as I set up an e2guardian with SSL MitM and https deep package introspection (I know, this can be seen as "URGH..."). I also had a user-specific import script, but that did not scale well with many users on site. Handling this via pkcs11.txt and the trust pki module came in much smarter.

Feel free to keep this bug open for bullseye, so we can re-discuss this approach or close it. (In IT-Zukunft Schule, we will use it).

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
