author | Britney Fransen <brfransen@gmail.com> | 2019-02-02 20:59:22 (GMT) |
---|---|---|
committer | Britney Fransen <brfransen@gmail.com> | 2019-02-02 20:59:22 (GMT) |
commit | 06fe052876ddd26f25899f550dc228e2bf3d8258 (patch) | |
tree | 1ca5152f2f5ca0c2aef7b4db72dd19f7eaf180c3 /abs/core/ca-certificates/update-ca-trust.8.txt | |
parent | f250d8aef839be694ce362e5d5d1407b994ff7e5 (diff) | |
ca-certificates: update to 20181109
Diffstat (limited to 'abs/core/ca-certificates/update-ca-trust.8.txt')
-rw-r--r-- | abs/core/ca-certificates/update-ca-trust.8.txt | 75 |
1 files changed, 48 insertions, 27 deletions
diff --git a/abs/core/ca-certificates/update-ca-trust.8.txt b/abs/core/ca-certificates/update-ca-trust.8.txt index 67e2ba3..ba9c830 100644 --- a/abs/core/ca-certificates/update-ca-trust.8.txt +++ b/abs/core/ca-certificates/update-ca-trust.8.txt @@ -74,11 +74,11 @@ will be scanned for any number of source files. *It is important to select the correct subdirectory for adding files, as the subdirectory defines how contained certificates will be trusted or distrusted, and which file formats are read.* -Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and +Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a *low priority*. -Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and +Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a *high priority*. @@ -144,7 +144,7 @@ BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats. Applications that rely on a static file for a list of trusted CAs may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted -directory. After modifying any file in the +directories. After modifying any file in the /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ directories or in any of their subdirectories, or after adding a file, it is necessary to run the 'update-ca-trust extract' command, 
@@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the [[extractconf]] EXTRACTED CONFIGURATION ----------------------- -The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate +The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> by running the 'update-ca-trust extract' command. @@ -189,8 +189,13 @@ and distrusted certificates are missing from these files. File cacerts contains CA certificates trusted for TLS server authentication. The directory /etc/ca-certificates/extracted contains +a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, +as described in the x509(1) manual page. +File ca-bundle.trust.crt contains the full set of all trusted +or distrusted certificates, including the associated trust flags. +It also contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, -as decribed in the x509(1) manual page. +as described in the x509(1) manual page. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files. File tls-ca-bundle.pem contains CA certificates 
@@ -199,10 +204,14 @@ File email-ca-bundle.pem contains CA certificates trusted for E-Mail protection. File objsign-ca-bundle.pem contains CA certificates trusted for code signing. -File ca-bundle.trust.crt contains certificates in the extended -BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page. -This bundle contains the full set of all trusted -and distrusted certificates, including the associated trust flags. +It also contains a CA +certificate bundle ("edk2-cacerts.bin") in the "sequence of +EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification, +sections "31.4.1 Signature Database" and +"EFI_CERT_X509_GUID". Distrust information cannot be represented in +this file format, and distrusted certificates are missing from these +files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS +server authentication. COMMANDS 
@@ -215,11 +224,27 @@ COMMANDS *extract*:: Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce updated versions of the consolidated configuration files stored below - the /etc/ssl/certs and /etc/ca-certificates/extracted directory - hierarchies. + the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies. FILES ----- +/etc/ssl/certs:: + Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + Also includes the necessary hash symlinks expected by OpenSSL. + These files are symbolic links that are maintained by the update-ca-trust command. + +/etc/ssl/certs/ca-certificates.crt:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/cert.pem:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/java/cacerts:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. + /usr/share/ca-certificates/trust-source:: Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories. 
@@ -232,32 +257,28 @@ FILES See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. /etc/ca-certificates/extracted/tls-ca-bundle.pem:: - Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/email-ca-bundle.pem:: - Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/objsign-ca-bundle.pem:: - Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/ca-bundle.trust.crt:: - Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + This file is consolidated output created by the update-ca-trust command. 
/etc/ca-certificates/extracted/cadir:: Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. - Also includes the necessary hash symlinks expected by OpenSSL. - -/etc/ssl/certs:: - Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command. + Also includes the necessary hash symlinks expected by OpenSSL. + These files are maintained by the update-ca-trust command. -/etc/ssl/certs/ca-certificates.crt:: - Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. - -/etc/ssl/cert.pem:: - Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. - -/etc/ssl/java/cacerts:: - Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. +/etc/ca-certificates/extracted/edk2-cacerts.bin:: + File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information. This file is consolidated output created by the update-ca-trust command. AUTHOR |
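Review bot: The pronoun in the added line "It also contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format," (hunk @@ -189,8 +189,13 @@) is ambiguous. It now follows "File ca-bundle.trust.crt contains the full set of all trusted or distrusted certificates", so "It" reads as that file rather than the directory /etc/ca-certificates/extracted. Suggest "The directory also contains CA certificate bundle files ...". The same hunk turns the earlier "trusted and distrusted" wording (removed in the following hunk) into "trusted or distrusted"; if the bundle carries both sets, "and" is the clearer word.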
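Review bot: "distrusted certificates are missing from these files" in the added edk2-cacerts.bin paragraph (hunk @@ -199,10 +204,14 @@) uses the plural although the paragraph introduces a single bundle; suggest "missing from this file". The opening "It also contains a CA certificate bundle" follows the objsign-ca-bundle.pem sentence, so the antecedent is unclear here too and naming the directory would fix it. The file name is written in double quotes in this paragraph while tls-ca-bundle.pem, email-ca-bundle.pem and objsign-ca-bundle.pem are unquoted; pick one style.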
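Review bot: The entries for /etc/ssl/certs, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem added under FILES (hunk @@ -215,11 +224,27 @@) no longer name their symlink targets. The lines removed further down said "a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem" and "contains symlinks into /etc/ca-certificates/extracted/cadir"; the replacement text only says the link "refers to the consolidated output created by the update-ca-trust command". Suggest keeping the explicit target path in each entry, so that an administrator checking the trust store can confirm where each link is expected to point.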
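Review bot: The new /etc/ca-certificates/extracted/edk2-cacerts.bin entry (hunk @@ -232,32 +257,28 @@) calls the format "the UEFI signature database format", while the EXTRACTED CONFIGURATION section added by this patch calls it the "sequence of EFI_SIGNATURE_LISTs" format. Suggest using one name in both places, or pointing the FILES entry at <<extractconf,EXTRACTED CONFIGURATION>> the way the trust-source entries do. In the same entry the sentence "This file is consolidated output created by the update-ca-trust command." sits on the same line as the description, whereas the tls-ca-bundle.pem, email-ca-bundle.pem, objsign-ca-bundle.pem and ca-bundle.trust.crt entries put it on its own line.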