Runtime java cacerts generation
Matthias Klose
doko at ubuntu.com
Thu Apr 15 07:58:44 PDT 2010
On 15.04.2010 16:28, Michal Vyskocil wrote:
> Hi all,
>
> My brave colleague from the security team is working on a redesign of the certificates
> system in SUSE[1]. Because programs like Java require their own format, he wants to
> be able to generate the new file after installation. The current approach of
> calling keytool for each certificate file is very slow and unusable. Each run
> of keytool requires starting a whole JVM, which is not optimal for one small
> file.

You don't need to do it this way; have a look at the ca-certificates-java
package file in Ubuntu: the certificates available in the ca-certificates
package are pregenerated at build time, and just added at installation time.
Runtime is below 1 sec iirc for the installation.

A more interesting question would be the handling of private certificates; it
currently works in Ubuntu, but you have to store the keystore password on disk
for handling the cacerts file. It would be nice to be able to read more than one
keystore.

Matthias
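
One way to avoid the per-certificate JVM start discussed in this message, as an added example that is not part of the original mail and not code from the ca-certificates-java package: a single Java process reads every PEM certificate in a directory and writes one JKS keystore. The class name `BuildCacerts`, the three command-line arguments and the alias scheme are assumptions made for illustration.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;

// Hypothetical helper: builds a cacerts-style JKS from a directory of PEM files
// in one JVM run, instead of one keytool invocation per certificate.
public class BuildCacerts {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BuildCacerts <pem-dir> <out-keystore> <storepass>");
            System.exit(2);
        }
        Path pemDir = Paths.get(args[0]);
        Path out = Paths.get(args[1]).toAbsolutePath();
        char[] storePass = args[2].toCharArray(); // passed as an argument for brevity

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, storePass); // start from an empty keystore
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        int added = 0, skipped = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(pemDir, "*.{pem,crt}")) {
            for (Path file : files) {
                try (InputStream in = Files.newInputStream(file)) {
                    // A file may hold several certificates; alias each one uniquely.
                    int i = 0;
                    for (Certificate cert : cf.generateCertificates(in)) {
                        String alias = file.getFileName().toString().toLowerCase() + "#" + i++;
                        ks.setCertificateEntry(alias, cert);
                        added++;
                    }
                } catch (CertificateException e) {
                    // Skip unparsable input rather than abort the whole trust store build.
                    System.err.println("skipping " + file + ": " + e.getMessage());
                    skipped++;
                }
            }
        }
        // Write to a temp file in the target directory, then rename into place,
        // so a reader never opens a half-written keystore.
        Path tmp = Files.createTempFile(out.getParent(), "cacerts", ".tmp");
        try (OutputStream os = Files.newOutputStream(tmp)) {
            ks.store(os, storePass);
        }
        Files.move(tmp, out, StandardCopyOption.ATOMIC_MOVE);
        System.out.println("added=" + added + " skipped=" + skipped);
    }
}
```

The skipped count is worth checking in a package script: a trust store that silently drops certificates fails later as TLS handshake errors that are hard to trace back to installation time.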
More information about the distro-pkg-dev mailing list