Runtime java cacerts generation
Ludwig Nussel
ludwig.nussel at suse.de
Thu Apr 15 08:52:20 PDT 2010
Matthias Klose wrote:
> On 15.04.2010 16:28, Michal Vyskocil wrote:
> > my brave colleague from the security team is working on a redesign of the
> > certificate system in SUSE[1]. For programs like Java, which require their
> > own format, he wants to be able to generate the new file after installation.
> > The current approach, calling keytool for each certificate file, is very slow
> > and unusable. Each run of keytool requires a start of the whole JVM, which is
> > not optimal for one small file.
>
> you don't need to do it this way; have a look at the ca-certificates-java
> package file in Ubuntu: the certificates available in the ca-certificates
> package are pregenerated at build time, and just added at installation time.
> Runtime is below 1sec iirc for the installation.
Well, the intention was to no longer pre-generate anything at build
time. Directly using Java code to figure out which certificates need
to be added or removed avoids quite some shell hackery.
> A more interesting question would be the handling of private certificates; it
> currently works in Ubuntu, but you have to store the keystore password on disk
> for handling the cacerts file. It would be nice to be able to read more than one
> keystore.
You mean per user ca-certificates? That's a different problem to be
solved by someone else :-)
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
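The approach Ludwig describes, one JVM deciding which certificates to add and which to remove instead of one keytool run per file, as an added example that is not code from this thread or from either distribution's ca-certificates package; the certificate directory, keystore path, "system:" alias prefix and keystore password are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

/* Sync a directory of PEM certificates into a JKS keystore in a single JVM.
 * Only aliases carrying our prefix are ever removed, so entries an admin
 * added by hand are left alone. Paths and password are assumed defaults. */
public class CacertsSync {
    static final String PREFIX = "system:"; // marks entries managed by this tool

    public static void main(String[] args) throws Exception {
        Path certDir = Paths.get(args.length > 0 ? args[0] : "/etc/ssl/certs");
        Path store = Paths.get(args.length > 1 ? args[1] : "cacerts");
        char[] pw = "changeit".toCharArray(); // JDK default password for cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) { ks.load(in, pw); }
        } else {
            ks.load(null, pw); // start from an empty keystore
        }
        // Pass 1: every PEM/CRT file in the directory must be present as a trusted entry.
        Set<String> wanted = new HashSet<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(certDir, "*.{pem,crt}")) {
            for (Path p : ds) {
                String alias = PREFIX + p.getFileName().toString().toLowerCase();
                Certificate cert;
                try (InputStream in = Files.newInputStream(p)) { cert = cf.generateCertificate(in); }
                wanted.add(alias);
                Certificate old = ks.getCertificate(alias);
                if (old == null || !old.equals(cert)) { // new file, or the CA rotated its cert
                    ks.setCertificateEntry(alias, cert);
                }
            }
        }
        // Pass 2: drop managed entries whose file disappeared (certificate withdrawn).
        for (String alias : Collections.list(ks.aliases())) {
            if (alias.startsWith(PREFIX) && !wanted.contains(alias) && ks.isCertificateEntry(alias)) {
                ks.deleteEntry(alias);
            }
        }
        // Write to a temp file and rename, so a crash never leaves a truncated cacerts.
        Path tmp = store.resolveSibling(store.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) { ks.store(out, pw); }
        Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }
}
```

Run it as `java CacertsSync /etc/ssl/certs /path/to/cacerts`; a second run with an unchanged directory makes no changes, and a removed PEM file removes only the matching prefixed alias.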