RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format
Michael Osipov
1983-01-06 at gmx.net
Fri Aug 2 09:20:55 UTC 2019
> > On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
> >
> > Can you please explain why not simple PEM bundles like OpenSSL have been
> > chosen?
>
> Is that /etc/ssl/certs on Ubuntu? It's a directory containing a lot of PEM files. Do you prefer this style or a big file containing multiple PEM blocks?
Hi Max,
I prefer the latter. This works flawlessly for OpenSSL-based apps on FreeBSD, RHEL and HP-UX for me:
RHEL:
$ ll /etc/ssl/certs/ca-bundle.crt
lrwxrwxrwx. 1 root root 49 2018-11-02 15:15 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
FreeBSD:
# ll /usr/local/etc/ssl/cert.pem
-rw-r--r-- 1 root wheel 1073753 2019-07-31 10:14 /usr/local/etc/ssl/cert.pem
HP-UX:
# ll /opt/openssl/cert.pem
-rw-r--r-- 1 root sys 1081003 2019-04-18 11:45 /opt/openssl/cert.pem
These bundles contain public-known CAs from Mozilla as well as all intermediate and root CAs from our company:
https://new.siemens.com/global/en/general/legal/ca-certificates.html
I think this is the function doing the magic: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
Michael
More information about the security-dev
mailing list