RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format
Weijun Wang
weijun.wang at oracle.com
Fri Aug 2 09:59:45 UTC 2019
Great. This is also easy for me.
--Max
> On Aug 2, 2019, at 5:20 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>
>>> On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>>
>>> Can you please explain why not simple PEM bundles like OpenSSL have been
>>> chosen?
>>
>> Is that /etc/ssl/certs on Ubuntu? It's a directory containing a lot of PEM files. Do you prefer this style or a big file containing multiple PEM blocks?
>
> Hi Max,
>
> I prefer the latter. This works flawlessly for OpenSSL-based apps on FreeBSD, RHEL and HP-UX for me:
>
> RHEL:
> $ ll /etc/ssl/certs/ca-bundle.crt
> lrwxrwxrwx. 1 root root 49 2018-11-02 15:15 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> FreeBSD:
> # ll /usr/local/etc/ssl/cert.pem
> -rw-r--r-- 1 root wheel 1073753 2019-07-31 10:14 /usr/local/etc/ssl/cert.pem
> HP-UX:
> # ll /opt/openssl/cert.pem
> -rw-r--r-- 1 root sys 1081003 2019-04-18 11:45 /opt/openssl/cert.pem
>
> These bundles contain public-known CAs from Mozilla as well as all intermediate and root CAs from our company:
> https://new.siemens.com/global/en/general/legal/ca-certificates.html
>
> I think this is the function doing the magic: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
>
> Michael
More information about the security-dev
mailing list