RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format
Michael Osipov
1983-01-06 at gmx.net
Fri Aug 2 17:37:30 UTC 2019
Thank you, looking forward to it.
On 2019-08-02 at 11:59, Weijun Wang wrote:
> Great. This is also easy for me.
>
> --Max
>
>> On Aug 2, 2019, at 5:20 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>
>>>> On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>>>
>>>> Can you please explain why not simple PEM bundles like OpenSSL have been
>>>> chosen?
>>>
>>> Is that /etc/ssl/certs on Ubuntu? It's a directory containing a lot of PEM files. Do you prefer this style or a big file containing multiple PEM blocks?
>>
>> Hi Max,
>>
>> I prefer the latter. This works flawlessly for OpenSSL-based apps on FreeBSD, RHEL and HP-UX for me:
>>
>> RHEL:
>> $ ll /etc/ssl/certs/ca-bundle.crt
>> lrwxrwxrwx. 1 root root 49 2018-11-02 15:15 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>> FreeBSD:
>> # ll /usr/local/etc/ssl/cert.pem
>> -rw-r--r-- 1 root wheel 1073753 2019-07-31 10:14 /usr/local/etc/ssl/cert.pem
>> HP-UX:
>> # ll /opt/openssl/cert.pem
>> -rw-r--r-- 1 root sys 1081003 2019-04-18 11:45 /opt/openssl/cert.pem
>>
>> These bundles contain publicly known CAs from Mozilla as well as all intermediate and root CAs from our company:
>> https://new.siemens.com/global/en/general/legal/ca-certificates.html
>>
>> I think this is the function doing the magic: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
>>
>> Michael
>
>