mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-24 03:37:16 +00:00
bb302e707a
This kind of automagica got picked up in trusted/ prior to the initial commit, but never got applied over in blacklisted. Ideally no one will be using blacklisted/ to store arbitrary certs that they don't intend to blacklist, so we should just install anything that's in here rather than force consumer to first copy cert into place and then modify the file listing in the Makefile. Wise man once say: "it is better to restrict too much, than not enough. sometimes." |
||
|---|---|---|
| .. | ||
| blacklisted | ||
| trusted | ||
| MAca-bundle.pl | ||
| Makefile | ||
| README | ||
# $FreeBSD$ This directory contains the scripts to update the TLS CA Root Certificates that comprise the 'root trust store'. The 'updatecerts' make target should be run periodically by secteam@ specifically when there is an important change to the list of trusted root certificates included by Mozilla. It will: 1) Remove the old trusted certificates (cleancerts) 2) Download the latest certdata.txt from Mozilla (fetchcerts) 3) Split certdata.txt into the individual .pem files (updatecerts) Then the results should manually be inspected (svn status) 1) Any no-longer-trusted certificates should be moved to the blacklisted directory (svn mv) 2) any newly added certificates will need to be added (svn add) The following make targets exist: cleancerts: Delete the old certificates, run as a dependency of updatecerts. fetchcerts: Download the latest certdata.txt from the Mozilla NSS hg repo See the changelog here: https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt updatecerts: Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt to generate the individual certificate files (.pem) and store them in the trusted/ directory.