Fwd: F20 Self Contained Change: Shared Certificate Tools

Stef Walter stefw at redhat.com
Wed Jul 17 18:16:18 UTC 2013


On 12.07.2013 20:28, Toshio Kuratomi wrote:
> On Wed, Jul 10, 2013 at 01:22:37PM +0200, Jaroslav Reznik wrote:
>>
>> Because not all crypto implementations read their trusted information directly
>> from the dynamic database, the tool will take care of extracting things as
>> appropriate after making a change. This will enable administrators to run a
>> single command to add an anchor (and perform other tasks).
>>
> So it sounds like this is a modify and sync strategy?  Are there other tools
> in the distribution that may modify the primary or the sync'd certificates
> that need to be changed so that they don't step on what p11-kit is doing?

If I'm understanding you correctly, then we already have such a
strategy. Admins modify files in /etc/pki/ca-trust and run
update-ca-trust (is that the sync you're talking about?), which makes sure
all the legacy loaders of the certificate bundles get updated.

This proposal simply adds a tool so that admins don't have to diddle
files directly (although that is still supported).

Cheers,

Stef




