update on ca-certificates, introducing the ca-legacy utility

Kai Engert kaie at kuix.de
Fri Nov 21 13:03:00 UTC 2014

On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
> All legacy root CA certificates, which seem to be required for full
> compatibility with either OpenSSL or GnuTLS, will continue to be
> included and enabled in the ca-certificates package.
> For users who are willing to accept the breakage and prefer using the
> latest trust, only, we provide a mechanism to disable the legacy trust.
> I've described the proposed approach in more detail at
> https://bugzilla.redhat.com/show_bug.cgi?id=1158197
> I've pushed experimental packages with this implementation to Rawhide
> and updates-testing for Fedora 21. I have disabled the karma automatism,
> because I'll be offline for the next 2 weeks, and don't want things to
> go live while I'm away. I think it will be helpful to collect test
> feedback during that time, and see if it's suitable, and make a
> ship/no-ship decision of this approach later.

In the meantime, while I was on vacation, the above has been
(accidentally) pushed as a stable update for Fedora 21 already:

It seems it will be included in the final release of Fedora 21. Given
that we keep legacy trust enabled, and given that I haven't seen any
problem reports, it's probably OK.

Using the new ca-legacy utility, users/administrators who are willing to
accept the compatibility issues and who prefer to closely follow the
Mozilla CA trust decisions, can disable trust for the legacy root CA
certificates as a systemwide configuration, by executing this command as
  ca-legacy disable

The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
and will be used on future package upgrades, when additional
certificates are moved to the legacy state.

If required, it's possible to undo the configuration and restore to the
current default, using:
  ca-legacy enable

The current configuration can be shown using:
  ca-legacy check

Regarding Fedora 19 and Fedora 20:

On F19/F20, GnuTLS is also affected by the breakage, when disabling
trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
and later, only.

Updated packages for F19 and F20, that provide the update to version 2.1
of the ca-certificates list, and which also include the new ca-legacy
utility and configuration mechanism, have been pushed to


More information about the devel mailing list