Looking at the generated /etc/ssl/certs/ hash directory, I find the following two links:
Code:
lrwxr-xr-x 1 root wheel 53B May 22 14:42 cd8c0d63.0 -> ../../../usr/share/certs/trusted/AC_RAIZ_FNMT-RCM.pem
lrwxr-xr-x 1 root wheel 46B May 22 14:42 cd8c0d63.1 -> ../../../usr/local/share/certs/ca-root-nss.crt
My interpretation is that ca-root-nss.crt is mapped to the same certificate as AC_RAIZ_FNMT-RCM.pem. No other certificates in the CA-file-type ca-root-nss.crt are mapped, as no other hash links map to it.
I know that I can exclude it by changing the TRUSTPATH environment variable to exclude the installation directory of the ca-root-nss package, but as this file is also installed as the link /etc/ssl/cert.pem, this means that if I exclude it, the two trust paths CAfile=/etc/ssl/cert.pem and CAdir=/etc/ssl/certs/ differ; specifically, any local certs added via /usr/local/etc/ssl/certs/ are only in the CAdir path.
I know that the port security/ca_root_nss describes replacing the different cert.pem files so the port does not overwrite them, but that is after the installation and may trip up users, as certctl is run after freebsd-update, so a host may end up in this split situation if the user doesn't recognise this comment. If certctl should take precedence then it needs a refresh command that also overwrites /etc/ssl/cert.pem.
Why is this so? Am I missing something?
Either, if the certificates of ca-root-nss.crt should be included, it should be split up before being hashed by certctl, or the port and base system need to hash this out, maybe with a flavour of ca-root-nss that does not install the links.
These two things just feel like they are pulling in different directions.
So, what is the thought on this?
Is everyone using custom scripts to solve this, especially regarding pushing the host CA data to Java?
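As an added example (not from the original post and not certctl's own code), the following POSIX shell script shows why a concatenated bundle such as ca-root-nss.crt ends up with a single hash link, and what splitting it first changes. It generates two constructed self-signed CAs with openssl, concatenates them into a bundle, and builds a c_rehash-style directory (subject hash plus collision counter, the same naming as the listing above) twice: once with the bundle treated as one file next to its own first member, once after splitting the bundle into one file per certificate. `openssl x509 -hash` only reads the first certificate in a file, so in the first case the bundle collides with that certificate (.0 and .1) and the second CA gets no link at all. The CA names, file names and helper functions are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original post or of certctl): why a
# concatenated CA bundle gets one hash link, and what splitting it first changes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a constructed self-signed CA: $1 = CN (hypothetical), $2 = output PEM.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Subject hash used for c_rehash-style link names.
# Note: `openssl x509` only looks at the FIRST certificate in the file.
subject_hash() { openssl x509 -hash -noout -in "$1"; }

# Split a PEM bundle into one file per certificate: $1 = bundle, $2 = output dir.
# Text between certificates (comment headers, as in ca-root-nss.crt) is dropped.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
  ' "$1"
}

# Populate a hash directory from the given files, naming links <hash>.0, .1, ...
# on collision (the scheme seen in the listing): $1 = hash dir, rest = cert files.
rehash_dir() {
  dir=$1; shift
  mkdir -p "$dir"
  for f in "$@"; do
    h=$(subject_hash "$f")
    i=0
    while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
    ln -s "$f" "$dir/$h.$i"
  done
}

# Number of links in hash dir $1 whose name starts with subject hash $2.
hash_link_count() {
  n=0
  for l in "$1/$2".*; do
    if [ -e "$l" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

mkcert "Example Root A" "$WORK/a.pem"
mkcert "Example Root B" "$WORK/b.pem"
cat "$WORK/a.pem" "$WORK/b.pem" > "$WORK/bundle.crt"

# Case 1: a.pem and the bundle hashed side by side, like AC_RAIZ_FNMT-RCM.pem
# and ca-root-nss.crt above. Both links carry A's hash; B gets no link.
rehash_dir "$WORK/hashed-bundle" "$WORK/a.pem" "$WORK/bundle.crt"
echo "bundle hashed as one file:"; ls -l "$WORK/hashed-bundle"

# Case 2: split the bundle first, then hash each certificate on its own.
split_bundle "$WORK/bundle.crt" "$WORK/split"
rehash_dir "$WORK/hashed-split" "$WORK/split"/*.pem
echo "bundle split before hashing:"; ls -l "$WORK/hashed-split"
```

The second listing is what "split up before being hashed" would produce: one link per certificate, so a by-hash lookup for the second CA's subject finds a file at all. Run it on any bundle you care about by pointing split_bundle at it; the temporary directory is removed on exit.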