Peer's certificate issuer is unknown while certificates have been added
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Sep 21 17:14:29 CEST 2012
On 09/20/2012 05:55 PM, Daniel Kahn Gillmor wrote:
> That said, if you *do* want to add trusted root CAs to a debian-derived
> system that aren't already shipped in the ca-certificates package, you
> probably don't want to tamper with the contents of
> /usr/share/ca-certificates directly. That part of the filesystem is
> controlled by the ca-certificates package.
>
> Instead, for any CA that you want to add to a system as the admin, you
> only need to drop a world-readable PEM-encoded file containing the CA's
> certificate into /usr/share/ca-certificates/, and then re-run
> "update-ca-certificates" as the superuser. This will create links
> properly under /etc/ssl/certs, and will include them in
> /etc/ssl/ca-certificates.crt.
>
gah -- the above is wrong in a very confusing way, apologies!
/usr/share/ca-certificates
is controlled by the ca-certificates package.
But the local system administrator has free reign over:
/usr/local/share/ca-certificates
note the "/local/", which i sloppily left out of my original next.
files in the latter directory are automatically added to the system
default list of trusted root authorities whenever update-ca-certificates
is run.
sorry for adding to the confusion,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120921/32a1e0db/attachment.pgp>
More information about the Gnutls-help
mailing list