John Klos <john%ziaspace.com@localhost> writes: > Is there a better way to install and update trusted root certificates > in NetBSD? The recommendation of using security/mozilla-rootcerts from > pkgsrc isn't a good one; first, it assumes that a system has NO other > certificates (/etc/openssl/certs/ must be empty), and second, it > leaves a mess in /etc/openssl/certs/, then creates > /etc/ssl/certs/ca-certificates.crt, which programs don't use by > default. That sounds buggy and we should probably discuss/fix. Why does it assume /etc/oepnssl/certs is empty? It seems like it should make symlinks for the certs it adds, and not make symlinks for other certs that happen to be there, and this should be easy to fix. > Should people and programs be using /etc/ssl/certs/, or > /etc/openssl/certs/? Why would mozilla-rootcerts use both? This > doesn't seem to make sense. /etc/ssl is news to me. It seems there should be one place for all of openssl, in terms of configuring trust anchors, and it should work for base and pkgsrc the same way.
Attachment:
pgpOvnKcZHyyz.pgp
Description: PGP signature