KaarPux Package: certdata
Certificates for the Web. Originally for Mozilla Firefox, but used by others as well.
- Name: certdata
- Version: 7eabe4d30cde
- Step: Bootstrap 8
- Definition: certdata.yaml
CA Certificates
The Mozilla trusted Certification Authority (CA) certificates are used in KaarPux as trusted root certificates for Mozilla applications (e.g. KaarPux Package: firefox), but also for other applications, such as OpenSSL (KaarPux Package: openssl) and Java (KaarPux Package: openjdk-cacerts).
The certificates are found in a single file (certdata.txt) from Mozilla Network Security Services (NSS).
Certificate data is kept in /etc/ssl/certs.
The certdata.txt file is processed by mk-ca-bundle.pl, which is a slightly modified version of curl mk-ca-bundle.pl, and which creates ca-bundle.crt and *.pem files.
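To show what converting certdata.txt involves, here is an added Python sketch (not KaarPux's or curl's mk-ca-bundle.pl) that decodes the MULTILINE_OCTAL certificate blocks and emits PEM only for entries whose trust object allows TLS server authentication. It assumes the CKO_NSS_* attribute naming and that each trust object directly follows its certificate; the function names and the sample data are constructed for illustration.

```python
import base64, re, textwrap

# Constructed sample in certdata.txt syntax; the octal bytes are dummy data, not real DER.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted CA"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_objects(text):
    """Split certdata.txt text into one attribute dict per CKA_CLASS object."""
    objs, lines = [], iter(text.splitlines())
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("CKA_"):
            continue  # comments, blank lines, BEGINDATA
        if parts[1] == "MULTILINE_OCTAL":  # collect \ooo bytes up to END
            body = "".join(iter(lambda: next(lines, "END").strip(), "END"))
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        else:
            value = parts[2].strip('"') if len(parts) > 2 else ""
        if parts[0] == "CKA_CLASS":
            objs.append({})  # CKA_CLASS starts a new object
        if objs:
            objs[-1][parts[0]] = value
    return objs

def trusted_server_cas(text):
    """Return {label: PEM} for certs whose following trust object permits TLS server auth."""
    objs, out = parse_objects(text), {}
    for cert, trust in zip(objs, objs[1:]):
        if (cert["CKA_CLASS"], trust["CKA_CLASS"]) != ("CKO_CERTIFICATE", "CKO_NSS_TRUST"):
            continue
        if trust.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR":
            b64 = "\n".join(textwrap.wrap(base64.b64encode(cert["CKA_VALUE"]).decode(), 64))
            out[cert["CKA_LABEL"]] = f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
    return out
```

The file also carries certificates marked as not trusted, so a converter that copied every CKA_VALUE block into the bundle would turn explicitly distrusted certificates into trust anchors.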
Additional CA Certificate
We also install the SPI CA root certificate from Software in the Public Interest.
This is used by e.g. alioth.debian.org. Note that this certificate is not automatically imported into e.g. KaarPux Package: firefox.
Certificates from Mozilla
It seems that the canonical source for certificates in Mozilla is hg.mozilla.org/projects/nss. So this is where to look to understand why certain certificates have been included or excluded.
Apparently, the certdata.txt “moves” through the Mozilla trees as follows:
In KaarPux we generally pick the latest mozilla-release.
Updating
Browse to the tip of mozilla-release to get the latest released version.
Select file next to certdata.txt.
You should now have a URL like http://hg.mozilla.org/mozilla-release/file/fe0b9a75b342/security/nss/lib/ckfw/builtins/certdata.txt, where the checkin (like fe0b9a75b342) is the value you need to change for the version: parameter in certdata.yaml.
mk-ca-bundle.pl
You may also want to verify that there is no update to curl mk-ca-bundle.pl newer than KaarPux mk-ca-bundle.pl.
Dependencies
Note: If the certdata package is updated, you must reinstall KaarPux Package: openjdk-cacerts.