Re: How to populate /etc/ssl/certs

From: Kyle Evans <kevans_at_freebsd.org>
Date: Thu, 16 Dec 2021 02:03:50 UTC

On Wed, Dec 15, 2021 at 4:20 PM Andrea Venturoli <ml@netfence.it> wrote:
>
>
> Hello.
>
> I've searched for this, but I didn't find an answer.
>
> How is /etc/ssl/certs populated?
>
> Does "make installworld" create the links for certificates in
> /usr/share/certs/trusted?
> Or should etcupdate?
>

Both; installworld rehashes once and the DESTDIR becomes populated
with whatever's present at the time for the purposes of populating an
image root or what-have-you. etcupdate will do it again, operating
under the theory that it's running on the live system, which may have
more roots present to grab than we did previously.

> What about /usr/local/share/certs/?
> I see on some of my machines a link to
> /usr/local/share/certs/ca-root-nss.crt: the latter is installed by
> security/ca_root_nss, but it doesn't seem to be the port that creates
> the link...
>
> Also, I'm using ezjail and older jails have /etc/ssl/certs empty!
> Newer jails' /etc/ssl/certs is almost identical to base's, although some
> certs are missing (I suspect it was correctly created, but doesn't get
> updated).
>

installworld has done it more or less since introduction,
freebsd-update will do it as of more recent versions if that's how
you're updating jails. 11.x didn't end up with any certs installed; we
started with 12.2 (IIRC).

Thanks,

Kyle Evans
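
An added example, not part of the original thread: a check for the situation described above, where a jail's /etc/ssl/certs is empty or has fallen behind the certificates shipped in /usr/share/certs/trusted. The function names and the sample file names are hypothetical, and it assumes each entry in etc/ssl/certs is a symlink whose target file name matches a file in the trusted directory.

```shell
#!/bin/sh
# Added example (not from the thread): report trusted roots with no link in etc/ssl/certs.
# Assumption: every entry in etc/ssl/certs is a symlink whose target file name
# matches a file in usr/share/certs/trusted.

# audit_certs ROOT: print the file name of each unlinked certificate under ROOT.
audit_certs() {
    root=${1%/}
    trusted="$root/usr/share/certs/trusted"
    links="$root/etc/ssl/certs"
    [ -d "$trusted" ] || { echo "no trusted dir: $trusted" >&2; return 2; }
    # Collect the file names the existing links point at. Dangling links count too,
    # since an absolute target only resolves from inside the jail.
    linked=$(
        for l in "$links"/*; do
            [ -L "$l" ] || continue
            basename "$(readlink "$l")"
        done | sort -u
    )
    for c in "$trusted"/*; do
        [ -f "$c" ] || continue
        name=$(basename "$c")
        printf '%s\n' "$linked" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# make_sample_root: build a constructed jail-like tree (hypothetical names), print its path.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/share/certs/trusted" "$r/etc/ssl/certs"
    for n in Root_A.pem Root_B.pem Root_C.pem; do
        : > "$r/usr/share/certs/trusted/$n"
    done
    ln -s /usr/share/certs/trusted/Root_A.pem "$r/etc/ssl/certs/0a1b2c3d.0"
    ln -s /usr/share/certs/trusted/Root_B.pem "$r/etc/ssl/certs/4e5f6a7b.0"
    printf '%s\n' "$r"
}

sample=$(make_sample_root)
audit_certs "$sample"    # prints Root_C.pem
rm -rf "$sample"
```

Pass a jail's root directory as the argument (or / for the host); any names printed are roots that the jail's TLS clients will not find until the links are regenerated.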