[OmniOS-discuss] ssl root CA certs
Eric Sproul
esproul at omniti.com
Fri Oct 12 11:53:07 EDT 2012
On Fri, Oct 12, 2012 at 10:14 AM, Eric Sproul <esproul at omniti.com> wrote:
> The certs in /usr/ssl/certs come from the crypto/ca-certificates
> package which is part of illumos-gate. OpenSSL is not-- we build that
> ourselves, mostly following the way it was built previously in
> OpenSolaris/OI, which is to say, without any connection to
> crypto/ca-certificates. I'll look into what might do there; thanks
> for pointing it out.
I found where the CA certs live in illumos-gate:
http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/cmd-crypto/etc/CA-certs/
It looks like these certs are at least 18 months old, judging solely
by the mod times. I'm not certain how often they get updated, but
given the changes I've observed in the bundle we get from haxx.se,
this collection almost certainly contains stale data. Given that, do
we still want to encourage the use of that set or just point apps at
/etc/cacert.pem which is more up to date?
More information about the OmniOS-discuss
mailing list