Feature #3310
root CA certs should be removed from illumos-gate
Description
Currently, illumos-gate includes a number of CA certs in usr/src/cmd/cmd-crypto/etc/CA-certs which were evidently pulled out of libnssckbi.so from the Mozilla NSS distribution. It also includes a handful of Sun CA certs (which are presumably controlled by Oracle now). The current CA cert collection is stale.
The root CAs should be removed from illumos-gate; distributions can include CAs as they feel appropriate.
On initial review it looks like the crypto/ca-certificates package will be removed entirely, and the Sun/Oracle CA certs will be removed from the SUNWcs package.
Updated by Paul Henson over 8 years ago
- File crypto-ca-certificates.tgz added
- File SUNWcs-certs.tgz added
Attached are two tarballs of the certificates removed from illumos-gate by this issue. crypto-ca-certificates.tgz contains all of the root CA certificates and openssl hashed links that were in the package crypto/ca-certificates. SUNWcs-certs.tgz contains the Sun-specific CA certificates that were part of the SUNWcs package.
After upgrading to a version of illumos-gate that has removed these certificates, you can restore them if necessary by simply extracting one or both of these tarballs in the root directory:
cd / && tar xvf /path/to/crypto-ca-certificates.tgz
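Added example, not part of the original comment or of illumos-gate: because the tarballs are unpacked as root in /, this Python sketch lists a tarball's members first and reports anything that would land outside the expected CA directory, including hashed links that point elsewhere. The directory name `etc/example-ca-dir` is a placeholder and the sample archives are constructed; substitute the path your distribution uses.

```python
import io
import posixpath
import tarfile

PREFIX = "etc/example-ca-dir"  # placeholder: the CA directory you expect, relative to /

def audit_tarball(fileobj, allowed_prefix=PREFIX):
    """Return (member, problem) pairs; an empty list means nothing lands outside the prefix."""
    prefix = allowed_prefix.strip("/") + "/"
    problems = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if name.startswith(("/", "../")) or name == "..":
                problems.append((m.name, "escapes extraction root"))
            elif m.isdir():
                # Parent directories of the prefix (e.g. "etc") are expected.
                if not (name == "." or (name + "/").startswith(prefix)
                        or prefix.startswith(name + "/")):
                    problems.append((m.name, "outside allowed prefix"))
            elif not name.startswith(prefix):
                problems.append((m.name, "outside allowed prefix"))
            elif m.issym():
                # Hashed links should point at a certificate inside the same tree.
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), m.linkname))
                if m.linkname.startswith("/") or not target.startswith(prefix):
                    problems.append((m.name, "link target outside allowed prefix"))
            elif m.isfile():
                if m.mode & 0o7022:  # setuid/setgid/sticky or group/world-writable
                    problems.append((m.name, "unsafe mode %o" % m.mode))
            else:
                problems.append((m.name, "unexpected member type"))
    return problems

def build_sample(entries):
    """Build a constructed in-memory .tgz from (name, symlink_target_or_None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            data = b"" if link else b"-----BEGIN CERTIFICATE-----\n(constructed)\n"
            info.size = len(data)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

To check a real file, open it in binary mode and pass the file object to `audit_tarball`; extract only when the returned list is empty.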
Updated by Garrett D'Amore over 8 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
- Tags deleted (needs-triage)
Integrated in:
commit 520b7dcb0ddb3a8e36db755a9c840615df68b020
Author: Paul B. Henson <henson@acm.org>
Date: Tue Nov 6 23:49:51 2012 -0800
3310 root CA certs should be removed from illumos-gate
Reviewed by: Garrett D'Amore <garrett@damore.org>
Approved by: Dan McDonald <danmcd@nexenta.com>