root CA certs should be removed from illumos-gate
Currently, illumos-gate includes a number of CA certs in usr/src/cmd/cmd-crypto/etc/CA-certs which were evidently pulled out of libnssckbi.so from the Mozilla NSS distribution. It also includes a handful of Sun CA certs (which are presumably controlled by Oracle now). The current CA cert collection is stale.
The root CA's should be removed from illumos-gate, distributions can include CA's as they feel appropriate.
On initial review it looks like the crypto/ca-certificates package will be removed entirely, and the Sun/Oracle CA certs will be removed from the SUNWcs package.
Updated by Paul Henson about 8 years ago
- File crypto-ca-certificates.tgz crypto-ca-certificates.tgz added
- File SUNWcs-certs.tgz SUNWcs-certs.tgz added
Attached are two tarballs of the certificates removed from illumos-gate by this issue. crypto-ca-certificates.tgz contains all of the root CA certificates and openssl hashed links that were in the package crypto/ca-certificates. SUNWcs-certs.tgz contains the Sun specific CA certificates that were part of the SUNWcs package.
After upgrading to a version of illumos-gate that has removed these certificates, you can restore them if necessary by simply extracting one or both of these tarballs in the root directory:
cd / && tar xvf /path/to/crypto-ca-certificates.tgz
Updated by Garrett D'Amore about 8 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
- Tags deleted (
Author: Paul B. Henson <firstname.lastname@example.org>
Date: Tue Nov 6 23:49:51 2012 -0800
3310 root CA certs should be removed from illumos-gate
Reviewed by: Garrett D'Amore <email@example.com>
Approved by: Dan McDonald <firstname.lastname@example.org>