Project

General

Profile

Feature #3310

root CA certs should be removed from illumos-gate

Added by Paul Henson about 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
system data
Start date:
2012-10-26
Due date:
% Done:

100%

Estimated time:
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

Currently, illumos-gate includes a number of CA certs in usr/src/cmd/cmd-crypto/etc/CA-certs which were evidently pulled out of libnssckbi.so from the Mozilla NSS distribution. It also includes a handful of Sun CA certs (which are presumably controlled by Oracle now). The current CA cert collection is stale.

The root CA's should be removed from illumos-gate, distributions can include CA's as they feel appropriate.

On initial review it looks like the crypto/ca-certificates package will be removed entirely, and the Sun/Oracle CA certs will be removed from the SUNWcs package.


Files

crypto-ca-certificates.tgz (124 KB) crypto-ca-certificates.tgz tarball of removed package crypto/ca-certificates Paul Henson, 2012-11-06 07:39 PM
SUNWcs-certs.tgz (5.81 KB) SUNWcs-certs.tgz tarball of Sun certs removed from SUNWcs package Paul Henson, 2012-11-06 07:39 PM
#1

Updated by Paul Henson about 8 years ago

Attached are two tarballs of the certificates removed from illumos-gate by this issue. crypto-ca-certificates.tgz contains all of the root CA certificates and openssl hashed links that were in the package crypto/ca-certificates. SUNWcs-certs.tgz contains the Sun specific CA certificates that were part of the SUNWcs package.

After upgrading to a version of illumos-gate that has removed these certificates, you can restore them if necessary by simply extracting one or both of these tarballs in the root directory:

cd / && tar xvf /path/to/crypto-ca-certificates.tgz

#2

Updated by Garrett D'Amore about 8 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
  • Tags deleted (needs-triage)

Integrated in:

commit 520b7dcb0ddb3a8e36db755a9c840615df68b020
Author: Paul B. Henson <>
Date: Tue Nov 6 23:49:51 2012 -0800

3310 root CA certs should be removed from illumos-gate
Reviewed by: Garrett D'Amore &lt;&gt;
Approved by: Dan McDonald &lt;&gt;

Also available in: Atom PDF