HardenedBSD/secure/caroot/README


This directory contains the scripts to update the TLS CA Root Certificates
that comprise the 'root trust store'.

The 'updatecerts' make target should be run periodically by secteam@
specifically when there is an important change to the list of trusted root
certificates included by Mozilla.

It will:
	1) Remove the old trusted certificates (cleancerts)
	2) Download the latest certdata.txt from Mozilla (fetchcerts)
	3) Split certdata.txt into the individual .pem files (updatecerts)

Then the results should manually be inspected (git status)
	1) Any no-longer-trusted certificates should be moved to the
	untrusted directory (git mv)
	2) any newly added certificates will need to be added (git add)


The following make targets exist:

cleancerts:
	Delete the old certificates, run as a dependency of updatecerts.

fetchcerts:
	Download the latest certdata.txt from the Mozilla NSS hg repo
	See the changelog here:
		https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

updatecerts:
	Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
	to generate the individual certificate files (.pem) and store them
	in the trusted/ directory.
[1/3] Initial infrastructure for SSL root bundle in base This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856 2019-10-02 03:05:29 +02:00
			`This directory contains the scripts to update the TLS CA Root Certificates`
			`that comprise the 'root trust store'.`

			`The 'updatecerts' make target should be run periodically by secteam@`
			`specifically when there is an important change to the list of trusted root`
			`certificates included by Mozilla.`

			`It will:`
			`1) Remove the old trusted certificates (cleancerts)`
			`2) Download the latest certdata.txt from Mozilla (fetchcerts)`
			`3) Split certdata.txt into the individual .pem files (updatecerts)`

caroot: Update VCS instructions 2022-11-07 12:24:09 +01:00			`Then the results should manually be inspected (git status)`
[1/3] Initial infrastructure for SSL root bundle in base This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856 2019-10-02 03:05:29 +02:00			`1) Any no-longer-trusted certificates should be moved to the`
secure/caroot, certctl: Rename secure/caroot/blacklisted Old certctl commands still work for compatability, but are deprecated. Approved by: secteam (gordon) Differential Revision: https://reviews.freebsd.org/D30807 2021-06-18 14:29:15 +02:00			`untrusted directory (git mv)`
			`2) any newly added certificates will need to be added (git add)`
[1/3] Initial infrastructure for SSL root bundle in base This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856 2019-10-02 03:05:29 +02:00

			`The following make targets exist:`

			`cleancerts:`
			`Delete the old certificates, run as a dependency of updatecerts.`

			`fetchcerts:`
			`Download the latest certdata.txt from the Mozilla NSS hg repo`
			`See the changelog here:`
			`https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt`

			`updatecerts:`
			`Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt`
			`to generate the individual certificate files (.pem) and store them`
			`in the trusted/ directory.`