Similar to the removal of $CERTBUNDLE prior to calling c_rehash in sbin/update-ca-certificates (see http://bugs.debian.org/cgi-bin/643667), we could (using vars, etc. - this is just an idea):
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates index 5375950..72acc5a 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -128,6 +128,7 @@ then fi rm -f "$CERTBUNDLE" +rm -f /etc/ssl/certs/cacert.org.pem ADDED_CNT=$(wc -l < "$ADDED") REMOVED_CNT=$(wc -l < "$REMOVED") @@ -145,6 +146,7 @@ fi chmod 0644 "$TEMPBUNDLE" mv -f "$TEMPBUNDLE" "$CERTBUNDLE" +ln -sf /usr/share/ca-certificates/cacert.org/cacert.org.crt /etc/ssl/certs/cacert.org.pem echo "$ADDED_CNT added, $REMOVED_CNT removed; done." This would allow installation of concatenated pem for those that use it in configs for other services, gets it out of the way so the hash symlinks to the individual root.crt and class3.crt don't get stepped on, and gives us a path for deprecation of the chained cert later on. We can also document the use of SSLCACertificatePath instead of SSLCACertificateFile for Apache, for instance (for Jessie deprecation upgrade notes). -- Michael
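Review bot: In the first hunk (@@ -128,6 +128,7), the added `rm -f /etc/ssl/certs/cacert.org.pem` hard-codes the path and runs unconditionally, unlike the `rm -f "$CERTBUNDLE"` line just above it, which uses a quoted variable. Build the path from the script's existing certificate-directory variable, as the message itself suggests, so a non-default location is honoured. Also note that the file is removed here but only recreated by the `ln -sf` in the second hunk, after the bundle has been moved into place. Any service that opens cacert.org.pem during that interval will fail to load its CA file. Replacing the link atomically in a single step at the end would avoid the gap.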
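Review bot: In the second hunk (@@ -145,6 +146,7), `ln -sf /usr/share/ca-certificates/cacert.org/cacert.org.crt /etc/ssl/certs/cacert.org.pem` is executed on every run with no check that the target exists or that the local administrator has left the cacert.org certificates enabled. If the target is missing, the result is a dangling symlink. If the administrator has deselected those certificates, the link still puts the concatenated roots back under /etc/ssl/certs, where any service configured to read cacert.org.pem keeps trusting them. Guard the link with a test that the source file exists and is among the currently selected certificates, and remove the link otherwise. The two hard-coded paths should also be variables and quoted, matching `"$TEMPBUNDLE"` and `"$CERTBUNDLE"` in the surrounding lines.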