Package: ca-certificates
Version: 20070303
Severity: wishlist

I have organization-private CA certificates which I would like to place in Debian packages so that they are easy to deploy and maintain on many computers. Since they are organization-private it is not appropriate to request that they be included with the ca-certificates package nor in the public Debian repository (they will be found in private repositories).

Yet I would like to use the facilities provided by ca-certificates to help maintain these certificates. The advantage of doing this is that there remains only one centralized place where the list of trusted certificates is maintained, and the user can still use "dpkg-reconfigure ca-certificates" to view and maintain the list, including the certificates that have been installed as separate packages.

However I did not find any documentation concerning how to make use of the facilities of ca-certificates. This bug is a wishlist request to document a recommended (official?) method.

The approach I have already tried is this: my package depends on ca-certificates and installs a certificate in /usr/share/ca-certificates; in the postinst it adds an item to /etc/ca-certificates.conf and calls update-ca-certificates; in the postrm it removes the item from /etc/ca-certificates.conf and calls update-ca-certificates.

This approach seems to play well with ca-certificates but I am concerned that it is incorrect because I am modifying a configuration file that belongs to a different package (/etc/ca-certificates.conf).

(Note: I am assuming that a user who installs the extra certificate's package desires to trust it, otherwise they would not install the package. That is why I add the certificate to /etc/ca-certificates.conf automatically. Even so, the user can disable the certificate afterwards without removing the package with "dpkg-reconfigure ca-certificates".)

Possible alternate approaches would be to tweak ca-certificate's debconf preferences in the extra certificate's package's postinst (even worse behaviour, I am afraid), or install a certificate directly in /etc/ssl/certs and not integrate with ca-certificates at all (but should a package install files in the configuration directory /etc?), or have ca-certificates provide an official API to register and unregister extra certificates (à la defoma, etc...)

If you agree that it is a good idea to allow other packages to install extra certificates to be managed together with those included in ca-certificates, then I encourage you to document the process by which this should be done.

-Phil

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.11etch2    Debian configuration management sy
ii  openssl                0.9.8c-4etch3  Secure Socket Layer (SSL) binary a

ca-certificates recommends no packages.

-- debconf information excluded
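Added example, not part of the original report and not code from ca-certificates: a sketch of the postinst/postrm edits to the configuration file that the report describes, written so that repeated runs add the entry only once and an entry the administrator has deselected (a leading "!" in ca-certificates.conf) is not re-enabled. The helper names and the entry example-org/example-org-root.crt are hypothetical, and the configuration file path is a parameter so the functions can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example; helper names and the sample entry are hypothetical.
# Entries in ca-certificates.conf are paths relative to
# /usr/share/ca-certificates; a leading "!" marks a deselected certificate.
#
# Intended use in maintainer scripts (assumption, mirrors the report):
#   postinst: register_ca /etc/ca-certificates.conf example-org/example-org-root.crt
#   postrm:   unregister_ca /etc/ca-certificates.conf example-org/example-org-root.crt
# each followed by a call to update-ca-certificates.

# has_line FILE LINE: true if FILE contains LINE as an exact whole line.
has_line() {
    grep -Fxq -- "$2" "$1" 2>/dev/null
}

# register_ca CONF ENTRY: append ENTRY once. An existing "ENTRY" or "!ENTRY"
# is left untouched, so an upgrade never re-enables a CA that was switched
# off with dpkg-reconfigure ca-certificates.
register_ca() {
    conf=$1 entry=$2
    if has_line "$conf" "$entry" || has_line "$conf" "!$entry"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$conf"
}

# unregister_ca CONF ENTRY: drop both the enabled and the deselected form,
# keep every other line (comments and other certificates) as it was.
unregister_ca() {
    conf=$1 entry=$2
    [ -f "$conf" ] || return 0
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # grep exits 1 when no lines remain; only a status above 1 is an error.
    grep -Fxv -e "$entry" -e "!$entry" -- "$conf" > "$tmp" ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    # Write back through cat so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# is_trusted CONF ENTRY: true only if ENTRY is listed and not deselected.
is_trusted() {
    has_line "$1" "$2"
}
```
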