Where to place the common root CA certs

DJ Lucas dj at linuxfromscratch.org
Mon Mar 23 20:36:57 PDT 2009


DJ Lucas wrote:
>
> =================================
> patch -Np1 -i ../openssl-0.9.8j-fix_manpages-1.patch &&
> tar -vxf ../openssl-certs-6.4.tar.bz2 &&
>   
Okay, new OpenSSL instructions:

http://www.linuxfromscratch.org/~dj/openssl-certs-20090323.tar.bz2

a6e9998a9f4ee96f59de9d45137e3000  openssl-certs-20090323.tar.bz2


===================
patch -Np1 -i ../openssl-0.9.8j-fix_manpages-1.patch &&
tar -xvf ../openssl-certs-20090323.tar.bz2 &&
./config --prefix=/usr \
         --openssldir=/etc/ssl \
         shared \
         zlib-dynamic &&
make
===================
and as the root user:
===================
make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-0.9.8j &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-0.9.8j &&
for pem in /etc/ssl/certs/*.pem
do
    cat $pem
    echo ""
done > /etc/ssl/ca-bundle.crt
===================

Is everyone OK with that approach?  Anyone care?  :-)   I will remove 
the Root Certificates page and add an explanation for the added commands 
that explains the issue.  The only question I have left is how 
frequently to update the certificates, as it probably shouldn't be 
automated....and where/how to host the tar ball (doubt we want a tar 
ball in the SVN tree).

-- DJ Lucas


-- 
This message has been scanned for viruses and
dangerous content, and is believed to be clean.




More information about the blfs-dev mailing list