path: root/debian/README.Debian
blob: 397d64908394d0eb3e9b42df805999b191970cea (plain)
The Debian Package ca-certificates
----------------------------------

This package includes PEM files of CA certificates to allow SSL-based
applications to check for the authenticity of SSL connections.

Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator.

The CA certificates contained in this package are installed into
/usr/share/ca-certificates/.

The configuration file /etc/ca-certificates.conf is seeded with
trust information through Debconf.  Just call 'dpkg-reconfigure
ca-certificates' to adjust the settings to trust or disable the installed
certificate authorities.  By default, all installed certificate authorities
are configured to be trusted.

'update-ca-certificates' will then update /etc/ssl/certs/ which may be
used by various software in Debian.  It will also generate the hash
symlinks and generate a single-file version in
/etc/ssl/certs/ca-certificates.crt.  Some web browsers, email clients,
and other software that use SSL maintain their own CA trust database and
may not use the trusted CA certificates in this package.  Those packages
that *do* use ca-certificates should depend on this package.  Users can
see reverse dependencies with 'apt-cache showpkg ca-certificates'.

How to install local CA certificates
------------------------------------

If you want to install local certificate authorities to be implicitly
trusted, please put the certificate files as single files ending with
".crt" into /usr/local/share/ca-certificates/ and re-run
'update-ca-certificates'.  If you remove local certificates from
/usr/local/share/ca-certificates/, you can remove symlinks by running
'update-ca-certificates --fresh'.  If you want to prepare a local
package of your certificates, the package should depend on
ca-certificates, install the PEM files into
/usr/local/share/ca-certificates/ as above, call
'update-ca-certificates' in its postinst, and call
'update-ca-certificates --fresh' in its postrm.

An example source package for building a local CA certificate package,
using ca-certificates (>= 20130119) (since it uses triggers) can be
found in /usr/share/doc/ca-certificates/examples/ca-certificates-local/.
The README file in the above directory has step-by-step instructions for
building a local CA certificate package.
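
For the manual installation described above, a pre-install check can
keep malformed or dangerous files out of the trust directory.  The
following is an added example, not part of the ca-certificates package;
the function names and the LOCAL_CA_DIR variable are hypothetical, and
it assumes "single files" means exactly one PEM certificate per file.

```shell
#!/bin/sh
# Added example: lint a local CA file, then stage it for update-ca-certificates.
# Function names and the LOCAL_CA_DIR variable are hypothetical.
LOCAL_CA_DIR="${LOCAL_CA_DIR:-/usr/local/share/ca-certificates}"

# check_local_ca_file FILE -> 0 if FILE is structurally fit to install, else 1.
check_local_ca_file() {
    f="$1"
    case "$f" in
        *.crt) ;;
        *) echo "reject: $f: name must end in .crt" >&2; return 1 ;;
    esac
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "reject: $f: not a readable regular file" >&2; return 1
    fi
    # The trust directory is world-readable; key material must never land there.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "reject: $f: contains a private key block" >&2; return 1
    fi
    # Assumption: "single files" means exactly one PEM certificate per file.
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "reject: $f: expected 1 PEM certificate, found $begins" >&2; return 1
    fi
    return 0
}

# stage_local_ca FILE [DEST_DIR] -> copy a checked file into the local CA dir.
stage_local_ca() {
    src="$1"
    dest="${2:-$LOCAL_CA_DIR}"
    check_local_ca_file "$src" || return 1
    # 0644: a CA certificate is public data, readable by all, writable by owner.
    install -m 0644 "$src" "$dest/$(basename "$src")" || return 1
    echo "staged $dest/$(basename "$src"); now run: update-ca-certificates"
}
```

The check is structural only and does not parse the certificate.
Review the subject and fingerprint before staging, for example with
'openssl x509 -in FILE -noout -subject -fingerprint -sha256'.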

How certificates will be accepted into the ca-certificates package
------------------------------------------------------------------

 - Get it included in the Mozilla CA Certificate Store.
   https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/