NetBSD-Bugs archive
misc/59421: certctl(8) should have a default site-local directory
>Number: 59421
>Category: misc
>Synopsis: certctl(8) should have a default site-local directory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 14 21:45:00 +0000 2025
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The NetBSD Certification.local
>Environment:
>Description:
The default /etc/openssl/certs.conf, used to configure the systemwide TLS trust anchors at /etc/openssl/certs, finds certificates from only one place: /usr/share/certs/mozilla/server.
We should add some other canonical path where site-local trust anchors can be added so that certctl(8) will automatically pick them up for TLS trust anchors.
>How-To-Repeat:
try to adapt, e.g., go-mkcert (https://github.com/FiloSottile/mkcert) to NetBSD without teaching it to edit the /etc/openssl/certs.conf file
>Fix:
Candidates for this bikeshed paint:
/usr/local/share/certs/server
/etc/openssl/certs.local
Discuss!
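
As an added illustration (not part of the PR and not NetBSD's own code), this is roughly the edit a tool would have to make to /etc/openssl/certs.conf today, which a default site-local directory would make unnecessary. It assumes the certs.conf(5) layout of a `netbsd-certctl 20230816` header, one `path` directive per line, and a `manual` directive that takes the certs directory out of certctl's hands; the function name `add_trust_path` and the sample file are constructed, and /etc/openssl/certs.local is one of the PR's candidate paths.

```shell
#!/bin/sh
# Added example: register a site-local trust-anchor directory in a
# certctl(8) configuration file, idempotently.
# Assumes one "path DIR" directive per line (no backslash continuations).

# add_trust_path CONF DIR
# Returns 0 if DIR is listed afterwards, 1 on bad input,
# 2 if CONF is in manual mode (assumed: certctl leaves the certs dir alone).
add_trust_path() {
	conf=$1
	dir=$2

	[ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
	case $dir in
	*[[:space:]]*) echo "refusing path with whitespace: $dir" >&2; return 1 ;;
	/*) ;;
	*) echo "path must be absolute: $dir" >&2; return 1 ;;
	esac

	# With "manual" set, adding a path would not change the trust store.
	if awk '$1 == "manual" { m = 1 } END { exit !m }' "$conf"; then
		echo "$conf is in manual mode; not editing" >&2
		return 2
	fi

	# Already configured: leave the file untouched.
	if awk -v d="$dir" '$1 == "path" && $2 == d { f = 1 } END { exit !f }' "$conf"; then
		return 0
	fi

	# Make sure the last line is newline-terminated before appending.
	if [ -n "$(tail -c 1 "$conf")" ]; then
		echo >> "$conf"
	fi
	printf 'path %s\n' "$dir" >> "$conf"
}

# Demo on a constructed sample config, not the live /etc/openssl/certs.conf.
demo_conf=$(mktemp)
printf '%s\n' 'netbsd-certctl 20230816' '' \
	'path /usr/share/certs/mozilla/server' > "$demo_conf"
add_trust_path "$demo_conf" /etc/openssl/certs.local
add_trust_path "$demo_conf" /etc/openssl/certs.local   # second call is a no-op
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real system the edit only takes effect after `certctl rehash` is run as root to rebuild /etc/openssl/certs.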