Tom Tromey wrote:
>>>>>> "Raif" == Raif S Naffah <[EMAIL PROTECTED]> writes:
>
> [ cacerts ]
>
>>> No, I was thinking of the GNU/Linux distros. They seem to have their
>>> own collection of "trusted" ca-certs already. So I was wondering
>>> whether we could somehow reuse those easily (for example during
>>> installation time).
>
> Raif> i downloaded and installed (own --prefix since i don't use a Debian
> Raif> distro) the latest stable ca-certificates package (from
> Raif> <http://packages.debian.org/stable/misc/ca-certificates>).
>
> I wasn't really paying close attention to this... but Anthony ran into
> an issue (see the fedora-java list) with an application because we
> don't install our own cacerts file.
>
> He pointed out /etc/pki/tls/certs/ca-bundle.crt (on Fedora, dunno
> about other distros) -- but this file seems to be in a format not
> understood by gkeytool. Is that intentional? It contains a number of
> certificates; gkeytool stops after reading the first one.
>
> FWIW this file comes from the openssl package.
Note, Sun's keytool does the same thing: it only imports the first certificate in the file. This is more likely a limitation of the keytool program -- you can't import without giving a name to what you are importing, and you can only specify one name at a time.

We may want to add an 'import-bundle' command to gkeytool: if you give it a ca-bundle file, it imports all certificates in the bundle, and automatically assigns alias names to each.

Another great solution would be to write a simple KeyStore implementation that reads files like this, because they seem to be pretty common.
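As an added illustration of the 'import-bundle' idea above (this is example code written for this thread, not gkeytool's or GNU Classpath's own implementation), the following stand-alone Java program reads every certificate in a PEM bundle such as /etc/pki/tls/certs/ca-bundle.crt and stores each one as a trusted-certificate entry in a new keystore, deriving a unique alias from the subject CN. The command-line shape (bundle path, output keystore, store password), the alias scheme, and the rules for skipping expired or explicitly non-CA certificates are my own assumptions; the keytool limitation it works around is the one described above: every entry needs an alias, so a bundle importer has to generate them.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical "import-bundle" helper (example code, not part of gkeytool).
 *
 * Assumed usage:
 *   java ImportBundle /etc/pki/tls/certs/ca-bundle.crt out.jks changeit
 */
public class ImportBundle {

    /** Derive a keystore-friendly, unique alias from the certificate's subject. */
    static String aliasFor(X509Certificate cert, Set<String> used) {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String base = dn;
        // Prefer the CN attribute; fall back to the whole DN if there is none.
        for (String part : dn.split(",")) {
            if (part.startsWith("CN=")) {
                base = part.substring(3);
                break;
            }
        }
        base = base.toLowerCase().replaceAll("[^a-z0-9]+", "-").replaceAll("(^-|-$)", "");
        if (base.isEmpty()) {
            base = "cert";
        }
        // Aliases must be unique within one keystore; add a counter on collision.
        String alias = base;
        int n = 1;
        while (!used.add(alias)) {
            alias = base + "-" + (++n);
        }
        return alias;
    }

    /** generateCertificates() consumes every PEM block in the stream, not just the first. */
    static Collection<? extends Certificate> readBundle(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(in);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ImportBundle <bundle.pem> <out.keystore> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty keystore

        Set<String> used = new HashSet<>();
        int imported = 0;
        int skipped = 0;
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : readBundle(in)) {
                X509Certificate x = (X509Certificate) c;
                // A v3 certificate that says cA=false (or lacks basicConstraints) has no
                // business in a trust store. v1 roots carry no extensions, so they pass.
                if (x.getVersion() == 3 && x.getBasicConstraints() < 0) {
                    System.err.println("skipping non-CA certificate: " + x.getSubjectX500Principal());
                    skipped++;
                    continue;
                }
                // Expired or not-yet-valid roots should not be trusted either.
                try {
                    x.checkValidity();
                } catch (CertificateException e) {
                    System.err.println("skipping " + x.getSubjectX500Principal() + ": " + e.getMessage());
                    skipped++;
                    continue;
                }
                String alias = aliasFor(x, used);
                ks.setCertificateEntry(alias, x); // trusted-certificate entry, no private key
                imported++;
                System.out.println("imported " + alias);
            }
        }
        try (OutputStream out = new FileOutputStream(args[1])) {
            ks.store(out, args[2].toCharArray());
        }
        System.out.println(imported + " certificate(s) imported, " + skipped + " skipped, written to " + args[1]);
    }
}
```

The CN-based alias is only a convenience for humans reading `keytool -list` output; nothing in the JSSE trust manager depends on it, which is why collisions are resolved with a counter rather than treated as an error. The validity and basic-constraints checks are where a bundle importer adds value over a plain loop: a distro bundle is trusted wholesale, so any filtering of what ends up in the application's trust store has to happen at import time.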
