On Thu, 2006-08-03 at 22:32 +1000, Raif S. Naffah wrote:
> hello Tom,
>
> On Thursday 03 August 2006 09:46, Tom Tromey wrote:
> > >>>>> "Raif" == Raif S Naffah <[EMAIL PROTECTED]> writes:
> > ...
> > Raif> i downloaded and installed (own --prefix since i don't use a Debian
> > Raif> distro) the latest stable ca-certificates package (from
> > Raif> <http://packages.debian.org/stable/misc/ca-certificates>).
> >
> > I wasn't really paying close attention to this... but Anthony ran into
> > an issue (see the fedora-java list)
>
> can you give me a url to that message/thread?

https://www.redhat.com/archives/fedora-devel-java-list/2006-July/thread.html#00061
But it seems Casey's emails never made it to that list.

> > ...with an application because we
> > don't install our own cacerts file.
> >
> > He pointed out /etc/pki/tls/certs/ca-bundle.crt (on Fedora, dunno
> > about other distros) -- but this file seems to be in a format not
> > understood by gkeytool. Is that intentional? It contains a number of
> > certificates; gkeytool stops after reading the first one.
> >
> > FWIW this file comes from the openssl package.
>
> the file (ca-bundle.crt) looks like a flat list of x.509 certificates in
> rfc-1421 format. its contents look like the collection of CA certificates
> from the Debian ca-certificates package under the mozilla folder --i didn't
> verify each individual certificate though.
>
> the gkeytool knows how to import _one_ certificate from such encoded files
> with either the -import or the -cacert commands. the latter, coupled with
> the import-cacerts.sh (in the scripts folder) can populate a cacerts
> keystore, and was part of the email you're referring to.

Did we actually add such a script? I cannot find it anymore.

> the reason for the one certificate/file is that, under certain circumstances,
> the user may be required to verify visually the hash of the certificate
> before the tool can add the certificate, as a trusted one, to the keystore.
>
>
> cheers;
> rsn
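Added example (not part of the thread, and not the import-cacerts.sh script it mentions): a POSIX shell script that splits a ca-bundle.crt style file into one PEM file per certificate and prints a fingerprint of each, so every certificate can be checked visually before it is handed to gkeytool's -import or -cacert command. The function names, the cert-NNN.pem naming and the choice of SHA-256 are assumptions; the thread does not say which hash gkeytool displays.

```shell
#!/bin/sh
# Added example: split a multi-certificate PEM (RFC 1421 style) bundle into
# one file per certificate so each can be reviewed and imported on its own.

# split_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-NNN.pem, prints the count.
# Text outside the BEGIN/END markers is ignored; a certificate that is
# still open at end of file makes the function fail.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END {
            if (inside) { print "unterminated certificate " n > "/dev/stderr"; exit 1 }
            print n + 0
        }
    ' "$bundle"
}

# cert_fingerprint FILE -> hex SHA-256 over the base64-decoded (DER) bytes.
cert_fingerprint() {
    sed '/^-----/d' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Constructed sample: the bodies are placeholder base64, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
comment text outside the markers is ignored
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
EOF
}

# Usage: sh split-bundle.sh /path/to/ca-bundle.crt OUTDIR
if [ "$#" -eq 2 ]; then
    count=$(split_bundle "$1" "$2") || exit 1
    echo "$count certificates written to $2"
    for f in "$2"/cert-*.pem; do
        echo "$(cert_fingerprint "$f")  $f"
    done
fi
```

Compare each printed fingerprint with a value obtained from the CA through a separate channel before importing the corresponding file as trusted.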
