On Wed, 22 Feb 2023, Vladimir Petko wrote:

>Just a small clarification, openssl itself allows importing a single
>certificate and its chain and overwrites the store in the process, so
>we need something like p11-kit.
>Another grey area is the ORACLE_TrustedKeyUsage attribute - at the moment

Ugh.

How about doing it the “low-tech” way:

– ship a minimal JKS keystore with bin:ca-certificates-java,
  generated at build time, that contains a manually vetted
  list of roots, perhaps just what’s relevant for Debian
– use a Recommends to get at a JRE
– with a trigger, generate a full keystore once a JRE is there

(The shipped one would need to be in /usr/share/!(doc) and
copied so overwriting it with the generated one works and
we’ll probably need to track hashes of shipped ones so we
can honour admin choices to override the keystore if needed.)

bye,
//mirabilos
-- 
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/

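The "low-tech" scheme proposed above, as an added example that is not part of the original mail or of the ca-certificates-java package's maintainer scripts: a shipped keystore is copied into place on configure, a trigger builds the full keystore once keytool exists, and both steps are guarded by a hash list so that a keystore the admin has modified is left alone. The paths (SHIPPED, INSTALLED, HASHFILE), the use of sha256sum from coreutils, and the `configure`/`triggered` arguments are assumptions made for the sketch, not the package's real layout.

```shell
#!/bin/sh
# Added example sketching the hash-tracked keystore handling described in
# the mail. Paths below are hypothetical, not the real package layout.
set -e

SHIPPED=${SHIPPED:-/usr/share/ca-certificates-java/cacerts.shipped}
INSTALLED=${INSTALLED:-/etc/ssl/certs/java/cacerts}
HASHFILE=${HASHFILE:-/var/lib/ca-certificates-java/shipped.sha256}

# SHA-256 of a file; empty string when the file does not exist.
hash_of() {
    [ -f "$1" ] || { echo ""; return 0; }
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 ("we may overwrite") when the installed keystore is missing or
# its hash is one we recorded ourselves (shipped copy or generated store),
# i.e. the admin has not replaced or edited it. Return 1 ("keep") otherwise.
may_overwrite() {
    inst=$(hash_of "$INSTALLED")
    [ -z "$inst" ] && return 0
    [ -f "$HASHFILE" ] || return 1
    grep -qx "$inst" "$HASHFILE"
}

# Remember the hash of a file we produced so later runs recognise it as ours.
record_hash() {
    mkdir -p "$(dirname "$HASHFILE")"
    hash_of "$1" >> "$HASHFILE"
}

# postinst configure: put the minimal shipped keystore in place unless the
# admin already installed their own.
install_shipped() {
    may_overwrite || return 0
    mkdir -p "$(dirname "$INSTALLED")"
    cp "$SHIPPED" "$INSTALLED"
    record_hash "$INSTALLED"
}

# Trigger, fired once a JRE is present: import every system CA into a fresh
# JKS store and swap it in, again only if the admin has not overridden it.
# Without keytool (no JRE yet) this is a no-op.
generate_full() {
    command -v keytool >/dev/null 2>&1 || return 0
    may_overwrite || return 0
    tmp=$(mktemp "$INSTALLED.XXXXXX")
    for pem in /etc/ssl/certs/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts -keystore "$tmp" \
            -storepass changeit -alias "$name" -file "$pem" \
            >/dev/null 2>&1 || true
    done
    mv "$tmp" "$INSTALLED"
    record_hash "$INSTALLED"
}

case "${1:-}" in
    configure) install_shipped ;;
    triggered) generate_full ;;
esac
```

The point of the hash list is that a dpkg conffile would not help here: the generated keystore is not a conffile, yet an admin who drops in their own store must not have it clobbered by the next trigger run. Recording every hash we ever wrote (shipped and generated) lets the script tell "ours" from "theirs" without diffing keystore contents.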