Hi Daiki:

Your hints were right on the money. I was able to make my certificate permanent by:

1. Running "trust anchor /path/to/mycert.pem"
2. Editing "/etc/pki/ca-trust/source/mycert.p11-kit" and changing one line:

   certificate-category: other-entry

   to

   certificate-category: authority

With that change, "trust list ..." displayed my server and update-ca-trust added my server cert to the java cacerts file.

Thanks so much!
Allen

On Thu, May 25, 2017 at 9:11 AM, Daiki Ueno <du...@redhat.com> wrote:
> Hello,
>
> Allen Barnett <allenbarne...@gmail.com> writes:
>
> > /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
> > --overwrite --purpose server-auth $DEST/java/cacerts
> > [...]
> >
> > Is there some way I can diagnose why p11-kit extract doesn't add my
> > certificate to java/cacerts? I ran it under strace and it definitely
> > opens and reads the PEM file. So, perhaps there's something about the
> > certificate itself that doesn't meet some criterion of p11-kit?
>
> I would suggest checking whether the filter condition given to "p11-kit
> extract" matches your certificate, by using the "trust list" command:
>
>   trust list --filter=ca-anchors --purpose server-auth
>
> If it doesn't include your certificate, then it's likely that the
> certificate doesn't have sufficient attributes. In that case, you could
> attach them by doing:
>
> - add the certificate using the "trust anchor" command, rather than copying
>   the file directly into /etc/pki/ca-trust/source/anchors. The command
>   will create /etc/pki/ca-trust/source/your-cert.p11-kit
>
> - create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,
>   containing a trust assertion, something like:
>
>   [p11-kit-object-v1]
>   class: x-trust-assertion
>   x-assertion-type: x-anchored-certificate
>   x-purpose: "1.3.6.1.5.5.7.3.1"
>   -----BEGIN CERTIFICATE-----
>   ...
>   -----END CERTIFICATE-----
>
> cf:
>
> http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
> https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/
>
> Regards,
> --
> Daiki Ueno
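The two remedies discussed in this thread (Allen's one-line edit of certificate-category, and Daiki's separate trust-assertion object) both work by changing attributes in a .p11-kit object file, so it helps to see what "trust list --filter=ca-anchors --purpose server-auth" is actually matching on. Below is an added example, written for this thread and not code from either poster or from p11-kit itself: a small parser for the [p11-kit-object-v1] format shown above that reports each object's attributes, a check that models the ca-anchors filter (a trusted certificate in the authority category, or a trust assertion for the server-auth OID 1.3.6.1.5.5.7.3.1), and the certificate-category rewrite. The file layout beyond what the thread shows (the trusted/x-distrusted/certificate-type lines, quoted label) is assumed from files written by "trust anchor"; the sample file and its PEM body are constructed placeholders, not a real certificate, and the filter check is a simplification that looks only at the p11-kit attributes, not at the X.509 content.

```python
"""Inspect and fix up p11-kit object files (the .p11-kit format shown in the thread).

Added example; not part of p11-kit. The filter model below is a simplification.
"""
import re

# id-kp-serverAuth, the OID quoted in the trust-assertion example above.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Constructed sample modelled on what "trust anchor mycert.pem" writes to
# /etc/pki/ca-trust/source/mycert.p11-kit. The PEM body is a placeholder.
SAMPLE_FILE = """\
[p11-kit-object-v1]
trusted: true
x-distrusted: false
class: certificate
certificate-type: x-509
certificate-category: other-entry
label: "My Server CA"
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
"""

# Constructed sample of Daiki's second approach: a separate trust assertion.
SAMPLE_ASSERTION = """\
[p11-kit-object-v1]
class: x-trust-assertion
x-assertion-type: x-anchored-certificate
x-purpose: "1.3.6.1.5.5.7.3.1"
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
"""


def parse_p11kit(text):
    """Return a list of objects, one per [p11-kit-object-v1] stanza.

    Each object is a dict of "key: value" attributes (surrounding quotes
    removed) plus a "pem" entry holding the PEM block text, or None.
    """
    objects, current, pem_lines = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pem_lines is not None:            # inside a PEM block: copy verbatim
            pem_lines.append(line)
            if line == "-----END CERTIFICATE-----":
                current["pem"] = "\n".join(pem_lines)
                pem_lines = None
            continue
        if not line or line.startswith("#"):
            continue
        if line == "[p11-kit-object-v1]":
            current = {"pem": None}
            objects.append(current)
            continue
        if current is None:
            raise ValueError(f"content before any [p11-kit-object-v1] header: {line!r}")
        if line == "-----BEGIN CERTIFICATE-----":
            pem_lines = [line]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip()] = value
    if pem_lines is not None:
        raise ValueError("unterminated PEM block")
    return objects


def is_server_auth_anchor(objects):
    """Model of the ca-anchors/server-auth filter over the parsed objects.

    True for a trusted certificate in the "authority" category, or for a
    trust assertion anchoring the certificate for the server-auth purpose.
    """
    for obj in objects:
        if (obj.get("class") == "certificate"
                and obj.get("trusted") == "true"
                and obj.get("certificate-category") == "authority"):
            return True
        if (obj.get("class") == "x-trust-assertion"
                and obj.get("x-assertion-type") == "x-anchored-certificate"
                and obj.get("x-purpose") == SERVER_AUTH_OID):
            return True
    return False


def promote_to_authority(text):
    """Apply the one-line edit from the thread: other-entry -> authority.

    Returns (new_text, number_of_lines_changed).
    """
    pattern = re.compile(r"^(\s*certificate-category:\s*)other-entry\s*$", re.MULTILINE)
    return pattern.subn(r"\g<1>authority", text)


if __name__ == "__main__":
    before = parse_p11kit(SAMPLE_FILE)
    print("as written by 'trust anchor':", is_server_auth_anchor(before))
    fixed, changed = promote_to_authority(SAMPLE_FILE)
    print(f"after editing {changed} line(s):", is_server_auth_anchor(parse_p11kit(fixed)))
    print("with a trust assertion:", is_server_auth_anchor(parse_p11kit(SAMPLE_ASSERTION)))
```

Run against a real /etc/pki/ca-trust/source/*.p11-kit file, the parser shows why "trust list --filter=ca-anchors" was silent: the object is present and trusted, but its category is other-entry, so it is not an anchor. After either fix, update-ca-trust (which runs the p11-kit extract command quoted above) picks the certificate up.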
_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue