Yes, that's very helpful. Didn't know that existed. I've been re-adding my CA to it after OS updates myself, but this is much better.

On Oct 28, 2014, at 10:20 AM, Randy Barlow <rbar...@redhat.com> wrote:

> On 10/28/2014 09:04 AM, Ashby, Jason (IMS) wrote:
>> Add your root and intermediary CAs to system CA bundle (copy ca-bundle.crt
>> out to all consumers too):
>>
>> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
>> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
>
> Hi Jason,
>
> I think the above might become a problem the next time you update your
> ca-certificates package. Red Hat OS's have a tool to help you with this
> called update-ca-trust. Its man page is pretty decent, but the gist of it
> is that you should stick CAs that you want to trust in
> /etc/pki/ca-trust/source/anchors/, and then use that utility to add the
> CAs that it finds there to the ca-bundle.crt file for you. This way it
> will survive package updates to the CA bundle.
>
> The first time you use update-ca-trust, you need to run it with the
> enable flag, IIRC:
>
>     $ sudo update-ca-trust enable
>
> Then, whenever you want to change the CAs you trust, run:
>
>     $ sudo update-ca-trust extract
>
> Hope this helps!
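
The anchors-directory procedure from the message above, as an added example that is not part of the original thread: it checks each file before staging it, rebuilds the bundle, and confirms the result. The paths are the ones named in the thread; the function names, the pre-checks and the script name `trust-cas.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example. ANCHOR_DIR and BUNDLE are the paths named in the thread;
# the function names and the pre-checks are assumptions of this example.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# True if the PEM certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True if the certificate's notAfter date is still in the future.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True if certificate $1 chains to a CA in bundle $2.
# Matching ": OK" instead of the exit status also works with old openssl releases.
trusted_by_bundle() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Copy one CA into the anchors directory after the pre-checks (needs root).
stage_anchor() {
    is_ca_cert "$1" || { echo "$1: not a CA certificate" >&2; return 1; }
    not_expired "$1" || { echo "$1: expired" >&2; return 1; }
    install -m 0644 "$1" "$ANCHOR_DIR/"
}

# Stage every CA given (root first, then intermediates), rebuild, verify.
trust_cas() {
    for ca in "$@"; do stage_anchor "$ca" || return 1; done
    update-ca-trust extract || return 1
    for ca in "$@"; do
        trusted_by_bundle "$ca" "$BUNDLE" ||
            { echo "$ca: not trusted after extract" >&2; return 1; }
    done
}

# Runs only when CA files are given, e.g.:
#   sudo sh trust-cas.sh /etc/pki/pulp_certs/rootca.crt /etc/pki/pulp_certs/pulpca.crt
if [ "$#" -gt 0 ]; then trust_cas "$@"; fi
```

The same verification step can be run on each consumer after its own `update-ca-trust extract`.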