Hi, /etc/ca-certificates.conf is an important file. It allows the user to disable any certificate included in app-misc/ca-certificates without messing with /etc/ssl/... (which would be the wrong way to do that BTW).

Header from Gentoo (app-misc/ca-certificates-20140223):

# Automatically generated by app-misc/ca-certificates-20140223
# Mon Mar 17 13:00:43 UTC 2014
# Do not edit.

Header from Debian:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.

Reproducible: Always
that header is generated on the fly by Debian in their postinst. not exactly easy to extract ...
hmm, actually in the current system, the header is correct. you cannot edit that file because we will simply blow it away on the next emerge (by design). the file is explicitly masked from config protection. you could add a hook in /etc/ca-certificates/update.d, but that's a hack at best. the only option atm is to actually rm the relevant file.
I've just bumped into this problem, and with some help found out that certs placed in /usr/local/share/ca-certificates/ are added by update-ca-certificates into /etc/ssl/certs/ca-certificates.crt even if they're not listed in /etc/ca-certificates.conf. That allows for addition of trusted certs. I'm not sure how to proceed if someone wanted to disable a certificate provided upstream.
How about writing an eselect module? I had one in the past, though I lost it somewhere in bitrot.
The man page for update-ca-certificates(8) reads as though the canonical way to configure this would be the /etc/ca-certificates.conf file. If that's not the case on Gentoo, consider updating that man page, and also the header comment to suggest alternatives like the use of /usr/local/share/ca-certificates/. Of course, having the file actually configurable would be preferable. Perhaps you could have a separate file which gets appended to /etc/ca-certificates.conf upon install, and which could contain additional names as well as !-prefixed removals? Then the header should suggest editing this other file instead, together with instructions on how to rebuild the combined list.
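An added sketch of the "separate file appended on install" idea from the comment above (example code, not anything shipped by Gentoo or Debian): a locally maintained override file in the same syntax as ca-certificates.conf ("name.crt" selects, "!name.crt" deselects, "#" comments) is merged into the freshly generated list, so upstream deselections survive a re-emerge while additions that are already listed are not duplicated. File names and paths in the sample input are constructed.

```shell
#!/bin/sh
# merge_ca_conf GENERATED OVERRIDE OUT
# Writes OUT = GENERATED with the override applied: comment header kept,
# every name listed as "!name" in OVERRIDE is emitted deselected, and plain
# names from OVERRIDE that are absent from GENERATED are appended.
merge_ca_conf() {
    generated=$1 override=$2 out=$3
    # keep the generated header comments verbatim
    grep '^#' "$generated" > "$out" || :
    # names to deselect (leading "!" and trailing whitespace stripped)
    deselect=$(grep '^!' "$override" | sed -e 's/^!//' -e 's/[[:space:]]*$//' || :)
    # plain names to add (comments, deselections and blank lines dropped)
    additions=$(grep -v '^[#!]' "$override" | grep -v '^[[:space:]]*$' || :)
    # rewrite every entry of the generated list, flipping deselected ones
    grep -v '^#' "$generated" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        name=${line#!}
        if printf '%s\n' "$deselect" | grep -qxF -e "$name"; then
            printf '!%s\n' "$name"
        else
            printf '%s\n' "$line"
        fi
    done >> "$out"
    # append additions that are not yet present in either state
    printf '%s\n' "$additions" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        grep -qxF -e "$name" -e "!$name" "$out" || printf '%s\n' "$name" >> "$out"
    done
}

# Constructed sample input (hypothetical certificate names); returns the
# path of the merged file so the result can be inspected.
demo_merge() {
    tmp=$(mktemp -d)
    cat > "$tmp/generated.conf" <<'EOF'
# Automatically generated by app-misc/ca-certificates (sample)
# Do not edit.
mozilla/ExampleRoot_CA.crt
mozilla/Other_Root.crt
mozilla/Third_Root.crt
EOF
    cat > "$tmp/local.conf" <<'EOF'
# locally maintained overrides, survives re-emerge
!mozilla/Other_Root.crt
local/Corporate_Root.crt
mozilla/Third_Root.crt
EOF
    merge_ca_conf "$tmp/generated.conf" "$tmp/local.conf" "$tmp/merged.conf"
    printf '%s\n' "$tmp/merged.conf"
}

cat "$(demo_merge)"
```

The merged list still has to be fed to update-ca-certificates afterwards; the script only produces the configuration file.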