[Pulp-list] Qpid SSL on Pulp 2.4

Randy Barlow rbarlow at redhat.com
Tue Oct 28 14:20:19 UTC 2014

On 10/28/2014 09:04 AM, Ashby, Jason (IMS) wrote:
> Add your root and intermediary CA's to system CA bundle (copy ca-bundle.crt out to all consumers too):
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

Hi Jason,

I think the above might become a problem the next time you update your
ca-certificates package. Red Hat OS's have a tool to help you with this
called update-ca-trust. It's man page is pretty decent, but the gist of
it is that you should stick CAs that you want to trust in
/etc/pki/ca-trust/source/anchors/, and then use that utility to add the
CAs that it finds there to the ca-bundle.crt file for you. This way it
will survive package updates to the CA bundle.

The first time you use update-ca-trust, you need to run it with the
enable flag, IIRC:

$ sudo update-ca-trust enable

Then, whenever you want to change the CAs you trust, run:

$ sudo update-ca-trust extract

Hope this helps!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20141028/748bf181/attachment.sig>

More information about the Pulp-list mailing list