[Pulp-list] Qpid SSL on Pulp 2.4
Randy Barlow
rbarlow at redhat.com
Tue Oct 28 14:20:19 UTC 2014
On 10/28/2014 09:04 AM, Ashby, Jason (IMS) wrote:
> Add your root and intermediary CA's to system CA bundle (copy ca-bundle.crt out to all consumers too):
>
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
Hi Jason,

I think the above might become a problem the next time you update your
ca-certificates package. Red Hat OS's have a tool to help you with this
called update-ca-trust. Its man page is pretty decent, but the gist of
it is that you should stick CAs that you want to trust in
/etc/pki/ca-trust/source/anchors/, and then use that utility to add the
CAs that it finds there to the ca-bundle.crt file for you. This way it
will survive package updates to the CA bundle.

The first time you use update-ca-trust, you need to run it with the
enable flag, IIRC:

$ sudo update-ca-trust enable

Then, whenever you want to change the CAs you trust, run:

$ sudo update-ca-trust extract

Hope this helps!
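A check that fits the procedure in the message above, added here as an example and not part of the original message or of Pulp: it reports which CA files under /etc/pki/ca-trust/source/anchors/ have no matching certificate in ca-bundle.crt, the state a replaced bundle would leave behind. The function names and the placeholder certificate payloads in `demo()` are constructed for illustration; the two default paths are the ones named in the message.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"  # path named in the message
BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"      # path named in the message
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(data: bytes) -> set:
    """SHA-256 of each certificate's DER bytes; text around PEM blocks is ignored."""
    bodies = PEM_RE.findall(data)
    if not bodies:  # no PEM block found: treat the whole file as one DER certificate
        return {hashlib.sha256(data).hexdigest()} if data else set()
    return {hashlib.sha256(base64.b64decode(b"".join(b.split()))).hexdigest()
            for b in bodies}

def missing_anchors(anchor_dir=ANCHOR_DIR, bundle=BUNDLE) -> list:
    """Names of anchor files whose certificates are not all present in the bundle."""
    trusted = fingerprints(Path(bundle).read_bytes())
    missing = []
    for path in sorted(Path(anchor_dir).iterdir()):
        if path.is_file():
            fps = fingerprints(path.read_bytes())
            if not fps or not fps <= trusted:
                missing.append(path.name)
    return missing

def pem_block(payload: bytes) -> bytes:
    """Constructed placeholder PEM block (not a real X.509 certificate)."""
    b64 = base64.encodebytes(payload).strip()
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"

def demo() -> list:
    """Constructed case: both CAs are anchors, but the bundle only holds the root."""
    with tempfile.TemporaryDirectory() as tmp:
        anchors = Path(tmp, "anchors")
        anchors.mkdir()
        (anchors / "rootca.crt").write_bytes(pem_block(b"constructed-root-ca"))
        (anchors / "pulpca.crt").write_bytes(pem_block(b"constructed-pulp-ca"))
        bundle = Path(tmp, "ca-bundle.crt")
        # "openssl x509 -text" writes human-readable text before the PEM block
        bundle.write_bytes(b"Certificate:\n    Data: ...\n" + pem_block(b"constructed-root-ca"))
        return missing_anchors(anchors, bundle)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `missing_anchors()` with its defaults after `update-ca-trust extract`; an empty list means every anchor made it into the bundle.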