[Pulp-list] Qpid SSL on Pulp 2.4

Ashby, Jason (IMS) AshbyJ at imsweb.com
Tue Oct 28 15:03:15 UTC 2014


Yes, that's very helpful. Didn't know that existed. I've been re-adding my CA to it after OS updates myself, but this is much better.

On Oct 28, 2014, at 10:20 AM, Randy Barlow <rbarlow at redhat.com> wrote:

> On 10/28/2014 09:04 AM, Ashby, Jason (IMS) wrote:
> Add your root and intermediary CAs to system CA bundle (copy ca-bundle.crt out to all consumers too):
>
> openssl x509 -in /etc/pki/pulp_certs/rootca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
> openssl x509 -in /etc/pki/pulp_certs/pulpca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

Hi Jason,

I think the above might become a problem the next time you update your
ca-certificates package. Red Hat OSes have a tool to help you with this
called update-ca-trust. Its man page is pretty decent, but the gist of
it is that you should stick CAs that you want to trust in
/etc/pki/ca-trust/source/anchors/, and then use that utility to add the
CAs that it finds there to the ca-bundle.crt file for you. This way it
will survive package updates to the CA bundle.

The first time you use update-ca-trust, you need to run it with the
enable flag, IIRC:

$ sudo update-ca-trust enable

Then, whenever you want to change the CAs you trust, run:

$ sudo update-ca-trust extract

Hope this helps!
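
The procedure described above, as an added example that is not part of the original thread: it stages CA files into the anchors directory, refuses any file that carries a private key, then rebuilds the bundle and checks the result. The function names and the ANCHOR_DIR and BUNDLE variables are assumptions made for this sketch; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function and variable names are
# assumptions; the default paths are the ones quoted in the messages.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Succeeds only for a readable PEM file that holds a certificate and no
# private key. Everything under anchors/ becomes trusted system-wide, so
# a key or a stray file must never be copied there.
is_cert_only_pem() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
    if grep -q -- 'PRIVATE KEY-----' "$1"; then return 1; fi
    return 0
}

# Copy one CA file into ANCHOR_DIR with mode 0644.
stage_anchor() {
    is_cert_only_pem "$1" || { echo "refusing $1: not a cert-only PEM" >&2; return 1; }
    dest="$ANCHOR_DIR/$(basename "$1")"
    cp -- "$1" "$dest" && chmod 0644 "$dest"
}

# Rebuild the bundle and confirm each staged CA verifies against it.
# Needs root, update-ca-trust and openssl, so run it on the host itself.
refresh_and_verify() {
    update-ca-trust extract || return 1
    for ca in "$ANCHOR_DIR"/*; do
        [ -e "$ca" ] || continue
        openssl verify -CAfile "$BUNDLE" "$ca" >/dev/null \
            || { echo "not trusted after extract: $ca" >&2; return 1; }
    done
}
```

On the server and on each consumer, call stage_anchor once for /etc/pki/pulp_certs/rootca.crt and once for /etc/pki/pulp_certs/pulpca.crt, then run refresh_and_verify as root.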

