DEV Community

ZHANG, HENGMING

Certificate authority (CA) config for the Fedora distro

On recent Fedora releases the certificate authority (CA) trust store is managed through p11-kit, with the Mozilla bundle shipped as ca-bundle.trust.p11-kit, and the update method has changed so that the old update methods are outdated. I therefore created this post to record my changes to CA management on Fedora.

No third-party / company / government certificates

I deleted all of the certificates included in the recent Mozilla CA bundle, including the nostalgic CNNIC certificates, etc. Only the OSS one (Let's Encrypt) remained. This change irreversibly makes some websites inaccessible (GitHub, etc.), while only a minimal set of websites remains on the table.

Start configuration

I configured two environments to use the config:

  • application-based environments (those reading /etc/pki/ca-trust/source, high priority, and /usr/share/pki/ca-trust-source, low priority), such as curl.
  • browser-based environments (Firefox, Tor Browser).

The above two environments use different CA settings to configure and manage certificates (TLS/SSL, Java, EDK2, etc.): system applications consume the stores that update-ca-trust extracts under /etc/pki/ca-trust/extracted (OpenSSL/PEM, Java, EDK2), while Firefox and Tor Browser carry their own NSS root store in the browser profile. To make all environments follow one setting, each environment has to be configured separately.

When I started to configure it, I had to remind myself that it was not enough to use the trust CLI (since it was unable to change the read-only Mozilla CA bundle), and I had to edit the original file, putting a # comment before each line. That was still not done correctly. What did work was that I created a .bak file of the original file and moved the .bak file (and the original one) out of the directory above (the one in the /etc/pki/ca-trust/source directory), leaving only the file with commented-out or deleted lines in the directory. Then I executed sudo update-ca-trust, and all certs were updated accordingly.
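The following script is an added example and is not the author's method or code from the original post. It shows the mechanism update-ca-trust(8) documents for distrusting a CA without touching the read-only Mozilla bundle: a copy of the certificate placed in /etc/pki/ca-trust/source/blocklist/ (named "blacklist" on older Fedora releases) marks it as distrusted, and update-ca-trust then regenerates every extracted store without it. The script splits the extracted bundle into one file per certificate, keeps an allowlist (here only "ISRG Root X1"), and lists the rest for the blocklist. Assumptions, stated as such: the bundle path /etc/pki/tls/certs/ca-bundle.crt, the "# <label>" comment line that update-ca-trust writes before each certificate, the blocklist directory name, and the constructed sample bundle with placeholder bodies that are not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): distrust every built-in CA except
# an allowlist by generating a p11-kit blocklist, the mechanism documented in
# update-ca-trust(8), instead of editing the read-only Mozilla bundle.
#
# Assumptions, labelled as such: the extracted bundle has the layout that
# update-ca-trust writes (each certificate preceded by a "# <label>" line);
# the distrust directory is /etc/pki/ca-trust/source/blocklist (older Fedora
# releases named it "blacklist"); "ISRG Root X1" is the only CA to keep.

BUNDLE=${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}
BLOCKLIST_DIR=${BLOCKLIST_DIR:-/etc/pki/ca-trust/source/blocklist}
KEEP="ISRG_Root_X1"    # sanitised labels (spaces -> "_") of CAs to keep trusting

# split_bundle BUNDLE OUTDIR: write one PEM file per certificate into OUTDIR,
# named after the "# label" comment. Prints the number of certificates written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^# /                          { label = substr($0, 3)
                                         gsub(/[^A-Za-z0-9._-]/, "_", label); next }
        /^-----BEGIN CERTIFICATE-----/ { if (label == "") label = "unlabeled_" (n + 0)
                                         out = dir "/" label ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out); n++; label = "" }
        END                            { print n + 0 }
    ' "$1"
}

# is_kept LABEL: succeeds when LABEL is in $KEEP.
is_kept() {
    for k in $KEEP; do [ "$1" = "$k" ] && return 0; done
    return 1
}

# select_blocklist CERTDIR: print the path of every certificate to distrust.
select_blocklist() {
    for f in "$1"/*.pem; do
        is_kept "$(basename "$f" .pem)" || printf '%s\n' "$f"
    done
}

# apply_blocklist CERTDIR: the privileged step. Copies the selected certificates
# into the blocklist directory and regenerates every extracted store
# (OpenSSL/PEM, Java, EDK2) with update-ca-trust. Not run automatically here.
apply_blocklist() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_blocklist: run as root" >&2; return 1; }
    mkdir -p "$BLOCKLIST_DIR"
    select_blocklist "$1" | while IFS= read -r f; do cp "$f" "$BLOCKLIST_DIR/"; done
    update-ca-trust
    # Checks worth running afterwards: the anchor count should shrink to the
    # allowlist, and a site chaining to a distrusted root must now fail.
    echo "trusted anchors now: $(trust list --filter=ca-anchors | grep -c 'label:')"
    if curl -sS -o /dev/null https://github.com; then
        echo "WARNING: github.com is still trusted" >&2
    fi
}

# write_sample_bundle PATH: a constructed three-entry bundle in the assumed
# layout; the bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# ISRG Root X1
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
# Example Government CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
# Example Corp Root G2
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
EOF
}

# Dry run against the constructed bundle: no root needed, nothing is touched.
work=$(mktemp -d)
write_sample_bundle "$work/bundle.pem"
echo "certificates in sample bundle: $(split_bundle "$work/bundle.pem" "$work/certs")"
echo "would be distrusted:"
select_blocklist "$work/certs"
rm -rf "$work"
```

On a real host the same two functions are run against the live bundle (`split_bundle "$BUNDLE" /tmp/certs`, then `apply_blocklist /tmp/certs` as root). The blocklist survives package upgrades of ca-certificates, which is the practical advantage over deleting or commenting out lines in the bundle file: the next update of the package would silently restore the removed roots, while blocklisted ones stay distrusted.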

Chain of consequences

Changing the CA root certs in the system config will break other configs, which then have to be changed accordingly. These include:

  • protocols that use CA certs (XMPP, WebSockets, etc.)
  • applications that use the TLS/SSL, Java and EDK2 stores (such as dnf fetching Fedora mirrors and RPM repos over HTTPS).
  • anything else.

The road to self-managed CA certs

The best choice for Internet PKI (public key infrastructure) is managing certs (probably including root certs) by oneself. To easily manage and configure CAs in Internet trust chains, personal solutions, e.g. OpenXPKI, and enterprise solutions (Hyperledger Fabric with a PKCS #11 interface) could be considered.
