From Fedora Project Wiki

Shared Certificate Tools

Summary

Fedora now has infrastructure for sharing system trusted certificates between the various crypto libraries.

Tools are being worked on for adding/removing these shared trusted certificates, as well as blacklisted certificates. This is being worked on upstream in the p11-kit project.

This change integrates that upstream work into Fedora.

Owner

  • Name: Stef Walter
  • Email: stefw@redhat.com
  • Release notes owner:

Current status

Detailed Description

A tool will be added to the p11-kit-trust package which can be used to perform the following actions:

  • Add a trust anchor
  • Disable a trust anchor
  • Remove an added trust anchor
  • Blacklist a certificate or key
  • Remove a blacklisted certificate or key

Because not all crypto implementations read their trusted information directly from the dynamic database, the tool will take care of extracting things as appropriate after making a change. This will enable administrators to run a single command to add an anchor (and perform other tasks).

Benefit to Fedora

This is the next incremental step in the Shared System Certificate work. Fedora will become easier to manage for administrators or system builders.

Scope

Work has been done in p11-kit to have the trust module store changes. The initial tool has been written upstream. The remainder of the tool needs completion.

The ca-certificates package will need some minor tweaks to make sure the new tools integrate correctly with it.

Although this feature can potentially affect a large number of packages, the implementation is well bounded. It is limited to p11-kit (with one or two lines changed in ca-certificates).

  • Proposal owners: stefw
  • Other developers: kaie (for ca-certificates)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

It is our aim that no upgrade will be needed. We explicitly did not publish the relevant data formats in previous versions in Fedora 19. There should be no need to migrate data, as there has been no data stored by the trust module yet.

The ca-certificates package will have some minor tweaks in concert with p11-kit.

How To Test

  • A test day will be prepared for this change.
  • Further information for testing will appear here, with relevant commands to run.

User Experience

  • The administrator's user experience will change. In Fedora 19 they had to place a file in a certain special directory, and then run 'update-ca-trust'. In Fedora 20 they will run a simple command which performs all relevant actions.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • We will not change the Fedora 19 behavior. This new functionality is built on top of it.
  • A revert to Fedora 19 is possible as a contingency.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

There will be manual pages and documentation. In addition, a blog post will be written at this point to explain the system.

Release Notes

  • Release notes will be provided.