help-guix

Re: root certificate


From: Divan Santana
Subject: Re: root certificate
Date: Tue, 12 Jun 2018 09:10:30 +0200

address@hidden writes:

> On 06/11/2018 at 12:59 Joshua Branson writes:
>
>> Divan Santana <address@hidden> writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>>
>>>
>>> I didn't see it in the manual.
>>>
>>> (Hopefully I didn't miss it. I need to read up on using info within Emacs
>>> better.)
>>> --
>>> Divan
>
> Hello Divan,
>
> If you want a bundle of standard CA certificates, install "nss-certs".
> It is probably already installed as a system package since most of
> the example GuixSD configs include it. But I have encountered at least
> one situation where I needed to also install it as a user package,
> e.g. 'guix package -i nss-certs'.
>
> For details please see ...
>
> (guix) Application Setup
>
> ... or ...
>
> https://www.gnu.org/software/guix/manual/guix.html

So in my case, I have a root CA certificate for our organisation and
many internal sites have a certificate issued from this CA.

I want to import this self-signed root CA so all sites with certs issued
by this org CA are trusted OS wide.

To do this on Arch one can:

#+begin_src sh
  wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://fqdn/pub/org-ca.crt
  trust extract-compat
#+end_src

Debian Family
#+begin_src sh
  mkdir /usr/share/ca-certificates/extra
  wget -O /usr/share/ca-certificates/extra/fnb-ca.crt http://fqdn/pub/org-ca.crt
  dpkg-reconfigure ca-certificates
#+end_src

I was hoping one could do the above within the system manifest file
config.scm?

Else perhaps we do:
  wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://fqdn/pub/org-ca.crt
  trust extract-compat

Doing a command like this would make most of the apps (curl/wget/browser)
on the system trust these sites.
--
Divan
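
An added example, not part of the original message: a shell function that copies a downloaded CA file into a trust-anchor directory only when it is a single PEM certificate and its SHA-256 file digest matches a value obtained over a separate trusted channel, for use between the `wget` step and `trust extract-compat` / `dpkg-reconfigure ca-certificates` above. The function names, arguments and return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Names, arguments and
# return codes are assumptions made for illustration.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_anchor FILE EXPECTED_SHA256 ANCHOR_DIR
# Copy FILE into ANCHOR_DIR only if it holds exactly one PEM certificate
# and its file digest equals EXPECTED_SHA256 (colons and case are ignored).
# Returns 0 when installed, 1 on digest mismatch, 2 on malformed input.
install_anchor() {
    file=$1; expected=$2; dir=$3

    # Reject missing or empty downloads (e.g. an error page saved as 0 bytes).
    [ -f "$file" ] && [ -s "$file" ] || return 2

    # A trust anchor file should carry one certificate, not a bundle.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 2

    # Normalise the pinned value: strip colons/spaces, lowercase hex.
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(sha256_of "$file")
    [ "$got" = "$want" ] || return 1

    # Only now touch the trust store directory.
    mkdir -p "$dir"
    cp "$file" "$dir/$(basename "$file")"
    chmod 0644 "$dir/$(basename "$file")"
}
```

The pinned value here is the digest of the file as published, which is not the same number as a certificate fingerprint computed over the DER encoding.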


