Re: root certificate

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: root certificate

From:	Mark H Weaver
Subject:	Re: root certificate
Date:	Wed, 13 Jun 2018 17:25:56 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Hi Divan,

Divan Santana <address@hidden> writes:

> How does one import a root certificate for GuixSD?
>
> I didn't see it in the manual.

You didn't see it because we don't yet have a polished way to do this,
unfortunately.  The good news is that we've already laid the groundwork
for supporting local certificate stores.

Our 'le-certs' package in gnu/packages/certs.scm is a good template for
making custom certificate packages, and can be easily adapted to your
needs.

For now, you could simply make a copy of the 'le-certs' package, but
with a different package name and different certificate inputs.

Something like this (untested):

--8<---------------cut here---------------start------------->8---
(define-public my-root-cert
  (package
    (name "my-root-cert")
    (version "0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root (assoc-ref %build-inputs "my-root-cert.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           (copy-file cert (string-append out "/" (strip-store-file-name cert)))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     `(("openssl" ,openssl)
       ("perl" ,perl)))                           ;for 'c_rehash'
    (inputs
     `(("my-root-cert.pem"
        ,(origin
           (method url-fetch)
           (uri "https://example.com/certs/my-root-cert.pem";)
           (sha256
            (base32
             "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"))))))
    (home-page "https://example.com/certs/my-root-cert.pem";)
    (synopsis "My self-signed root certificate")
    (description "This package provides my self-signed root certificate.")
    (license license:public-domain)))
--8<---------------cut here---------------end--------------->8---

and then you would need to add this package to the 'packages' field of
your OS configuration, and reconfigure your system.

However, it would be good to provide a way to more easily create custom
certificate packages from a set of .pem files, perhaps by changing the
above package definition into a procedure that accepts a list of root
certificates and dynamically creates a certificate package.  If you'd
like to work on this, I'd be glad to discuss it further.

    Regards,
      Mark

[Prev in Thread]

Current Thread

[Next in Thread]

root certificate, Divan Santana, 2018/06/11
- Re: root certificate, Joshua Branson, 2018/06/11
  - Re: root certificate, myglc2, 2018/06/11
    - Re: root certificate, Divan Santana, 2018/06/12
    - Re: root certificate, Tonton, 2018/06/12
  - Re: root certificate, Divan Santana, 2018/06/12
    - Re: root certificate, Chris Marusich, 2018/06/13
- Re: root certificate, Mark H Weaver <=
  - Re: root certificate, Mark H Weaver, 2018/06/13
  - Re: root certificate, Chris Marusich, 2018/06/14
    - Re: root certificate, Mark H Weaver, 2018/06/14

Prev by Date: Re: Hexchat freezing up for anyone else?
Next by Date: Re: root certificate
Previous by thread: Re: root certificate
Next by thread: Re: root certificate
Index(es):
- Date
- Thread