Re: root certificate
From: Mark H Weaver
Subject: Re: root certificate
Date: Thu, 14 Jun 2018 13:49:22 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Hi Chris,

Chris Marusich <address@hidden> writes:

> Mark H Weaver <address@hidden> writes:
>
>>   ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
>>   ;; similar.)
>>   (chdir (string-append %output "/etc/ssl/certs"))
>>   (invoke (string-append perl "/bin/perl")
>>           (string-append openssl "/bin/c_rehash")
>>           ".")))))
>
> I didn't know about c_rehash until now. Interesting! In the past, I've
> defined my own certificate packages as described in my own separate
> replies to this thread, and they worked even though I didn't invoke
> c_rehash. Could this simply have been because the software I use
> happens to work even when the symlinks created by c_rehash don't exist?

According to the c_rehash man page, "many programs that use OpenSSL
require directories to be set up like this in order to find
certificates." I'm not sure, but I guess that programs based on GnuTLS
do not need the symlinks.

> It looks like the ca-certificate-bundle profile hook (defined in
> guix/profiles.scm) doesn't currently invoke c_rehash. Should it?

If I understand correctly, as long as each certificate package runs
'c_rehash' individually, then running 'c_rehash' during the profile hook
should have no effect, because all of the certificates will already have
their associated hash symlinks installed.

Regards,
Mark
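
The symlink layout discussed in this message, as an added example that is not part of the original email or of Guix's code: it creates by hand the `<subject-hash>.N` link that c_rehash would create and checks that OpenSSL's `-CApath` lookup only finds the certificate once the link exists. The function names, file names and certificate subject are constructed for the demonstration, and it assumes OpenSSL 1.1.0 or later on `PATH`.

```shell
#!/bin/sh
# Added example: reproduce by hand the <subject-hash>.N symlink that c_rehash
# creates, and show that OpenSSL's -CApath lookup depends on it.
# All file names and the certificate subject are constructed for this demo.

# link_cert DIR FILE: create DIR/<hash>.N -> FILE and print the link name.
link_cert() {
    dir=$1 file=$2
    hash=$(openssl x509 -noout -subject_hash -in "$dir/$file") || return 1
    n=0
    # Certificates whose subjects hash to the same value get .0, .1, ...
    while [ -e "$dir/$hash.$n" ]; do
        # Already linked to this file: reuse the slot.
        [ "$(readlink "$dir/$hash.$n")" = "$file" ] && break
        n=$((n + 1))
    done
    ln -sf "$file" "$dir/$hash.$n"
    echo "$hash.$n"
}

# make_test_ca DIR: write a throwaway self-signed certificate to DIR/test-ca.pem.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/test-ca.key" -out "$1/test-ca.pem" 2>/dev/null
}

# trusted_via_capath DIR FILE: succeed only if OpenSSL can find the issuer of
# DIR/FILE by hash lookup in DIR (the directory is the only trust source).
trusted_via_capath() {
    openssl verify -CApath "$1" "$1/$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_ca "$d" || return 1
    # The PEM file is present, but without the hash link it is not found.
    trusted_via_capath "$d" test-ca.pem && echo "before: found" || echo "before: not found"
    link=$(link_cert "$d" test-ca.pem)
    trusted_via_capath "$d" test-ca.pem && echo "after $link: found" || echo "after $link: not found"
    rm -rf "$d"
}

demo
```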