update-ca-trust 1.9 KB

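#!/bin/bash
#
# update-ca-trust: regenerate the consolidated CA trust outputs under
# /etc/ca-certificates/extracted and the compatibility locations under
# /etc/ssl from the configured trust sources (aka "trust extract-compat").
#
# At this time, while this script is trivial, any parameters given are ignored.
# For backwards compatibility, future versions of this script must keep
# accepting the syntax "update-ca-trust extract" to trigger the generation of
# the output files in $DEST.
#
# The script rewrites the system-wide trust store, so it has to run with
# sufficient privileges to write below /etc. Certificates placed in the
# trust-source/anchors directories are picked up as trusted roots on the next
# run; keep those directories root-owned and review unexpected changes to them.
#
# Exit status: 0 if every step succeeded, 1 if any step failed.

DEST=/etc/ca-certificates/extracted

# Failures are collected here rather than aborting at the first one, so that a
# problem with one output format does not prevent the others from being
# refreshed, while the caller still sees a non-zero exit status.
status=0

# Run "trust extract" so that existing output files are replaced in place.
# Arguments: passed through unchanged (format, filter, purpose, destination).
extract() {
  trust extract --overwrite "$@"
}

# Trust source directories (local anchors and blacklisted certificates).
install -d /{etc,usr/share}/ca-certificates/trust-source/{anchors,blacklist} \
  || status=1

# Directories used by update-ca-trust.
install -d /etc/{ssl/certs/java,ca-certificates/extracted} || status=1

# Compatibility link for OpenSSL using /etc/ssl as CAdir.
# Used in preference to the individual links in /etc/ssl/certs.
# -f makes the script re-runnable: without it a second run fails with
# "File exists", and a stale regular file at the link path would keep being
# served as the bundle instead of the freshly extracted one.
ln -sfr "$DEST/tls-ca-bundle.pem" "/etc/ssl/cert.pem" || status=1

# Compatibility link for the legacy bundle path.
ln -sfr "$DEST/tls-ca-bundle.pem" "/etc/ssl/certs/ca-certificates.crt" \
  || status=1

# Consolidated bundles, one per purpose.
extract --comment --format=pem-bundle --filter=ca-anchors \
  --purpose=server-auth "$DEST/tls-ca-bundle.pem" || status=1
extract --comment --format=pem-bundle --filter=ca-anchors \
  --purpose=email "$DEST/email-ca-bundle.pem" || status=1
extract --comment --format=pem-bundle --filter=ca-anchors \
  --purpose=code-signing "$DEST/objsign-ca-bundle.pem" || status=1
extract --comment --format=openssl-bundle --filter=certificates \
  "$DEST/ca-bundle.trust.crt" || status=1

# The directory-format extractors remove all files in the target directory,
# but not directories or files therein.
if extract --format=pem-directory-hash --filter=ca-anchors \
  --purpose=server-auth "$DEST/cadir"; then
  # We don't want to have to remove everything from the certs directory but
  # neither do we want to leave stale certs around, so symlink it all from
  # somewhere else.
  for f in "$DEST"/cadir/*; do
    # An unmatched glob stays literal; skip it instead of linking a file
    # named "*" into /etc/ssl/certs.
    [[ -e "$f" ]] || continue
    ln -fsr -t /etc/ssl/certs "$f" || status=1
  done

  # Now find and remove all broken symlinks, i.e. links to certificates that
  # are no longer part of the extracted set.
  find -L /etc/ssl/certs -maxdepth 1 -type l -delete || status=1
else
  # The hashed directory may be empty or incomplete after a failed run, so
  # leave the existing links in /etc/ssl/certs alone rather than pruning them
  # against it.
  printf '%s\n' \
    "update-ca-trust: extracting $DEST/cadir failed; /etc/ssl/certs left unchanged" >&2
  status=1
fi

# Java bundle
extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth \
  /etc/ssl/certs/java/cacerts || status=1

exit "$status"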