From Fedora Project Wiki

< Changes

Revision as of 13:57, 9 July 2013 by Stefw (talk | contribs) (Initial page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Shared Certificate Tools


In Fedora 19 we added the infrastructure for sharing system trusted certificates between the various crypto libraries and implementations. This takes the next step of adding tools to add/remove anchors and modify the blacklist.


Current status

  • Targeted release: Fedora 20
  • Last updated: July 09, 2013
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

A tool will be added to the p11-kit-trust package which can be used to add/remove modify a system certificate to be trusted as an anchor. In addition the tool will be

Because not all crypto implementations read their trusted information directly from the dynamic database, the tool will take care of extracting things as appropriate after making a change. This will enable administrators to run a single command to add an anchor (and perform other tasks).

Benefit to Fedora

This is the next incremental step in the Shared System Certificate work. Fedora will become easier to manage for administrators or system builders.


p11-kit has had work done to have the trust module store changes. The initial tool has been written upstream. Remainder of the tool needs completion.

The ca-certificates package will need some minor tweaks to make sure the new tools integrate correctly with it.

Although this feature can potentially affect a large number of packages, the implementation is well bounded. It is limited to a p11-kit (with one or two lines changed in ca-certificates).

  • Proposal owners: stefw, kaie
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

It is our aim that no upgrade will be needed. We explicitly did not publish the relevant data formats in previous versions in Fedora 19. There should be no need to migrate data, as there has been no data stored by the trust module yet.

ca-certificates package will have some minor tweaks in concert with p11-kit.

How To Test

  • A test day will be prepared for this change.
  • Further information for testing will appear here, with relevant commands to run.

User Experience

  • The administrator's user experience will change. In Fedora 19 they had to place a file in a certain special directory, and then run 'update-ca-trust'. In Fedora 20 they will run a simple command which performs all relevant actions.


N/A (not a System Wide Change)

Contingency Plan

  • We will not change the Fedora 19 behavior. This new functionality is built on top of it.
  • A revert to Fedora 19 is possible as a contingency.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)


There will be manual pages and documentation. In addition at this point a blog post will be written to explain the system.

Release Notes

  • Release notes will be provided.