Gentoo Archives: gentoo-user

From: Grant Taylor <gtaylor@×××××××××××××××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 01 Jun 2021 21:05:34
Message-Id: 1bcc5096-cc4a-5bd0-a233-7381057c140d@spamtrap.tnetconsulting.net
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Walter Dnes
On 5/29/21 12:26 AM, Walter Dnes wrote:
> Looking through them is "interesting". There seem to be a lot of
> /etc/ssl/certs/????????.0 files, where "?" is either a random number
> or a lower case letter.

They aren't random at all. They are a fingerprint (hash) of signing (?)
certificates. The fingerprint is generated in a deterministic manner.

The sym-links (or hard links) are a convenient way to associate a hash
back to the cert file that it's representing.

root@host# ln -s /path/to/cert \
    /etc/ssl/certs/$(openssl x509 -noout -hash -in /path/to/cert).0

The hash is what things validating things use. They have no good way to
determine what the file name would be. So they compute and look up the
hash.

You could name all the files with hashes. But that would make it quite
annoying ~> difficult, impractical, bordering on impossible for a human
to maintain. So, instead, the trusted root certificates are stored by a
human friendly name and the hashes point to the file via a sym-link.

> These all seem to be symlinks to /etc/ssl/certs/<Some_Name>.pem.

Quite likely.

> Each of those files is in turn a symlink
> to /usr/share/ca-certificates/mozilla/<Some_Name>.crt.

Maybe / probably. Definitely for root certificates that are part of the
Mozilla Security Suite. But it's definitely possible to have other root
certificates through the same system. E.g. you run your own private /
enterprise CA.

> Any other suspicious regimes in there?

I'm confident that it depends on where you are in the world.

Let's keep things apolitical and purely technical.


--
Grant. . . .
unix || die
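The hash-link mechanism described in the message above, written out as an added example (not code from the thread or from Gentoo's ca-certificates package). It builds the `<hash>.N` links that OpenSSL's -CApath lookup expects for every cert in a directory, using the `.N` suffix to keep two different certs that share a subject hash (e.g. an old and a renewed root with the same subject) from clobbering each other. It assumes a POSIX sh and the `openssl` binary; the function and directory names are my own.

```shell
#!/bin/sh
# Added example: hand-rolled equivalent of `openssl rehash` / c_rehash,
# so the link-naming rule is visible. Assumes POSIX sh and openssl.
set -eu

# Print the subject-name hash OpenSSL uses as the link name for a cert.
# (-hash is a synonym for -subject_hash in current OpenSSL.)
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Create HASH.N links in DIR for every *.pem / *.crt file in DIR.
# N starts at 0 and is bumped when a different cert already owns that
# slot; the verifier tries .0, .1, ... until one actually validates.
# Safe to re-run: links that already point at the right file are kept.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # glob matched nothing
        hash=$(cert_hash "$cert")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # Slot already linked to this very file: nothing to do.
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        # Relative target, so the whole directory can be moved intact.
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Print how many HASH.N link slots exist in DIR for the hash of CERT.
links_for() {
    dir=$1; cert=$2
    hash=$(cert_hash "$cert")
    count=0
    for link in "$dir/$hash".[0-9]*; do
        [ -L "$link" ] && count=$((count + 1))
    done
    echo "$count"
}
```

After running `rehash_dir` on a directory, `openssl verify -CApath DIR cert.pem` resolves the issuer purely through these hash links, which is the lookup path the message describes.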