certctl: Reimplement in C
ClosedPublic

Authored by des on Oct 20 2023, 8:37 PM.

Details

Summary

Notable changes include:

  • We no longer forget manually untrusted certificates when rehashing.
  • Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a whole is not replaced atomically, but each file within it is.
  • We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form.
  • We now generate a trust bundle in addition to the hashed directory. This also contains only the minimal DER form of each certificate.
  • The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed.
  • The DISTBASE concept has been dropped; the same effect can be achieved by adjusting DESTDIR.
  • We now also have rudimentary tests.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 65930
Build 62813: arc lint + arc unit

Event Timeline

des requested review of this revision. Oct 20 2023, 8:37 PM
  • Fix a number of issues with path handling
  • Make rehash save a bundle
  • Implement list and untrusted
  • Improve the manual page somewhat

There are several issues I have a problem with. It should logically behave like https://www.openssl.org/docs/man1.1.1/man1/rehash.html. The only problem with the command is that it does not provide a target directory. See also https://github.com/openssl/openssl/issues/15730

usr.sbin/certctl/certctl.8, line 108:

I would not copy the files around. Approach taken by openssl-rehash(1) should be retained.

usr.sbin/certctl/certctl.8, line 112:

I am not convinced by this unless this is an option or env var to make it global. Consider that loading hundreds of certs has a different runtime requirement than working with hashes as with the dir. I also don't know what OpenSSL will do when both will be presented. Given that most leaf certs have at most two or three levels OpenSSL will need to read three small files instead of a huge one.

usr.sbin/certctl/certctl.c, line 77:

Parts of the are logically not correct, see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274016

usr.sbin/certctl/certctl.c, line 263:

This does not look right. It does not filter by .pem, .crt, .cer, or .crl where .crl requires special handling with <hash>.r%d instead of just .%d. See OpenSSL's rehash.c. Otherwise OpenSSL will not use those files for revocation. It is also broken now in the current shell script.

usr.sbin/certctl/certctl.c, line 628:

Those commands are in a comment, this should be as well.

Comments were supposed as change request.
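
The naming rule raised in the inline comment on certctl.c line 263, as an added example (not code from this revision or from OpenSSL): only files ending in .pem, .crt, .cer or .crl are considered, certificates become <hash>.N and CRLs <hash>.rN, and N counts earlier objects of the same kind with the same hash. The struct, the function names and the sample hashes are assumptions; the hash and the object kind are taken as given rather than computed with libcrypto.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum obj_kind { OBJ_CERT, OBJ_CRL };

struct entry {
	const char	*file;		/* source file name */
	unsigned long	 hash;		/* name hash (assumed already computed) */
	enum obj_kind	 kind;		/* what the file parsed as (assumed given) */
	char		 link[24];	/* out: hashed name, "" if skipped */
};

/* Return 1 if the file name carries one of the four accepted extensions. */
int
has_store_extension(const char *file)
{
	static const char *exts[] = { "pem", "crt", "cer", "crl" };
	const char *dot = strrchr(file, '.');
	size_t i;

	if (dot == NULL)
		return (0);
	for (i = 0; i < sizeof(exts) / sizeof(exts[0]); i++)
		if (strcasecmp(dot + 1, exts[i]) == 0)
			return (1);
	return (0);
}

/*
 * Fill in e[i].link for every accepted entry and return how many were named.
 * Certificates and CRLs are numbered independently, so a CRL whose issuer
 * hash equals a certificate's subject hash still starts at .r0.
 */
int
assign_hashed_names(struct entry *e, size_t n)
{
	size_t i, j;
	unsigned int seq;
	int named = 0;

	for (i = 0; i < n; i++) {
		e[i].link[0] = '\0';
		if (!has_store_extension(e[i].file))
			continue;
		/* Next free index among earlier same-hash, same-kind entries. */
		for (seq = 0, j = 0; j < i; j++)
			if (e[j].link[0] != '\0' && e[j].hash == e[i].hash &&
			    e[j].kind == e[i].kind)
				seq++;
		snprintf(e[i].link, sizeof(e[i].link), "%08lx.%s%u",
		    e[i].hash & 0xffffffffUL,
		    e[i].kind == OBJ_CRL ? "r" : "", seq);
		named++;
	}
	return (named);
}

int
main(void)
{
	/* Constructed sample input; the hashes are made up. */
	struct entry e[] = {
		{ "example-root.pem",   0x1a2b3c4dUL, OBJ_CERT, "" },
		{ "example-cross.crt",  0x1a2b3c4dUL, OBJ_CERT, "" },
		{ "example-root.crl",   0x1a2b3c4dUL, OBJ_CRL,  "" },
		{ "README.txt",         0x1a2b3c4dUL, OBJ_CERT, "" },
	};
	size_t i, n = sizeof(e) / sizeof(e[0]);

	assign_hashed_names(e, n);
	for (i = 0; i < n; i++)
		printf("%-20s -> %s\n", e[i].file,
		    e[i].link[0] != '\0' ? e[i].link : "(skipped)");
	return (0);
}
```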

This revision now requires changes to proceed. Oct 23 2023, 1:04 PM

usr.sbin/certctl/certctl.c, line 87:

I wonder why these macros aren't partially used with trusted_paths and untrusted_paths.

Just tried the patch on FreeBSD deblndw013x1v.ad001.siemens.net 13.2-STABLE FreeBSD 13.2-STABLE 8a331a855 GENERIC amd64 and it does not at all for me. I will provision a VM with 15-CURRENT.

Set up a VM:

FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023     root@releng3.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

applied your patch and installed the new executable:

# ldd /usr/sbin/certctl
/usr/sbin/certctl:
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x3c40a81b9000)
        libc.so.7 => /lib/libc.so.7 (0x3c40a9ba9000)
        libthr.so.3 => /lib/libthr.so.3 (0x3c40a8f53000)
        [vdso] (0x3c40a79bc000)

Let's see:

# tree /etc/ssl/
/etc/ssl/
└── openssl.cnf

1 directory, 1 file
# certctl -v rehash
localbase:      /usr/local
destdir:
distbase:
unprivileged:   false
verbose:        true
51 untrusted certificates found
179 trusted certificates found
removing /etc/ssl.new
creating /etc/ssl.new/untrusted
writing /etc/ssl.new/certs/7719f463.0
writing /etc/ssl.new/certs/7a780d93.0
writing /etc/ssl.new/certs/9d04f354.0
writing /etc/ssl.new/certs/1a6b61c8.0
writing /etc/ssl.new/certs/0f5dc4f3.0
writing /etc/ssl.new/certs/9245e478.0
writing /etc/ssl.new/certs/d9d79a66.0
writing /etc/ssl.new/certs/d52c538d.0
writing /etc/ssl.new/certs/c6b602e9.0
writing /etc/ssl.new/certs/3513523f.0
writing /etc/ssl.new/certs/e8599211.0
writing /etc/ssl.new/certs/f387163d.0
writing /etc/ssl.new/certs/9046744a.0
writing /etc/ssl.new/certs/3bde41ac.0
writing /etc/ssl.new/certs/d6325660.0
writing /etc/ssl.new/certs/e113c810.0
writing /etc/ssl.new/certs/5ad8a5d6.0
writing /etc/ssl.new/certs/35e514f6.0
writing /etc/ssl.new/certs/6b99d060.0
writing /etc/ssl.new/certs/9b5697b0.0
writing /etc/ssl.new/certs/4bfab552.0
writing /etc/ssl.new/certs/2ae6433e.0
writing /etc/ssl.new/certs/4b718d9b.0
writing /etc/ssl.new/certs/5eeeed34.0
writing /etc/ssl.new/certs/6fa5da56.0
writing /etc/ssl.new/certs/706f604c.0
writing /etc/ssl.new/certs/5860aaa6.0
writing /etc/ssl.new/certs/9c8dfbd4.0
writing /etc/ssl.new/certs/8f103249.0
writing /etc/ssl.new/certs/1e08bfd1.0
writing /etc/ssl.new/certs/ecccd8db.0
writing /etc/ssl.new/certs/0b9bc432.0
writing /etc/ssl.new/certs/7b1c186e.0
writing /etc/ssl.new/certs/08063a00.0
writing /etc/ssl.new/certs/0bf05006.0
writing /etc/ssl.new/certs/4ca5f54b.0
writing /etc/ssl.new/certs/e35234b1.0
writing /etc/ssl.new/certs/d7e8dc79.0
writing /etc/ssl.new/certs/4042bcee.0
writing /etc/ssl.new/certs/b7a5b843.0
writing /etc/ssl.new/certs/fd64f3fc.0
writing /etc/ssl.new/certs/fa5da96b.0
writing /etc/ssl.new/certs/f30dd6ad.0
writing /etc/ssl.new/certs/ee64a828.0
writing /etc/ssl.new/certs/40193066.0
writing /etc/ssl.new/certs/653b494a.0
writing /etc/ssl.new/certs/0179095f.0
writing /etc/ssl.new/certs/062cdee6.0
writing /etc/ssl.new/certs/b727005e.0
writing /etc/ssl.new/certs/4f316efb.0
writing /etc/ssl.new/certs/e8de2f56.0
writing /etc/ssl.new/certs/75d1b2ed.0
writing /etc/ssl.new/certs/607986c7.0
writing /etc/ssl.new/certs/ef954a4e.0
writing /etc/ssl.new/certs/773e07ad.0
writing /etc/ssl.new/certs/36971e57.0
writing /etc/ssl.new/certs/fe8a2cd8.0
writing /etc/ssl.new/certs/0b1b94ef.0
writing /etc/ssl.new/certs/1001acf7.0
writing /etc/ssl.new/certs/406c9bb1.0
writing /etc/ssl.new/certs/d887a5bb.0
writing /etc/ssl.new/certs/a89d74c2.0
writing /etc/ssl.new/certs/cd8c0d63.0
writing /etc/ssl.new/certs/da0cfd1d.0
writing /etc/ssl.new/certs/0a775a30.0
writing /etc/ssl.new/certs/c2cf79c6.0
writing /etc/ssl.new/certs/9482e63a.0
writing /etc/ssl.new/certs/930ac5d2.0
writing /etc/ssl.new/certs/3e359ba6.0
writing /etc/ssl.new/certs/7f3d5d1d.0
writing /etc/ssl.new/certs/de6d66f3.0
writing /etc/ssl.new/certs/ed858448.0
writing /etc/ssl.new/certs/96f028d4.0
writing /etc/ssl.new/certs/2b349938.0
writing /etc/ssl.new/certs/8508e720.0
writing /etc/ssl.new/certs/8d86cdd1.0
writing /etc/ssl.new/certs/3e1ec334.0
writing /etc/ssl.new/cert.pem
removing /etc/ssl.new/cert.pem
removing /etc/ssl.new/untrusted
removing /etc/ssl.new/certs
removing /etc/ssl.new
# certctl list | wc -l
       0
# tree /etc/ssl/
/etc/ssl/
└── openssl.cnf

1 directory, 1 file

Well, nothing there. More than that, it causes the following questions:

  • What is the purpose of /etc/ssl.new/untrusted/<hash>.<number>? Who is supposed to use that? Not clear, causes confusion.
  • Why is /etc/ssl recreated? Consider that I have custom files in /etc/ssl, I bet they will be gone. It should only touch /etc/ssl/certs.
  • Maybe something from mktemp() would be better suited than .new suffix? mkdtemp()?

truss output is attached: F69853271

Michael, do you understand the concept of a work in progress?

In D42320#966578, @des wrote:

Michael, do you understand the concept of a work in progress?

Yes, I do. That is why I provided a first review since you requested me as reviewer.

In D42320#966578, @des wrote:

Michael, do you understand the concept of a work in progress?

Please take your time to reach the code quality you expect and ping me. I'd be more than happy to review again.

This revision now requires review to proceed. Oct 26 2023, 9:21 PM

Would it be wise or a good idea to integrate Capsicum?

In D42320#1173389, @des wrote:

progress

Is this one good to be reviewed or should I wait again?

des edited the summary of this revision.

fix buildworld

des edited the summary of this revision.

update

@des Should I give this another try? I can allocate some time to review and test this month.

des retitled this revision from certctl: Reimplement in C. to certctl: Reimplement in C. Aug 2 2025, 12:23 PM

I did a cursory review and a quick test. This seems to do what it says on the box. I have not had time for an in-depth review. I think this is good to commit to main before stable/15.

kevans added inline comments.
usr.sbin/certctl/certctl.c
119

IMO this would be a bit more readable with strchrnul() instead

444

Missing mode argument for O_CREAT

635

This seems backwards? (ditto for save_untrusted)

799

Missing return

1018

certctl_trust and certctl_untrust are both written under the assumption that argv starts at files to load, but the other three seem to assume you've left the command verb here. As a result, untrust throws weird errors because it passes the verb to read_cert().

des edited the summary of this revision.

review feedback

des marked 5 inline comments as done. Aug 9 2025, 11:19 AM
des marked 6 inline comments as done.

Ah, I had pictured something more like:

while (*str != '\0') {
        p = strchrnul(str, ':');
        if (p != str && (paths[i++] = strndup(str, p - str)) == NULL)
                err(1, NULL);
        str = p + (*p == '\0' ? 0 : 1);
}

and ditching q entirely, but I don't really feel that strongly about it.
(edit: missed incrementing i)

This revision is now accepted and ready to land. Aug 9 2025, 2:51 PM
This revision now requires review to proceed. Aug 10 2025, 1:17 AM
des added inline comments.
usr.sbin/certctl/certctl.c
829

arguably redundant

We should note a TODO somewhere to handle CRLs properly (@michaelo's note about OpenSSL requiring them to be .r%d instead), but given that that isn't a regression I'd be happy for us to iterate on that after landing this.

This revision is now accepted and ready to land. Aug 12 2025, 3:48 AM

We should note a TODO somewhere to handle CRLs properly (@michaelo's note about OpenSSL requiring them to be .r%d instead), but given that that isn't a regression I'd be happy for us to iterate on that after landing this.

certctl isn't currently able to read CRLs at all, they will be silently ignored. I'll look into it, but I don't have any real-world test data.

I should add that the shell script version of certctl will handle CRLs, but by accident, not by design. If we're going to add CRL support to the C version, we need to decide where we're going to look for them and document it.

This revision was automatically updated to reflect the committed changes.