This is a Proof of Concept which provides a ca-merge utliity in the
ca_root_nss package. An update to ftp/curl is included. Explanation
This is roughly inspired by the RHEL utility update-ca-trust(8)
Open PRs: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=160387 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329
The overall design is as follows:
1. /usr/local/share/certs/ca-root-nss.crt is no longer the canonical
root. This is merely the roots that FreeBSD ships via this package. The true
CA root will change to /usr/local/etc/ssl/cert.pem. All symlinks that
pointed to ca-root-nss.crt will now point to this cert.pem instead. This
is intentional. I do not believe ca-root-nss.crt as shipped by this
package should ever be modified.
This also means every port in the tree that we have set the CA path to
ca-root-nss.crt also needs a modification and a PORTREVISION bump.
2. Include ca-merge script which finds files in PEM/DER format in a
designated location. This script is run automatically each time the
package is installed and can be run on demand by users as well. This
guarantees updates will not break CAs. This script deserves thorough
review, but it should have reasonable level of error handling at this
time. At no point should a system be left with a broken or missing CA
root. The script's failure mode is to simply install the ca-root-nss.crt
as the root CA. It is currently working for me as expected.
3. No longer execute the lang/mono cert-sync utility at pkg install
time. This is automatically handled by the ca-merge utility and will
guarantee that OpenSSL-consumers, Mono, and Java* apps will all get the
same CA roots trusted.
I have intentionally chosen to mimic the directory structure of the RHEL
update-ca-trust utility as I imagine this could grow further
capabilities as time goes on. The update-ca-trust utliity also makes it
easy to blacklist CAs, for example.
I also feel like this is going to require some documentation and/or a man page.
* Java is not supported yet. I need to understand how to build a jks
from the PEM and work with the Java port maintainers to ensure we can
install a single jks that all OpenJDKs will use.