public inbox for gentoo-user@lists.gentoo.org
* Re: [gentoo-user] app-misc/ca-certificates
From: Grant Taylor @ 2021-06-01 21:05 UTC
  To: gentoo-user

On 5/29/21 12:26 AM, Walter Dnes wrote:
> Looking through them is "interesting".  There seem to be a lot of 
> /etc/ssl/certs/????????.0 files, where "?" is either a random number 
> or a lower case letter.

They aren't random at all.  They are a fingerprint (hash) of signing (?) 
certificates.  The fingerprint is generated in a deterministic manner.

The sym-links (or hard links) are a convenient way to associate a hash 
back to the cert file that it's representing.

root@host#  ln -s /path/to/cert "/etc/ssl/certs/$(openssl x509 -noout -hash -in /path/to/cert).0"

The hash is what things validating things use.  They have no good way to 
determine what the file name would be.  So they compute and look up the 
hash.

You could name all the files with hashes.  But that would make it quite 
annoying ~> difficult, impractical, bordering on impossible for a human 
to maintain.  So, instead, the trusted root certificates are stored by a 
human friendly name and the hashes point to the file via a sym-link.

> These all seem to be symlinks to /etc/ssl/certs/<Some_Name>.pem. 

Quite likely.

> Each of those files is in turn a symlink 
> to /usr/share/ca-certificates/mozilla/<Some_Name>.crt.

Maybe / probably.  Definitely for root certificates that are part of the 
Mozilla Security Suite.  But it's definitely possible to have other root 
certificates through the same system.  E.g. you run your own private / 
enterprise CA.

> Any other suspicious regimes in there?

I'm confident that it depends on where you are in the world.

Let's keep things apolitical and purely technical.



-- 
Grant. . . .
unix || die
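
A consistency check for the hashed links described in the message above, added here as an example and not part of the original post: it recomputes each link's hash with the same `openssl x509 -noout -hash` call and reports links that are dangling or whose name does not match the certificate they resolve to. The function name `audit_hash_links` is hypothetical; the directory to check is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed certificate directory such as
# /etc/ssl/certs. audit_hash_links is a hypothetical helper name.
# Usage: sh audit.sh /etc/ssl/certs

audit_hash_links() {
    dir=$1
    bad=0
    # Hash links are named <8 hex digits>.<n>, e.g. 0a1b2c3d.0
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        # Skip the literal pattern when the glob matched nothing
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}

        # A symlink whose target no longer exists
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            bad=$((bad + 1))
            continue
        fi

        want=${name%%.*}   # the hash the file name claims
        # The hash OpenSSL computes for the certificate actually behind the link
        got=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || got=
        if [ "$got" = "$want" ]; then
            # Hard links and regular files have no link target to show
            target=$(readlink "$link" || echo "regular file")
            echo "OK $name -> $target"
        else
            echo "MISMATCH $name (certificate hashes to ${got:-unreadable})"
            bad=$((bad + 1))
        fi
    done
    # Exit status 0 only when every hash link checked out
    [ "$bad" -eq 0 ]
}

# Run only when a directory is given on the command line
if [ "$#" -gt 0 ]; then
    audit_hash_links "$1"
fi
```

A MISMATCH or DANGLING line means a validating program looking up that hash would find the wrong certificate or none, so the directory should be rehashed or the stray link investigated.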


2021-05-29  1:08     [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29  6:26     ` Walter Dnes
2021-06-01 21:05 99%   ` Grant Taylor