For some of our services we use SSL certificates which are signed using the local university CA. On Red Hat systems, to get applications such as Firefox to trust this CA we have always had to hackily patch and rebuild the nss packages. This has always been a rather undesirable situation since it means we need to ensure we keep up-to-date with security releases. Also, every time there is a new release the package tends to change just enough that the patches need reworking. All of this means that our solution to this problem has been rather fragile.
Thankfully Red Hat have now provided a nice solution which makes it trivial to solve this problem. They have enhanced the ca-certificates package to provide an update-ca-trust script; see the Red Hat announcement for full details. What it now boils down to is the simple process of placing your PEM or DER file into the /etc/pki/ca-trust/source/anchors/ directory and then running the update-ca-trust script.
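
The two steps above as a script, with some checks run on the file before it becomes a trust anchor. This is an added example, not code from the eucs-sslcerts package or from Red Hat; the function names and the ANCHOR_DIR and UPDATE_CMD overrides are assumptions made for illustration, and the CA, expiry and fingerprint checks go beyond what the text describes.

```shell
#!/bin/sh
# Added example: vet a local CA certificate, then stage it as a trust anchor.
# ANCHOR_DIR and UPDATE_CMD can be overridden for a dry run (assumed names).
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"

# Print the encoding (PEM or DER) the file parses as; fail if it is neither.
cert_format() {
    for fmt in PEM DER; do
        if openssl x509 -in "$1" -inform "$fmt" -noout 2>/dev/null; then
            echo "$fmt"
            return 0
        fi
    done
    return 1
}

install_anchor() {
    cert="$1"
    fmt=$(cert_format "$cert") || {
        echo "refusing $cert: not a PEM or DER X.509 certificate" >&2
        return 1
    }
    # Anchors are trusted to sign other certificates, so require CA:TRUE.
    if ! openssl x509 -in "$cert" -inform "$fmt" -noout -text | grep -q 'CA:TRUE'; then
        echo "refusing $cert: basicConstraints does not mark it as a CA" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -inform "$fmt" -noout -checkend 0 >/dev/null; then
        echo "refusing $cert: certificate has expired" >&2
        return 1
    fi
    # Print subject and SHA-256 fingerprint for comparison with the value
    # the CA publishes out of band.
    openssl x509 -in "$cert" -inform "$fmt" -noout -subject -fingerprint -sha256
    # Stage the file and rebuild the consolidated trust stores.
    install -m 0644 "$cert" "$ANCHOR_DIR/" && $UPDATE_CMD
}

# Usage: sh install-anchor.sh /path/to/university-ca.pem
if [ "$#" -gt 0 ]; then
    install_anchor "$1"
fi
```

Setting ANCHOR_DIR to a scratch directory and UPDATE_CMD to a harmless command exercises the checks without touching the system trust store.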
To make it even easier, the local eucs-sslcerts package will be updated to store the CA file in the correct location and run the script from its post-install script.
As an added bonus, the eucs-sslcerts package will now be included in the LCFG installer so that it is possible to trust LCFG servers using https with a locally signed certificate.