Using system SSL certificates...

Benjamin Long bflong at longbros.com
Fri Jan 29 21:51:32 GMT 2010


On Friday 29 January 2010 08:04:06 am Pierre Schmitz wrote:
> On Friday, 29 January 2010 08:45:04, Thiago Macieira wrote:
> > > I was thinking that Firefox uses those system certificates as well, but
> > > it doesn't, as SadEagle and bradh told me on IRC. We also located where
> > > Firefox stores its certificates, unfortunately it's binary and inside a
> > > library. So I change the suggestion to: keep using our own certificate
> > > bundle and occasionally just download and sync with whatever Firefox
> > > uses from the Mozilla repository. I'll look into making a script for
> > > that. The other things that I wrote still stand.
> >
> > I've already made a script to do that. Actually, a Qt program.
> >
> > I'll probably update Qt's certificate list with the Firefox ones for the
> > next Qt version.
> >
> > So all KDE has to do is stop overriding Qt's default certificate bundle.
> 
> I would appreciate if KDE and Qt would use the system wide cert bundle
> (optionally configurable at build time).
> 
> ATM I use this workaround for kdelibs:
> 
>         rm -f /usr/share/apps/kssl/ca-bundle.crt
>         ln -sf /etc/ssl/certs/ca-certificates.crt \
>                /usr/share/apps/kssl/ca-bundle.crt
> 
> and this patch for Qt (afaik from Fedora, sorry for the additional line
>  breaks)
> <CODE SNIP> 

Here where I work I do:

ln -s /etc/ssl/certs/ca-certificates.crt ~/.kde/share/apps/kssl/ca-bundle.crt

I do this for every user on my network so KDE uses the system certs, which 
include our own private CA. I wish Firefox used the system certs as well, as 
the only way to add a private CA there is to create an addon that installs it. 
At least Firefox is just web browsing and not mail and other servers. 
Administering it all would be much more of a PITA if KDE couldn't be set up to 
use the system certs.
This is on Debian/Ubuntu, btw.

Please, whatever you do, make sure that I can add CAs to the system from a 
script. :P

Benjamin Long
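
The per-user symlink described in the message above, written as an added example that is not part of the original post or of KDE's own tooling. The two paths are the ones quoted in the message; the function names `count_certs` and `link_kde_bundle` are hypothetical.

```shell
#!/bin/sh
# Added example: point a user's KDE CA bundle at the system bundle, safely.
# Paths come from the message above; function names are hypothetical.

SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# link_kde_bundle HOME_DIR [BUNDLE]
# Returns 0 if the link is in place, 1 if the system bundle is unusable.
link_kde_bundle() {
    home=$1
    bundle=${2:-$SYSTEM_BUNDLE}
    dest="$home/.kde/share/apps/kssl/ca-bundle.crt"

    # Refuse a missing or empty bundle: a dangling link or empty file
    # would leave the user with no usable CA list.
    if [ "$(count_certs "$bundle")" -eq 0 ]; then
        echo "skip $home: $bundle has no certificates" >&2
        return 1
    fi

    # Already correct: do nothing, so the script can be rerun at every login.
    if [ -L "$dest" ] && [ "$(readlink "$dest")" = "$bundle" ]; then
        return 0
    fi

    mkdir -p "$(dirname "$dest")"
    # Keep a regular file the user may have edited instead of overwriting it.
    if [ -f "$dest" ] && [ ! -L "$dest" ]; then
        mv "$dest" "$dest.orig"
    fi
    ln -sf "$bundle" "$dest"
}

# Typical call from a login script, running as the user:
#   link_kde_bundle "$HOME"
```

Run it as each user (for example from a login script) rather than as root over every home directory, because the destination sits in a user-writable tree and the directories it creates should belong to that user.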



