This directory contains the scripts to update the TLS CA Root Certificates
that comprise the 'root trust store'.

The 'updatecerts' make target should be run periodically by secteam@
specifically when there is an important change to the list of trusted root
certificates included by Mozilla.

It will:
    1) Remove the old trusted certificates (cleancerts)
    2) Download the latest certdata.txt from Mozilla (fetchcerts)
    3) Split certdata.txt into the individual .pem files (updatecerts)

Then the results should manually be inspected (git status)
    1) Any no-longer-trusted certificates should be moved to the
       untrusted directory (git mv)
    2) Any newly added certificates will need to be added (git add)


The following make targets exist:

cleancerts:
    Delete the old certificates, run as a dependency of updatecerts.

fetchcerts:
    Download the latest certdata.txt from the Mozilla NSS hg repo
    See the changelog here:
    https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

updatecerts:
    Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
    to generate the individual certificate files (.pem) and store them
    in the trusted/ directory.
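
The split step described above, sketched in Python as an added example. It is not the project's MAca-bundle.pl and does not claim to match its logic. It assumes that a certificate and its trust object share a CKA_LABEL and that only roots marked CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_SERVER_AUTH are kept; the function names and the sample data are constructed for illustration.

```python
import base64, re, textwrap
# Constructed sample in certdata.txt syntax; the octal bytes are placeholders, not real certificates.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002
\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_objects(text):  # returns one {attribute: value} dict per object
    objs, octal = [], None
    for line in text.splitlines():
        f = line.strip().split(None, 2)
        if octal is not None and f != ["END"]:   # inside a MULTILINE_OCTAL block
            octal += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", line))
        elif octal is not None:                  # END closes the block
            octal = None
        elif len(f) == 2 and f[1] == "MULTILINE_OCTAL" and objs:
            octal = objs[-1][f[0]] = bytearray()
        elif len(f) == 3 and f[0] == "CKA_CLASS":
            objs.append({"CKA_CLASS": f[2]})
        elif len(f) == 3 and f[0].startswith("CKA_") and objs:
            objs[-1][f[0]] = f[2].strip('"')
    return objs

def split_roots(text):  # returns ({label: PEM} trusted for TLS servers, [other labels])
    objs, trusted, rejected = parse_objects(text), {}, []
    trust = {o.get("CKA_LABEL"): o.get("CKA_TRUST_SERVER_AUTH")
             for o in objs if o["CKA_CLASS"] == "CKO_NSS_TRUST"}
    for o in (o for o in objs if o["CKA_CLASS"] == "CKO_CERTIFICATE"):
        if trust.get(o["CKA_LABEL"]) == "CKT_NSS_TRUSTED_DELEGATOR":
            body = "\n".join(textwrap.wrap(base64.b64encode(o["CKA_VALUE"]).decode(), 64))
            trusted[o["CKA_LABEL"]] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        else:
            rejected.append(o["CKA_LABEL"])
    return trusted, rejected
```

Running split_roots over the previous and the newly fetched certdata.txt and comparing the two label sets gives a list to check against what git status reports during the manual inspection.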