# $FreeBSD$

This directory contains the scripts to update the TLS CA Root Certificates
that comprise the 'root trust store'.

The 'updatecerts' make target should be run periodically by secteam@,
specifically when there is an important change to the list of trusted root
certificates included by Mozilla.

It will:
    1) Remove the old trusted certificates (cleancerts)
    2) Download the latest certdata.txt from Mozilla (fetchcerts)
    3) Split certdata.txt into the individual .pem files (updatecerts)

Then the results should be inspected manually (svn status):
    1) Any no-longer-trusted certificates should be moved to the
       blacklisted directory (svn mv)
    2) Any newly added certificates will need to be added (svn add)


The following make targets exist:

cleancerts:
    Delete the old certificates, run as a dependency of updatecerts.

fetchcerts:
    Download the latest certdata.txt from the Mozilla NSS hg repo.
    See the changelog here:
    https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

updatecerts:
    Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
    to generate the individual certificate files (.pem) and store them
    in the trusted/ directory.
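
To make the "split certdata.txt into .pem files" step concrete when reviewing
its output, here is an added Python sketch; it is not MAca-bundle.pl and not
part of this directory. It assumes certificate and trust objects can be paired
by CKA_LABEL and looks only at the TLS server-auth trust attribute; the names
split_certs, to_pem and field, and the sample data, are constructed for
illustration.

```python
import base64, re, textwrap

# Constructed sample in certdata.txt syntax; the CKA_VALUE bytes are dummy
# DER, not real certificates.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def field(chunk, pattern):
    """First capture group of pattern in chunk, or None if absent."""
    m = re.search(pattern, chunk, re.M | re.S)
    return m.group(1) if m else None

def to_pem(der):
    """Wrap DER bytes as a PEM certificate with 64-column base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def split_certs(text):
    """Return ({label: PEM} trusted for TLS server auth, [other labels])."""
    der, trust = {}, {}
    # Every object starts at a CKA_CLASS line; element 0 is the preamble.
    for chunk in re.split(r"(?m)^(?=CKA_CLASS\s)", text)[1:]:
        cls = field(chunk, r"^CKA_CLASS\s+\S+\s+(\S+)")
        label = field(chunk, r'^CKA_LABEL\s+UTF8\s+"([^\n]*)"')
        if cls == "CKO_CERTIFICATE":
            octal = field(chunk, r"^CKA_VALUE\s+MULTILINE_OCTAL\n(.*?)^END\b") or ""
            der[label] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        elif cls == "CKO_NSS_TRUST":
            trust[label] = field(chunk, r"^CKA_TRUST_SERVER_AUTH\s+\S+\s+(\S+)")
    # Only explicitly trusted delegators are emitted; everything else is listed.
    trusted = {l: to_pem(d) for l, d in der.items()
               if trust.get(l) == "CKT_NSS_TRUSTED_DELEGATOR"}
    return trusted, sorted(set(der) - set(trusted))
```

The second return value lists certificates present in the input without
server-auth trust, which are the ones to look at first during the manual
inspection step.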