xref: /freebsd/secure/caroot/README (revision 2e3f49888ec8851bafb22011533217487764fdb0)
1
2This directory contains the scripts to update the TLS CA Root Certificates
3that comprise the 'root trust store'.
4
5The 'updatecerts' make target should be run periodically by secteam@
6specifically when there is an important change to the list of trusted root
7certificates included by Mozilla.
8
9It will:
10	1) Remove the old trusted certificates (cleancerts)
11	2) Download the latest certdata.txt from Mozilla (fetchcerts)
12	3) Split certdata.txt into the individual .pem files (updatecerts)
13
14Then the results should manually be inspected (git status)
15	1) Any no-longer-trusted certificates should be moved to the
16	untrusted directory (git mv)
17	2) any newly added certificates will need to be added (git add)
18
19
20The following make targets exist:
21
22cleancerts:
23	Delete the old certificates, run as a dependency of updatecerts.
24
25fetchcerts:
26	Download the latest certdata.txt from the Mozilla NSS hg repo
27	See the changelog here:
28		https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
29
30updatecerts:
31	Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
32	to generate the individual certificate files (.pem) and store them
33	in the trusted/ directory.
34