xref: /freebsd/secure/caroot/README (revision f01edb6f5d55fe093f8ab9c5da2b1707af698a56)
1# $FreeBSD$
2
3This directory contains the scripts to update the TLS CA Root Certificates
4that comprise the 'root trust store'.
5
6The 'updatecerts' make target should be run periodically by secteam@
7specifically when there is an important change to the list of trusted root
8certificates included by Mozilla.
9
10It will:
11	1) Remove the old trusted certificates (cleancerts)
12	2) Download the latest certdata.txt from Mozilla (fetchcerts)
13	3) Split certdata.txt into the individual .pem files (updatecerts)
14
15Then the results should manually be inspected (svn status)
16	1) Any no-longer-trusted certificates should be moved to the
17	blacklisted directory (svn mv)
18	2) any newly added certificates will need to be added (svn add)
19
20
21The following make targets exist:
22
23cleancerts:
24	Delete the old certificates, run as a dependency of updatecerts.
25
26fetchcerts:
27	Download the latest certdata.txt from the Mozilla NSS hg repo
28	See the changelog here:
29		https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
30
31updatecerts:
32	Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt
33	to generate the individual certificate files (.pem) and store them
34	in the trusted/ directory.
35