From: Tomasz Swierczek Date: Thu, 31 Oct 2024 08:35:26 +0000 (+0100) Subject: Add README file with instructions for managing the certificates X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen;p=platform%2Fcore%2Fsecurity%2Fca-certificates.git Add README file with instructions for managing the certificates Change-Id: I72266891b93c873c63f79cbb40541dac3b23bbd1 --- diff --git a/README b/README new file mode 100644 index 0000000..72535f5 --- /dev/null +++ b/README 
@@ -0,0 +1,26 @@ +ca-certificates package - collection of root CA certificates + +Updating the certificates - manual +---------------------------------- + +1. Download the certificates from AOSP project + - clone the repository https://android.googlesource.com/platform/system/ca-certificates + - checkout to master branch & take the certs from its ./files/ directory +2. Download the certificates from Mozilla + - visit https://wiki.mozilla.org/CA/Included_Certificates + - download the txt file named "PEM of Root Certificates in Mozilla's Root Store with the Websites (TLS/SSL) Trust Bit Enabled" + - the file contains all certs concatenated - you can split them using the parse-mozilla-certificates.py script from ./scripts/ directory +3. Merge the certificates into one set & remove duplicates & name them properly + - use script merge-certs-info.py from ./scripts/ directory in this repository + - as one of the input directory, you can use existing ./certs/ + - thats handy especially since theoretically, some certs can be added manually from outside of the mentioned two sources + - this way you'll not remove them! + - make sure to use NEW empty directory for output parameter + - pay attention to use --remove-expired flag in the script or you can leave expired ones + - replace contents of the ./certs/ directory with newly created set (from now no-longer-empty directory created above) + - the script outputs the tab-separated data about found certificates - it doesn't have to be captured (only if explicitly requested) + +Checking for expired ones +------------------------- + +1. Use the script check-expired-certs.sh from ./scripts/ directory
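Review bot: the manual update procedure in this hunk never records or verifies which upstream revision the certificates came from, and step 1 tracks a moving target ("checkout to master branch & take the certs from its ./files/ directory"), so two maintainers following it can produce different contents of ./certs/ with no way to tell afterwards which AOSP commit or which download of the Mozilla PEM file was used; suggest pinning to a specific AOSP commit or tag and adding a line telling the maintainer to note the AOSP commit hash and the Mozilla download date in the commit that replaces ./certs/. Two smaller points in the same hunk: the line "pay attention to use --remove-expired flag in the script or you can leave expired ones" leaves the choice open where the README should state which option is intended for a release of the package, and the closing "Checking for expired ones" section stops at "Use the script check-expired-certs.sh" without saying what the maintainer should do with its output (remove the listed certs via the merge step above, or file them for follow-up). Also "thats handy" should read "that's handy".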