Copyright (c) 2010 Oracle and/or its affiliates. All rights reserved.

1. Introduction

1.1. Project/Component Working Name:

     Default system CA (X.509) Certificates

1.2. Name of Document Author/Supplier:

     Author: Darren Moffat

1.3. Date of This Document:

     Jun 16th 2010

4. Technical Description

Background
----------

OpenSolaris does not currently ship a set of X.509 CA certificates in a
format suitable for use by OpenSSL consumers. This was a conscious
decision made when the Cryptographic Framework and Key Management
Framework projects were initially designed: the intent was that we, the
OS vendor, should not tell you whom to trust. There are/were also
political issues in choosing which certificates appear in the list of
CA certificates.

OpenSSL previously included a set of CA files in PEM format. Solaris
has never included those, and the upstream OpenSSL community no longer
provides them.

However, this has a significant usability impact on several existing
and future components, including (but not limited to):

    wget(1), curl(1), openssl(1), pkg(5), neon(3), WebKit

OpenSolaris/Solaris needs to deliver a set of CA certificates in PEM
format in a system-wide location for use by those applications. These
applications do not need to be changed to use this, since pointing at a
CA certificate directory or bundle is already an API option or CLI
option, e.g.:

    $ openssl s_client -CApath /etc/certs/CA -connect www.example.com:443
    $ curl --capath /etc/certs/CA https://www.example.com

(OpenSSL's -CApath and curl's --capath take a directory of hash-named
certificate files, one certificate per file; a single concatenated PEM
bundle is instead passed with -CAfile or --cacert.)

Proposal
--------

This case is about the architecture of where and in what format CA
certificates are delivered. The specific list of certificates to
deliver is a "business" issue for any given distribution. The project
team intends to initially deliver the same set of CA certificates that
is used in the Mozilla NSS libraries. The project team reserves the
right to revise the exact list of certificates and/or choose an
entirely different source of certificates at any time without requiring
further ARC review.
A separate X.509 certificate in PEM format for each CA will be placed
in /etc/certs/CA/. The files will be named by taking the X.509 subject
DN and replacing spaces and other unprintable characters with '_'. For
each of those PEM files a symlink is also created, named using the
output of 'openssl x509 -hash' (the subject-name hash, with a numeric
suffix, i.e. <hash>.0), for those consumers that do fast lookups using
a hash of the certificate's subject DN.

The package name is pkg:/system/ca-certs

Exported Interfaces

    +------------------------------------+-------------+
    | Interface                          | Stability   |
    +------------------------------------+-------------+
    | pkg:/system/ca-certs               | Volatile    |
    | /etc/certs/CA/ [1]                 | Committed   |
    | Format of CA files (PEM)           | Committed   |
    | Exact list of CA files             | Volatile    |
    +------------------------------------+-------------+

[1] Note that the /etc/certs directory already exists and is a delivered
    component of Solaris (via pkg:/SUNWcs).

Related Cases
-------------

LSARC/2001/373 Delivery of the Sun Certificates

6. Resources and Schedule

6.4. Steering Committee requested information

6.4.1. Consolidation C-team Name:

       ON

6.5. ARC review type: FastTrack

6.6. ARC Exposure: open
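The file naming, hash symlinks and -CApath lookup described in the
Proposal, and the "use a CA directory via a CLI option" point from the
Background, as one added example. This is a shell script written for
this page; it is not code from the ARC case or from the ca-certs
package. It assumes openssl(1) on PATH, builds a throwaway root CA and
a leaf certificate it signs under a mktemp directory (all constructed
data), lays the root out in the /etc/certs/CA style, and then verifies
the leaf against that directory; /etc/certs itself is never touched.

```shell
#!/bin/sh
# Added example (not part of the ARC case or the ca-certs package): build a
# hash-linked CA directory in the layout the case describes and verify a
# certificate against it with -CApath. Assumes openssl(1) on PATH; every
# certificate below is a constructed throwaway under a mktemp directory.
set -eu

# File name for a CA cert: its subject DN (RFC 2253 form) with everything
# outside [A-Za-z0-9._-] replaced by '_', runs of '_' collapsed, trailing
# '_' dropped. Handles both "subject=CN=..." and older "subject= CN=..." output.
ca_file_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//; s/[^A-Za-z0-9._-]/_/g; s/__*/_/g; s/_*$//'
}

# Create the <subject_hash>.N symlink that OpenSSL's -CApath lookup expects.
# N starts at 0 and is bumped when another cert in the directory already
# owns that hash (distinct CAs can collide on the 32-bit hash).
link_by_hash() {
    dir=$1
    pem=$2
    h=$(openssl x509 -noout -hash -in "$pem")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
    printf '%s\n' "$h.$n"
}

# Copy each PEM file given into $1 under its DN-derived name and hash-link it.
build_ca_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for src in "$@"; do
        dst="$dir/$(ca_file_name "$src").pem"
        cp "$src" "$dst"
        link_by_hash "$dir" "$dst" >/dev/null
    done
}

# Exit 0 if $2 chains to a CA found in the hashed directory $1, else non-zero.
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed demo data: a throwaway self-signed root CA, a leaf it signs,
# the root laid out as a hashed CA directory, and an empty trust directory
# for the negative case. Prints the work directory.
make_demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Example Corp/CN=Example Root CA' \
        -keyout "$work/root.key" -out "$work/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/leaf.csr" \
        -CA "$work/root.pem" -CAkey "$work/root.key" -CAcreateserial \
        -out "$work/leaf.pem" >/dev/null 2>&1
    build_ca_dir "$work/CA" "$work/root.pem"
    mkdir -p "$work/empty"
    printf '%s\n' "$work"
}

# Run as: sh ca-dir-demo.sh demo
if [ "${1:-}" = demo ]; then
    work=$(make_demo)
    ls -l "$work/CA"
    openssl verify -CApath "$work/CA" "$work/leaf.pem"
    verify_against "$work/empty" "$work/leaf.pem" \
        || echo "leaf rejected against empty -CApath, as expected"
fi
```

The directory form only works because every file holds exactly one
certificate and the <hash>.N link names are what OpenSSL opens; a
concatenated bundle dropped into /etc/certs/CA would never be found by
-CApath. For an existing directory the same links are produced by
c_rehash (or 'openssl rehash' in newer releases). One caveat relevant
to a 2010-era delivery: OpenSSL 1.0.0 changed the subject-hash
algorithm, so a directory hashed for one major version is invisible to
the other unless links for both hashes (-subject_hash and
-subject_hash_old) are present, which c_rehash in 1.0 creates.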