|
|
13173e |
////
|
|
|
13173e |
Copyright (C) 2013 Red Hat, Inc.
|
|
|
13173e |
|
|
|
13173e |
This program is free software; you can redistribute it and/or modify
|
|
|
13173e |
it under the terms of the GNU General Public License as published by
|
|
|
13173e |
the Free Software Foundation; either version 2 of the License, or
|
|
|
13173e |
(at your option) any later version.
|
|
|
13173e |
|
|
|
13173e |
This program is distributed in the hope that it will be useful,
|
|
|
13173e |
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
13173e |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
13173e |
GNU General Public License for more details.
|
|
|
13173e |
////
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
ca-legacy(8)
|
|
|
13173e |
============
|
|
|
13173e |
:doctype: manpage
|
|
|
13173e |
:man source: ca-legacy
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
NAME
|
|
|
13173e |
----
|
|
|
13173e |
ca-legacy - Manage the system configuration for legacy CA certificates
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
SYNOPSIS
|
|
|
13173e |
--------
|
|
|
13173e |
*ca-legacy* ['COMMAND']
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
DESCRIPTION
|
|
|
13173e |
-----------
|
|
|
13173e |
ca-legacy(8) is used to include or exclude a set of legacy Certificate Authority (CA)
|
|
|
13173e |
certificates in the system's list of trusted CA certificates.
|
|
|
13173e |
|
|
|
13173e |
The list of CA certificates and trust flags included in the ca-certificates package
|
|
|
13173e |
are based on the decisions made by Mozilla.org according to the Mozilla CA policy.
|
|
|
13173e |
|
|
|
13173e |
Occasionally, removal or distrust decisions made by Mozilla.org might be incompatible with the requirements
|
|
|
13173e |
or limitations of some applications that also use the CA certificates list in the Linux environment.
|
|
|
13173e |
|
|
|
13173e |
The ca-certificates package might keep some CA certificates included and trusted by default,
|
|
|
13173e |
as long as it is seen necessary by the maintainers, despite the fact that they have
|
|
|
13173e |
been removed by Mozilla. These certificates are called legacy CA certificates.
|
|
|
13173e |
|
|
|
13173e |
The general requirements to keep legacy CA certificates included and trusted might change over time,
|
|
|
13173e |
for example if functional limitations of software packages have been resolved.
|
|
|
13173e |
Future versions of the ca-certificates package might reduce the set of legacy CA certificates
|
|
|
13173e |
that are included and trusted by default.
|
|
|
13173e |
|
|
|
13173e |
The ca-legacy(8) command can be used to override the default behaviour.
|
|
|
13173e |
|
|
|
13173e |
The mechanisms to individually trust or distrust CA certificates as described in update-ca-trust(8) still apply.
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
COMMANDS
|
|
|
13173e |
--------
|
|
|
13173e |
*check*::
|
|
|
13173e |
The current configuration will be shown.
|
|
|
13173e |
|
|
|
13173e |
*default*::
|
|
|
13173e |
Configure the system to use the default configuration, as recommended
|
|
|
13173e |
by the package maintainers.
|
|
|
13173e |
|
|
|
13173e |
*disable*::
|
|
|
13173e |
Configure the system to explicitly disable legacy CA certificates.
|
|
|
13173e |
Using this configuration, the system will use the set of
|
|
|
13173e |
included and trusted CA certificates as released by Mozilla.
|
|
|
13173e |
|
|
|
13173e |
*install*::
|
|
|
13173e |
The configuration file will be read and the system configuration
|
|
|
13173e |
will be set accordingly. This command is executed automatically during
|
|
|
13173e |
upgrades of the ca-certificates package.
|
|
|
13173e |
|
|
|
13173e |
|
|
|
13173e |
FILES
|
|
|
13173e |
-----
|
|
|
13173e |
/etc/pki/ca-trust/ca-legacy.conf::
|
|
|
13173e |
A configuration file that will be used and modified by the ca-legacy command.
|
|
|
13173e |
The contents of the configuration file will be read on package upgrades.
|
|
|
13173e |
|
|
|
13173e |
AUTHOR
|
|
|
13173e |
------
|
|
|
13173e |
Written by Kai Engert.
|