////
Copyright (C) 2013 Red Hat, Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
////


ca-legacy(8)
============
:doctype: manpage
:man source: ca-legacy


NAME
----
ca-legacy - Manage the system configuration for legacy CA certificates


SYNOPSIS
--------
*ca-legacy* ['COMMAND']

DESCRIPTION
-----------
ca-legacy(8) is used to include or exclude a set of legacy Certificate Authority (CA)
certificates in the system's list of trusted CA certificates.

The list of CA certificates and trust flags included in the ca-certificates package
is based on the decisions made by Mozilla.org according to the Mozilla CA policy.

Occasionally, removal or distrust decisions made by Mozilla.org might be incompatible with the requirements
or limitations of some applications that also use the CA certificates list in the Linux environment.

The ca-certificates package might keep some CA certificates included and trusted by default,
for as long as the maintainers consider it necessary, even though they have
been removed by Mozilla. These certificates are called legacy CA certificates.

The general requirements to keep legacy CA certificates included and trusted might change over time,
for example if functional limitations of software packages have been resolved.
Future versions of the ca-certificates package might reduce the set of legacy CA certificates
that are included and trusted by default.

The ca-legacy(8) command can be used to override the default behaviour.

The mechanisms to individually trust or distrust CA certificates as described in update-ca-trust(8) still apply.

COMMANDS
--------
*check*::
    The current configuration will be shown.

*default*::
    Configure the system to use the default configuration, as recommended
    by the package maintainers.

*disable*::
    Configure the system to explicitly disable legacy CA certificates.
    Using this configuration, the system will use the set of
    included and trusted CA certificates as released by Mozilla.

*install*::
    The configuration file will be read and the system configuration
    will be set accordingly. This command is executed automatically during
    upgrades of the ca-certificates package.

FILES
-----
/etc/pki/ca-trust/ca-legacy.conf::
    A configuration file that will be used and modified by the ca-legacy command.
    The contents of the configuration file will be read on package upgrades.

AUTHOR
------
Written by Kai Engert.