Bug#945274: ca-certificates: Deal with multiple certificates per .crt file
When joining a machine to a FreeIPA domain, the domain's trusted
certificates are placed in
</usr/local/share/ca-certificates/ipa-ca.crt> for integration with
If multiple certificates exist in FreeIPA's trust store, they will all
be written to this file.
This prevents OpenSSL clients from trusting *any* certificate within the
# openssl rehash /etc/ssl/certs
rehash: warning: skipping ipa-ca.pem,it does not contain exactly one certificate or CRL
ca-certificates does not document whether it intends to cope with such
an input file.
If not then it should print a warning when update-ca-certificates is
run, and ignore the input file entirely (to prevent inconsistency with
whether a CA is trusted depending on whether the client uses the jumbo
/etc/ssl/certs/ca-certificates.crt file, or whether it uses the OpenSSL
hash symlinks). Assuming this is the case, I filed #924590, which is
Alternatively, ca-certificates could take it upon itself to split an
input file containing more than one certificate into several files
containing one certificate in, say, /var/lib/ca-certificates, and then
symlink _those_ into /etc/ssl/certs rather than the original file; in
which case the freeipa-client bug can be closed without further action.
If you were going to do that then there is an edge case to consider:
FreeIPA lets you have multiple certificates for the same authority
(i.e., Subject DN) within the trust store. This happens if, for
instance, a CA's certificate was re-issued to extend its validity
period. This will cause collisions when 'openssl rehash' hashes the CA's
Subject DN in order to create its symlinks. update-ca-certificates would
have to notice this collision, and correctly choose the certificate with
the latest notAfter date (&& with a notBefore date in the past? the exact
logic is up for debate).
I've marked this bug as blocking the freeipa-client bug because the
decision of whether multiple certificates within a single file
determines whether changes have to be made in freeipa-client or not.
I'm happy to send a patch implementing either behaviour, if you can tell
me which one you want.
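The second option described in the report (split a multi-certificate .crt into single-certificate files, then resolve Subject DN collisions by keeping the certificate with the latest notAfter whose notBefore is already in the past), worked through as an added example. This is not code from the bug report, ca-certificates or freeipa-client; it uses only Go's standard library, and the four sample CA certificates it builds (three sharing the subject "IPA CA", one "Other CA") are constructed in-memory test data, not real FreeIPA output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SplitBundle returns every CERTIFICATE block in a PEM bundle as its own
// single-certificate PEM document (the shape 'openssl rehash' expects).
// Non-certificate blocks (keys, CRLs) and trailing junk are skipped.
func SplitBundle(bundle []byte) [][]byte {
	var out [][]byte
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return out
		}
		if block.Type == "CERTIFICATE" {
			out = append(out, pem.EncodeToMemory(block))
		}
	}
}

// SelectPerSubject keeps one certificate per Subject DN: the one with the
// latest NotAfter among those whose NotBefore is not still in the future at
// `now`. A certificate that fails to parse is an error rather than silently
// dropped, so a corrupt bundle cannot quietly shrink the trust store.
func SelectPerSubject(certs [][]byte, now time.Time) (map[string]*x509.Certificate, error) {
	chosen := make(map[string]*x509.Certificate)
	for i, p := range certs {
		block, _ := pem.Decode(p)
		if block == nil {
			return nil, fmt.Errorf("certificate %d: not PEM", i)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", i, err)
		}
		if c.NotBefore.After(now) {
			continue // re-issued cert that is not valid yet: skip it
		}
		key := c.Subject.String() // RFC 2253 form of the DN that 'openssl rehash' hashes
		if cur, ok := chosen[key]; !ok || c.NotAfter.After(cur.NotAfter) {
			chosen[key] = c
		}
	}
	return chosen, nil
}

// makeCA builds a throwaway self-signed CA certificate (constructed sample data).
func makeCA(cn string, serial int64, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle mimics an ipa-ca.crt holding four certificates: the original
// "IPA CA", a re-issue with extended validity, a re-issue not valid yet, and
// an unrelated CA. All of it is constructed test data.
func SampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	var b []byte
	b = append(b, makeCA("IPA CA", 1, now.Add(-730*day), now.Add(365*day))...)
	b = append(b, makeCA("IPA CA", 2, now.Add(-1*day), now.Add(3650*day))...)
	b = append(b, makeCA("IPA CA", 3, now.Add(30*day), now.Add(7300*day))...)
	b = append(b, makeCA("Other CA", 4, now.Add(-1*day), now.Add(365*day))...)
	return b
}

func main() {
	now := time.Now()
	parts := SplitBundle(SampleBundle(now))
	fmt.Printf("bundle split into %d single-certificate files\n", len(parts))
	chosen, err := SelectPerSubject(parts, now)
	if err != nil {
		panic(err)
	}
	for dn, c := range chosen {
		fmt.Printf("%s -> serial %s, notAfter %s\n", dn, c.SerialNumber, c.NotAfter.Format(time.RFC3339))
	}
}
```

Running it selects serial 2 for "CN=IPA CA" (serial 1 expires sooner, serial 3 is not yet valid) and serial 4 for "CN=Other CA"; in a real implementation each chosen certificate would then be written to its own file under something like /var/lib/ca-certificates and symlinked into /etc/ssl/certs, so that the hash symlinks and the jumbo ca-certificates.crt agree on what is trusted.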