updating ca-bundle.crt

on 02.02.2005 14:45:01 by Joe Orton

There was some discussion on modssl-users a while back on this topic; we
had some concerns about extracting ca-bundle.crt directly from the
Mozilla CA list sources. But after discussing this with Frank Hecker
and some others there is agreement that there are no licensing issues
here really.

So, attached is a Perl script which regenerates ca-bundle.crt directly
from the Mozilla certdata.txt: Ralf, feel free to include this in
mod_ssl or just update the mod_ssl ca-bundle.crt using it ;)

joe




Attachment: mkcabundle.pl

#!/usr/bin/perl -w
#
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./mkcabundle.pl > ca-bundle.crt
#

my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

# Stream certdata.txt straight from anonymous CVS.
open(IN, "cvs -d $cvsroot co -p $certdata|")
    || die "could not check out certdata.txt";

# True while inside a CKA_VALUE MULTILINE_OCTAL ... END block.
my $incert = 0;

print<<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        # Start of a certificate: decoded DER bytes are piped to openssl.
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        # End of the octal block: let openssl print the certificate.
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        # Each line holds backslash-separated octal bytes, e.g. \060\202.
        my @bs = split(/\\/);
        foreach my $b (@bs) {
            chomp $b;
            printf(OUT "%c", oct($b)) unless $b eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
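
The decoding step of the script above, as an added example in Python that is not part of the original post or of mod_ssl: it turns each CKA_VALUE MULTILINE_OCTAL block into DER bytes and refuses to write a block whose outer DER length does not match the decoded data, instead of passing it on. The sample input is constructed (the payloads are not real certificates), and the function names and the use of CKA_LABEL lines for naming entries are choices made for this example.

```python
import base64
import hashlib

# Constructed sample in certdata.txt layout; payloads are NOT real certificates.
SAMPLE = r"""
CKA_LABEL UTF8 "Constructed Test Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002
\001\005
END
CKA_LABEL UTF8 "Constructed Truncated Root"
CKA_VALUE MULTILINE_OCTAL
\060\005\002\001
END
"""

def extract(text):  # yields (label, der_bytes) per END-closed CKA_VALUE block
    label, octal = None, None
    for line in text.splitlines():
        if line.startswith("CKA_LABEL") and line.count('"') >= 2:
            label = line.split('"')[1]
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            octal = []
        elif line.startswith("END") and octal is not None:
            yield label, bytes(octal)
            octal = None
        elif octal is not None:
            octal.extend(int(o, 8) for o in line.split("\\") if o.strip())

def der_sequence_ok(der):  # outer framing only: one SEQUENCE, length matches
    if len(der) < 2 or der[0] != 0x30:
        return False
    hdr, length = 2, der[1]
    if length > 0x80:                   # long form: low 7 bits count length bytes
        hdr += length & 0x7F
        length = int.from_bytes(der[2:hdr], "big")
    return der[1] != 0x80 and hdr + length == len(der)

def build_bundle(text):  # returns (pem_text, labels of rejected blocks)
    pems, rejected = [], []
    for label, der in extract(text):
        if not der_sequence_ok(der):
            rejected.append(label)      # malformed block: never written out
            continue
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pems.append(f"# {label}\n# SHA-256: {hashlib.sha256(der).hexdigest()}\n"
                    f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "\n".join(pems), rejected
```

The framing check only confirms that the bytes form one complete SEQUENCE; it does not parse or validate the certificate itself.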

Re: updating ca-bundle.crt

on 06.07.2005 10:27:43 by rse

On Wed, Feb 02, 2005, Joe Orton wrote:

> There was some discussion on modssl-users a while back on this topic; we
> had some concerns about extracting ca-bundle.crt directly from the
> Mozilla CA list sources. But after discussing this with Frank Hecker
> and some others there is agreement that there are no licensing issues
> here really.
>
> So, attached is a Perl script which regenerates ca-bundle.crt directly
> from the Mozilla certdata.txt: Ralf, feel free to include this in
> mod_ssl or just update the mod_ssl ca-bundle.crt using it ;)

Thanks, Joe. I'll include this script in mod_ssl 2.8.23 together
with its latest output.

Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
