[SOLVED] steps to add certificate to root/ca-certs?


Postby katnatek » Jul 17th, '18, 00:48

I'm trying to make Spain's digital signature app work in Mageia (for their taxes and other governmental procedures).
As I understand it, it is necessary to add their digital certificate to root/ca-certs,
and maybe to Java's root/ca-certs, since it is a Java application.
In Debian-like distributions there is update-ca-certificates.

The steps for Debian-like distributions are:
Code:
openssl x509 -inform der -in /usr/lib/AutoFirma/AutoFirma_ROOT.cer -out /usr/lib/AutoFirma/AutoFirma_ROOT.pem
mv /usr/lib/AutoFirma/AutoFirma_ROOT.pem /usr/lib/AutoFirma/AutoFirma_ROOT.crt
mkdir /usr/share/ca-certificates/AutoFirma/
cp /usr/lib/AutoFirma/AutoFirma_ROOT.crt /usr/share/ca-certificates/AutoFirma/AutoFirma_ROOT.crt
cp /usr/lib/AutoFirma/AutoFirma_ROOT.crt /usr/local/share/ca-certificates/AutoFirma_ROOT.crt
update-ca-certificates


Are there steps to follow in Mageia, or do I need to make a custom version of Mageia's rootcerts package?

I forgot this; I finally found the way to do this in the Arch Linux wiki.
Last edited by katnatek on Oct 10th, '23, 01:05, edited 3 times in total.
BlogDrake Official Community and Forums for Spanish Talkers Users of OpenMandriva and Mageia Linux

Re: What are the steps to add certificate to root/ca-certs?

Postby doktor5000 » Jul 17th, '18, 17:09

You are aware that there is a slight difference between adding a root CA and simply adding a CA certificate?
The certificate should be put under /usr/local/share/ca-certificates or /etc/pki/ca-trust/source/anchors.
Afterwards you may need to run update-ca-trust.
The certificate should end up being added in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.

Depending on what the software uses (openssl, gnutls, ... ? ) you might even be fine with simply copying the certificate to /etc/pki/tls/private
If you need to use it with Java you might need to put a symlink to your cert inside /etc/pki/java/cacerts

And FWIW, from your example, added certificates definitely do not belong below /usr/lib/ or /usr/share/ca-certificates.

For some related information you may want to read https://www.happyassassin.net/2015/01/1 ... platforms/ or
https://www.happyassassin.net/2015/01/1 ... scert-pem/
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
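An added example (not part of the original posts, and not code from AutoFirma or Mageia): a shell function that copies a certificate into the anchor directory named in the reply above only after checking that it parses, that it is marked as a CA, and that its SHA-256 fingerprint matches a value obtained out of band. The function names and the `ANCHOR_DIR` override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. ANCHOR_DIR defaults to the directory named in the thread and
# can be overridden (hypothetical variable) to try the function in a scratch dir.
SYSTEM_ANCHORS=/etc/pki/ca-trust/source/anchors
ANCHOR_DIR="${ANCHOR_DIR:-$SYSTEM_ANCHORS}"

# cert_to_pem IN OUT: accept DER or PEM input, always write PEM.
cert_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform pem -in "$1" -out "$2" 2>/dev/null
}

# is_ca_cert PEM: succeed only if basicConstraints marks the cert as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_sha256 PEM: print the SHA-256 fingerprint as bare uppercase hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# install_anchor CERT EXPECTED_SHA256 [NAME]
# Returns 2 (unparsable), 3 (not a CA), 4 (fingerprint mismatch), 0 on success.
install_anchor() {
    src=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    name=${3:-$(basename "$src" | sed 's/\.[^.]*$//')}
    tmp=$(mktemp) || return 1
    rc=0
    if ! cert_to_pem "$src" "$tmp"; then rc=2
    elif ! is_ca_cert "$tmp"; then rc=3
    elif [ "$(cert_sha256 "$tmp")" != "$want" ]; then rc=4
    elif ! install -m 0644 "$tmp" "$ANCHOR_DIR/$name.crt"; then rc=1
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || { echo "install_anchor: refused $src (code $rc)" >&2; return "$rc"; }
    # Regenerate the extracted bundles only for the real system directory.
    # update-ca-trust may be missing (it could not be found later in the thread).
    if [ "$ANCHOR_DIR" = "$SYSTEM_ANCHORS" ]; then
        if command -v update-ca-trust >/dev/null 2>&1; then update-ca-trust
        else echo "update-ca-trust not found; bundles not regenerated" >&2; fi
    fi
    return 0
}
```

Run it as root when using the default directory. The per-profile NSS databases handled with certutil elsewhere in the thread are not touched by this function.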

Re: What are the steps to add certificate to root/ca-certs?

Postby katnatek » Jul 17th, '18, 22:44

The application has some questionable ways of doing part of its work.
The "configurator" downloads the certificate and installs it for the browser profiles detected in each user's home.

Code:
certutil -A -d sql:/home/user/.mozilla/firefox/oboy5cit.default -i /usr/lib/AutoFirma/AutoFirma_ROOT.cer -n "SocketAutoFirma" -t "C,,"


And later it converts the cert to PEM and installs it with the code in my first comment.

Of course, both pieces of code run as root.

I am trying to convert this process into a method that doesn't have to call the configurator when a new user is created, and make it compatible with Mageia.

Thank you for the links; they were educational and interesting, but that is no surprise coming from Adam :)

Re: What are the steps to add certificate to root/ca-certs?

Postby doktor5000 » Jul 18th, '18, 11:19

Well for the certutil command there is not much choice. If you would add it to the system NSS store under /etc/pki/nssdb you would lose that change on each NSS update.
You can try to change that one to
Code:
certutil -A -d /etc/pki/nssdb -i /usr/lib/AutoFirma/AutoFirma_ROOT.cer -n "SocketAutoFirma" -t "C,,"

See also https://access.redhat.com/documentation ... che-nsslib

edit doktor5000: What you could also do, as mentioned by our security guy, would be to add the certs to a default NSS database below /usr/lib64/firefox/browser/defaults/profile, and hence they would be picked up when creating new Firefox profiles.

Re: What are the steps to add certificate to root/ca-certs?

Postby katnatek » Jul 21st, '18, 22:56

@doktor5000: Where do I find update-ca-trust?

I searched with urpmf and on pkgs.org and did not find it.

Re: What are the steps to add certificate to root/ca-certs?

Postby doktor5000 » Jul 22nd, '18, 13:51

Did you try without it? I was going by RedHat and also some distro-agnostic documentation and assumed it would be present.

Re: What are the steps to add certificate to root/ca-certs?

Postby katnatek » Jul 23rd, '18, 23:28

@doktor5000 when I finish the package I will call for testing; I am from México and can't make a complete test.

I will post the results, thank you for the help.

Re: [SOLVED] steps to add certificate to root/ca-certs?

Postby katnatek » Sep 27th, '23, 00:02

Marked as solved; see the main text.