Peer's certificate issuer is unknown while certificates have been added

Daniel Kahn Gillmor dkg at
Fri Sep 21 17:14:29 CEST 2012

On 09/20/2012 05:55 PM, Daniel Kahn Gillmor wrote:
> That said, if you *do* want to add trusted root CAs to a debian-derived
> system that aren't already shipped in the ca-certificates package, you
> probably don't want to tamper with the contents of
> /usr/share/ca-certificates directly.  That part of the filesystem is
> controlled by the ca-certificates package.
> Instead, for any CA that you want to add to a system as the admin, you
> only need to drop a world-readable PEM-encoded file containing the CA's
> certificate into /usr/share/ca-certificates/, and then re-run
> "update-ca-certificates" as the superuser.  This will create links
> properly under /etc/ssl/certs, and will include them in
> /etc/ssl/ca-certificates.crt.

gah -- the above is wrong in a very confusing way, apologies!


is controlled by the ca-certificates package.

But the local system administrator has free reign over:


note the "/local/", which i sloppily left out of my original next.

files in the latter directory are automatically added to the system
default list of trusted root authorities whenever update-ca-certificates
is run.

sorry for adding to the confusion,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120921/32a1e0db/attachment.pgp>

More information about the Gnutls-help mailing list