The "canonical", up-to-date Certificate Authority bundle currently provides 155 root certificates. We grab Mozilla's 'certdata.txt', use the 'certdata2pem.py' script from Red Hat to split it into one PEM file per certificate, and remove anything that is untrusted (i.e., anything with a value in the distrust= field) or that does not explicitly list serverAuth in the openssl-trust= field. The result lines up with the linked curl bundle above.
- Remove old .crt files:
rm *.crt
- Download new certdata (curl's mk-ca-bundle.pl fetches Mozilla's certdata.txt; it also writes a ca-bundle.crt, which is removed below):
perl mk-ca-bundle.pl
- Split into PEM files:
python certdata2pem.py
- Remove ca-bundle.crt:
rm ca-bundle.crt
- Remove .p11-kit files:
rm *.p11-kit
- Remove anything that is untrusted (i.e. with anything in the distrust field)
or that doesn't explicitly list serverAuth in the openssl-trust field:
./remove_unwanted_files.sh
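The filtering step above, written out as an added example (this is not the project's remove_unwanted_files.sh). It assumes each .crt file begins with the header comments Red Hat's certdata2pem.py writes ("# alias=", "# trust=", "# distrust=" and, when present, "# openssl-trust=") followed by the PEM body; the four sample files, their names and their placeholder PEM bodies are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the project's remove_unwanted_files.sh: prune a directory
# of certdata2pem.py output down to the roots Mozilla trusts for serverAuth.
# Assumption: each .crt starts with the "# alias=", "# trust=", "# distrust="
# and (optional) "# openssl-trust=" comment lines that Red Hat's
# certdata2pem.py writes, followed by the PEM body.

# keep_cert FILE: succeed (0) if the certificate should stay in the bundle.
keep_cert() {
    # The header block is everything before the PEM body.
    hdr=$(sed -n '/^-----BEGIN/q;p' "$1")
    # Any value in distrust= means Mozilla explicitly distrusts it: drop it.
    if printf '%s\n' "$hdr" | grep -q '^# distrust=[^[:space:]]'; then
        return 1
    fi
    # Keep only certs whose openssl-trust= lists serverAuth as a whole word,
    # so an email-only or code-signing-only root never lands in a TLS bundle.
    if printf '%s\n' "$hdr" | grep -Eq '^# openssl-trust=(.* )?serverAuth( .*)?$'; then
        return 0
    fi
    return 1
}

# prune_dir DIR: delete unwanted .crt files in DIR, print how many were kept.
prune_dir() {
    kept=0
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        if keep_cert "$f"; then
            kept=$((kept + 1))
        else
            rm -f "$f"
        fi
    done
    echo "$kept"
}

# write_cert DIR NAME TRUST DISTRUST OPENSSL_TRUST: emit a constructed sample
# file in the certdata2pem.py header layout (PEM body is a placeholder).
write_cert() {
    {
        printf '# alias=%s\n' "$2"
        printf '# trust=%s\n' "$3"
        printf '# distrust=%s\n' "$4"
        if [ -n "$5" ]; then
            printf '# openssl-trust=%s\n' "$5"
        fi
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----'
    } > "$1/$(printf '%s' "$2" | tr ' ' '_').crt"
}

# Build a throwaway directory of four constructed samples and prune it.
work=$(mktemp -d)
write_cert "$work" "Example Server Root" "CKA_TRUST_SERVER_AUTH CKA_TRUST_EMAIL_PROTECTION" "" "serverAuth emailProtection"
write_cert "$work" "Email Only Root" "CKA_TRUST_EMAIL_PROTECTION" "" "emailProtection"
write_cert "$work" "Distrusted Root" "" "CKA_TRUST_SERVER_AUTH CKA_TRUST_EMAIL_PROTECTION" ""
write_cert "$work" "Code Signing Root" "CKA_TRUST_CODE_SIGNING CKA_TRUST_SERVER_AUTH" "" "codeSigning serverAuth"

kept=$(prune_dir "$work")
remaining=$(ls "$work" | tr '\n' ' ')
echo "kept $kept of 4: $remaining"
rm -rf "$work"
```

Against real certdata2pem.py output you would run prune_dir on the directory holding the .crt files (prune_dir .) after the .p11-kit files and ca-bundle.crt have been removed; anything without a distrust value and with serverAuth in its openssl-trust line survives, everything else is deleted.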
- Tag the puppet-ca-bundle project with the next version number
- Update the configs/components/puppet-ca-bundle.json file in puppet-runtime with the new version
- An automatic tagging job will tag puppet-runtime and kick off the build pipelines
(c) 2016 Puppet Labs