Re: root certificate
From: Mark H Weaver
Subject: Re: root certificate
Date: Wed, 13 Jun 2018 17:25:56 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Hi Divan,
Divan Santana <address@hidden> writes:
> How does one import a root certificate for GuixSD?
>
> I didn't see it in the manual.
You didn't see it because we don't yet have a polished way to do this,
unfortunately. The good news is that we've already laid the groundwork
for supporting local certificate stores.
Our 'le-certs' package in gnu/packages/certs.scm is a good template for
making custom certificate packages, and can be easily adapted to your
needs.
For now, you could simply make a copy of the 'le-certs' package, but
with a different package name and different certificate inputs.
Something like this (untested):
--8<---------------cut here---------------start------------->8---
(define-public my-root-cert
  (package
    (name "my-root-cert")
    (version "0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root (assoc-ref %build-inputs "my-root-cert.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           ;; Install the certificate under its original file name.
           (copy-file root (string-append out "/" (strip-store-file-name root)))
           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     `(("openssl" ,openssl)
       ("perl" ,perl)))                 ;for 'c_rehash'
    (inputs
     `(("my-root-cert.pem"
        ,(origin
           (method url-fetch)
           (uri "https://example.com/certs/my-root-cert.pem")
           (sha256
            (base32
             "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"))))))
    (home-page "https://example.com/certs/my-root-cert.pem")
    (synopsis "My self-signed root certificate")
    (description "This package provides my self-signed root certificate.")
    (license license:public-domain)))
--8<---------------cut here---------------end--------------->8---
and then you would need to add this package to the 'packages' field of
your OS configuration, and reconfigure your system.
However, it would be good to provide a way to more easily create custom
certificate packages from a set of .pem files, perhaps by changing the
above package definition into a procedure that accepts a list of root
certificates and dynamically creates a certificate package. If you'd
like to work on this, I'd be glad to discuss it further.
Regards,
Mark
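
The procedure suggested in the last paragraph of the message, written out as an added example that is not part of the original post or of Guix. The name `make-root-cert-package`, its argument convention and the `my-root-certs` usage are assumptions; the hash is the same placeholder as in the message and must be replaced with the real value, for example the one printed by `guix download`.

```scheme
(use-modules (guix packages) (guix download)
             (guix build-system trivial)
             ((guix licenses) #:prefix license:)
             (gnu packages tls) (gnu packages perl)) ;openssl, perl

;; Hypothetical helper, not part of Guix.  CERTS is a list of inputs of the
;; form ("label.pem" ORIGIN); each is installed as etc/ssl/certs/label.pem.
(define (make-root-cert-package name certs)
  (package
    (name name)
    (version "0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           ;; %build-inputs is an alist of (LABEL . STORE-FILE-NAME); copy
           ;; only the ".pem" entries, skipping "openssl" and "perl".
           (for-each (lambda (input)
                       (when (string-suffix? ".pem" (car input))
                         (copy-file (cdr input)
                                    (string-append out "/" (car input)))))
                     %build-inputs)
           ;; Create the hash symlinks OpenSSL looks up ('SSL_CERT_DIR').
           (chdir out)
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs `(("openssl" ,openssl) ("perl" ,perl))) ;for 'c_rehash'
    (inputs certs)
    (home-page "https://example.com/certs/")
    (synopsis "Locally trusted root certificates")
    (description "This package provides locally trusted root certificates.")
    (license license:public-domain)))

;; Usage with the origin from the message; the hash is a placeholder.
(define-public my-root-certs
  (make-root-cert-package
   "my-root-certs"
   `(("my-root-cert.pem"
      ,(origin (method url-fetch)
               (uri "https://example.com/certs/my-root-cert.pem")
               (sha256 (base32 "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee")))))))
```

Because each certificate is an `origin` with a `sha256`, the build fails if the fetched file differs from the one whose hash was recorded, so the trust anchor that ends up in the system store is the one that was reviewed.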