Merge pull request #1774 from drwetter/ca-update_3.0

Update certificate stores (3.0 branch)
drwetter · Nov 14, 2020 · 0abaa6d · 0abaa6d
2 parents d536c07 + 2f18dcb
commit 0abaa6d
Show file tree

Hide file tree

Showing 7 changed files with 3,308 additions and 2,933 deletions.
diff --git a/etc/Apple.pem b/etc/Apple.pem
diff --git a/etc/Java.pem b/etc/Java.pem
diff --git a/etc/Linux.pem b/etc/Linux.pem
diff --git a/etc/Microsoft.pem b/etc/Microsoft.pem
diff --git a/etc/Mozilla.pem b/etc/Mozilla.pem
diff --git a/etc/README.md b/etc/README.md
@@ -5,7 +5,7 @@ The certificate trust stores were retrieved from
 
 * **Linux:** Copied from an up-to-date Debian Linux machine
 * **Mozilla:** https://curl.haxx.se/docs/caextract.html
-* **Java:** extracted (``keytool -list -rfc -keystore <file> | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias '``) from a JRE 8 from https://jdk.java.net/ (previously JRE keystore extracted from $JAVA_HOME/jre/lib/security/cacerts using Linux)
+* **Java:** extracted (``keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias '``) from a JDK 15 from https://jdk.java.net/. (use dos2unix).
 * **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
 * **Apple:**
     1. __System:__ from Apple OS X keychain app.  Open Keychain Access utility, i.e.
@@ -14,7 +14,8 @@ The certificate trust stores were retrieved from
   --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
   --> "Category" --> "All Items"
   Select all CA certificates except for Developer ID Certification Authority,  "File" --> "Export Items"
-    2. __Internet:__ Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.
+    2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5  --mirror --convert-links --adjust-extension --page-requisites  --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
+
 
 Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
 

diff --git a/etc/ca_hashes.txt b/etc/ca_hashes.txt