TLS Certificate Validation on Linux
11 points by jummo
11 points by jummo
Yeah, the OpenSSL certificate store is irritatingly not used by all Linux software as the root of trust.
There’s an additional complication that there’s basically no infrastructure for certificate revocation checking, only limited implementations confined within browsers.
I’m watching the upki project which aims to provide a more full-featured certificate trust infrastructure library. They are interested in making revocation checking a normal thing that TLS clients do, but I hope if upki is successful (ie, if most apps end up using upki, or at least upki’s data) it should also make it easier to add private CA certs in one place.