From: Divan Santana
Subject: Re: root certificate
Date: Tue, 12 Jun 2018 09:10:30 +0200
Message-ID: <87tvq8o4yh.fsf@santanas.co.za>
To: myglc2@gmail.com
Cc: help-guix@gnu.org, Joshua Branson

myglc2@gmail.com writes:

> On 06/11/2018 at 12:59 Joshua Branson writes:
>
>> Divan Santana writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>>
>>>
>>> I didn't see it in the manual.
>>>
>>> (Hopefully I didn't miss it. I need to read up on using info within Emacs
>>> better.)
>>> --
>>> Divan
>
> Hello Divan,
>
> If you want a bundle of standard CA certificates, install "nss-certs".
> It is probably already installed as a system package since most of
> the example GuixSD configs include it. But I have encountered at least
> one situation where I needed to also install it as a user package,
> e.g. 'guix package -i nss-certs'.
>
> For details please see ...
>
> (guix) Application Setup
>
> ... or ...
>
> https://www.gnu.org/software/guix/manual/guix.html

So in my case, I have a root CA certificate for our organisation and many
internal sites have a certificate issued from this CA.

I want to import this self-signed root CA so all sites with certs issued by
this org CA are trusted OS-wide.

To do this on Arch one can:

#+begin_src sh
# Download the organisation root CA into the trust anchors directory
wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://fqdn/pub/org-ca.crt
# Regenerate the system trust store
trust extract-compat
#+end_src

Debian family:

#+begin_src sh
mkdir /usr/share/ca-certificates/extra
# Download the organisation root CA into the extra certificates directory
wget -O /usr/share/ca-certificates/extra/fnb-ca.crt http://fqdn/pub/org-ca.crt
# Select the new certificate and regenerate the system trust store
dpkg-reconfigure ca-certificates
#+end_src

I was hoping one could do the above within the system manifest file
config.scm?

Else perhaps we do:

#+begin_src sh
wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://fqdn/pub/org-ca.crt
trust extract-compat
#+end_src

Doing a command like this would make most of the apps (curl/wget/browser) on
the system trust these sites.

--
Divan
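
The commands in the message above download the organisation CA over plain HTTP and place it straight into the trust anchors. The following is an added example, not part of the original message or of Guix, that checks a downloaded file against a SHA-256 fingerprint obtained out of band, and that it is a self-issued CA certificate, before copying it into place. The function names and the destination path argument are assumptions, and it relies on the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from the thread.

# SHA-256 fingerprint of a PEM certificate: lowercase hex, no colons.
# Prints nothing if the file cannot be parsed as a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeeds only if FILE ($1) parses as a certificate, its fingerprint equals
# EXPECTED ($2; colons and case ignored), its subject equals its issuer
# (as for a root), and its text dump shows basicConstraints CA:TRUE.
verify_ca_cert() {
    file=$1
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$file")
    [ -n "$actual" ] || { echo "not a parseable certificate: $file" >&2; return 1; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }

    subject=$(openssl x509 -in "$file" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$file" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || { echo "subject and issuer differ" >&2; return 1; }

    openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints is not CA:TRUE" >&2; return 1; }
}

# Copy FILE ($1) to DEST ($3) only after verification against EXPECTED ($2).
# DEST is not created or modified when verification fails.
install_ca_anchor() {
    verify_ca_cert "$1" "$2" || return 1
    install -m 0644 "$1" "$3"
}

# Stand-alone use: script.sh FILE EXPECTED_SHA256 DEST
if [ "$#" -eq 3 ]; then
    install_ca_anchor "$@"
fi
```

After a successful install, the trust store still has to be regenerated with the distribution's own command, as in the message (`trust extract-compat` or `dpkg-reconfigure ca-certificates`).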