Re: certificate and trust store feature for systemd

On 25 May 2022, at 19:22, SCOTT FIELDS <Scott.Fields@xxxxxxxxxxx> wrote:

If you’re referring to files in /etc/pki, that’s not a management API, like CAPI or CNG provides in Windows (and a like API in OSX).

 

There’s a keychain solution in Gnome (GNOME/Keyring) but not widely adopted that I’ve seen.

 

This just seems a good match to have available within systemd

 

From: Barry Scott <barry@xxxxxxxxxxxxxxxx> 
Sent: Wednesday, May 25, 2022 1:16 PM
To: SCOTT FIELDS <Scott.Fields@xxxxxxxxxxx>
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: [EXTERNAL] Re: certificate and trust store feature for systemd

 

On 25 May 2022, at 14:06, SCOTT FIELDS <Scott.Fields@xxxxxxxxxxx> wrote: I apologize for the very general inquiry. Are there any plans to have system natively support its own trust store for items like CAs, x509 certs, passwords &

 

On 25 May 2022, at 14:06, SCOTT FIELDS <Scott.Fields@xxxxxxxxxxx> wrote:

 

I apologize for the very general inquiry.

 

Are there any plans to have system natively support its own trust store for items like CAs, x509 certs, passwords & truststores akin to the keychain in Windows and OS X?

 

But these are solved problems on modern Linux systems aren't they?

 

At least with RHEL and Fedora they have trust store and keychains.

 

I still find the management of PKIs in /etc/pki to be problematic.

 

For my home network I have my own DNS domain and CA setup. It was easy to add the CA to

Fedora's trust store.

 

Having this available as a core service within systemd using like APIs either in (mostly deprecated) CAPI or the new CNG

 

Barry

 

 

Scott Fields

IBM/Kyndryl

SRE – BNSF

817-593-5038 (BNSF)

scott.fields@xxxxxxxxxxx

scott.fields@xxxxxxxx