$NetBSD: README.pkgsrc,v 1.2 2022/06/12 07:05:30 kim Exp $

This package provides the certificates distributed by the Mozilla
Project and can be used to install the certificates trusted by the
Mozilla Project in the system certificate store, so that they can be
used by third party applications using OpenSSL.

To enable management of the system certificate store and to set its
location, edit the configuration in

    /etc/ca-certificates-dir.conf

To further select which certificates are installed, you can edit the
configuration in

    /etc/ca-certificates.conf

To install local certificate authorities to be implicitly trusted,
place the certificate files in /usr/local/share/ca-certificates/
as single files ending with ".crt".

After changing the configuration and adding local certificates run this
command to install and rehash the certificates:

    # /usr/sbin/update-ca-certificates

After removing local certificates run this command to remove dangling
symlinks from /etc/ssl/certs:

    # /usr/sbin/update-ca-certificates --fresh

The update-ca-certificates tool also creates a single file certificate
bundle in PEM format in /etc/ssl/certs/ca-certificates.crt
which can be used by applications using GnuTLS.

To mark the installed certificates as trusted for users of gnupg2 do
the following (assuming default PKG_SYSCONFBASE and a Bourne shell):

    # mkdir -p /usr/pkg/etc/gnupg
    # cd /usr/pkg/etc/gnupg
    # for c in /etc/ssl/certs/*.pem; do
    > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
    > done > trustlist.txt