[Mono-dev] Sync of mono Cert Store

Alexander Köplinger alkpli at microsoft.com
Thu Jul 13 23:18:35 UTC 2017


When Mono is installed from our packages (specifically the ca-certificates-mono package*), we're adding a hook into /etc/ca-certificates/update.d/ which runs cert-sync automatically whenever the system certificates are updated by the update-ca-certificates command.
This is the same approach that Java is taking as far as I know, so it should "just work" out of the box :)

I guess you could do something similar for your bundled Mono.

- Alex

* at least that's how it works on Debian et al., I'm not really familiar with how we're doing it on RPM distros
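The hook mechanism Alex describes, written out for Rick's bundled-Mono case as an added example (this is not code from the thread, from the Mono packaging, or from the ca-certificates-mono package). It assumes a bundled Mono under MONO_PREFIX that ships $MONO_PREFIX/bin/cert-sync, the Debian layout where update-ca-certificates regenerates /etc/ssl/certs/ca-certificates.crt, and an arbitrary hook name "mono-bundled"; the hook_status helper is likewise invented here as a post-install check.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Mono project.
# Generates an /etc/ca-certificates/update.d/ hook of the kind Alex
# describes, but pointed at a bundled Mono rather than the distro one.
#
# Assumptions (not stated in the thread):
#   - the bundled Mono lives under MONO_PREFIX and ships
#     $MONO_PREFIX/bin/cert-sync
#   - the bundle update-ca-certificates regenerates is
#     /etc/ssl/certs/ca-certificates.crt (Debian layout)
#   - the hook name "mono-bundled" is arbitrary
set -eu

# install_mono_cert_hook ROOT MONO_PREFIX
#   Writes ROOT/etc/ca-certificates/update.d/mono-bundled, marks it
#   executable and prints its path. ROOT is "" on a live system; pass a
#   temp dir to exercise it without touching /etc.
install_mono_cert_hook() {
    root="$1"
    mono_prefix="$2"
    hook_dir="$root/etc/ca-certificates/update.d"
    hook="$hook_dir/mono-bundled"
    mkdir -p "$hook_dir"
    # Unquoted heredoc: $mono_prefix is baked in now, \$VAR survives for runtime.
    cat > "$hook" <<EOF
#!/bin/sh
# Run by update-ca-certificates after the system CA store changes.
# Debian's update-ca-certificates feeds the added/removed certificate
# paths on stdin ("+/path" and "-/path" lines). cert-sync re-reads the
# whole bundle anyway, so just drain stdin so the caller never blocks.
cat >/dev/null
CERT_SYNC="$mono_prefix/bin/cert-sync"
BUNDLE="/etc/ssl/certs/ca-certificates.crt"
# Never make update-ca-certificates itself fail: if the bundled Mono was
# removed, or the bundle is unreadable, report on stderr and exit cleanly.
[ -x "\$CERT_SYNC" ] || { echo "mono-bundled: \$CERT_SYNC not found, skipping" >&2; exit 0; }
[ -r "\$BUNDLE" ]    || { echo "mono-bundled: \$BUNDLE not readable, skipping" >&2; exit 0; }
exec "\$CERT_SYNC" "\$BUNDLE"
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# hook_status ROOT
#   Prints "installed", "not-executable" or "missing" so an installer or
#   a post-install check can confirm the hook will actually be picked up
#   (update-ca-certificates only runs hooks that are executable).
hook_status() {
    hook="$1/etc/ca-certificates/update.d/mono-bundled"
    if [ -x "$hook" ]; then
        echo installed
    elif [ -e "$hook" ]; then
        echo not-executable
    else
        echo missing
    fi
}
```

On a live system the installer would call `install_mono_cert_hook "" /opt/vendor/mono` (or wherever the bundle lives) and then run `update-ca-certificates` once so the Mono store is synced immediately; from then on every `update-ca-certificates` run re-syncs it. Keep the hook's "skip, don't fail" behaviour: a broken hook is worse than a stale Mono store because it can leave the admin thinking the system store update failed.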

On 14 Jul 2017, at 00:13, Rick Tillery <rtillerywork at gmail.com> wrote:

Thanks, Dave. Yes, that's how our install syncs in the first place.

The thing is that customers would need to know to run this on their machines in addition to modifying the system cert store.  (Plus, it's a bit more complicated & nonstandard because we have a bundled mono, while there may not even be any system mono installed.)

I'm willing to create a method to automatically update the mono cert store when the system cert store changes, but I want to understand whether there is a different expectation about how cert updates are done & if there are issues to consider with such a tool.

Rick

On Jul 13, 2017 5:04 PM, "David Curylo" <curylod at asme.org> wrote:
Rick,

You can run `cert-sync` at any time to synchronize new certs with your mono cert store.

-Dave

> On Jul 13, 2017, at 6:01 PM, Rick Tillery <rtillerywork at gmail.com> wrote:
>
> As a follow-up to my previous question (thanks Alex), we have a concern about changes to the system certificate store & synchronization with the mono cert store.
>
> I see that the system cert store is imported to mono on install (& we now do this as well in our install), but what is the expected approach to keeping the mono cert store updated? For example, if a certificate needs to be added or revoked, is it expected that the admin knows that the mono cert store needs to be manually updated too (and doesn't Java have a separate cert store too, meaning that must be manually dealt with as well?)?
>
> (I didn't find the proper search terms with Google to show me much about this.)
>
> Is there a reason not to create a method of syncing these, so changes to the system cert store automatically get copied into the mono cert store? Is there an accepted (safe) method of doing this?
>
> Rick
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.dot.net
> http://lists.dot.net/mailman/listinfo/mono-devel-list



