The "canonical", up-to-date Cert Authority bundle currently provides many root certificates. We grab the Mozilla `certdata.txt`, use the `certdata2pem.py` script from Red Hat to split that into PEM files, and remove anything that is untrusted (i.e. with anything in the `distrust=` field), or doesn't explicitly list `serverAuth` in the `openssl-trust` field. The result lines up with the linked curl bundle above.
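The pruning rule above (drop any root with a non-empty `distrust=` field, and any root whose `openssl-trust` field does not list `serverAuth`) is easy to get subtly wrong, so here is an added, self-contained Python example of that filter. It is not code from this repository or from Red Hat's `certdata2pem.py`; it assumes that the split PEM files carry their trust annotations as `# key=value` comment lines (`alias`, `distrust`, `openssl-trust`) immediately before each certificate, and the three certificates in the sample input are constructed placeholders, not real roots.

```python
"""Filter certdata2pem.py-style annotated PEM text down to roots that are
trusted for TLS server authentication.

Assumed input layout (an assumption for this example, not taken from the
README): each certificate is preceded by '# key=value' comment lines that
carry its trust annotations, including the 'distrust=' and 'openssl-trust='
fields the README refers to.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertEntry:
    alias: str
    headers: dict = field(default_factory=dict)
    pem: str = ""


def parse_entries(text: str) -> list[CertEntry]:
    """Split annotated PEM text into CertEntry objects.

    '# key=value' lines are collected until a PEM block starts; the block is
    then attached to those headers as one entry and the headers are reset.
    """
    entries: list[CertEntry] = []
    headers: dict = {}
    pem_lines: list[str] = []
    in_pem = False
    for line in text.splitlines():
        if in_pem:
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                entries.append(CertEntry(headers.get("alias", "<no alias>"),
                                         headers, "\n".join(pem_lines)))
                headers, pem_lines, in_pem = {}, [], False
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            in_pem = True
            pem_lines = [line]
        elif line.startswith("#") and "=" in line:
            key, _, value = line[1:].strip().partition("=")
            headers[key.strip()] = value.strip()
    return entries


def _csv_set(value: str) -> set[str]:
    """'a,b' -> {'a', 'b'}; an empty field yields an empty set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def rejection_reason(entry: CertEntry) -> str | None:
    """Return None when the root should be kept, else a short reason.

    Mirrors the README's rule: drop anything with a non-empty distrust=
    field, and anything whose openssl-trust field lacks serverAuth.
    """
    if _csv_set(entry.headers.get("distrust", "")):
        return "distrust field is non-empty"
    if "serverAuth" not in _csv_set(entry.headers.get("openssl-trust", "")):
        return "serverAuth not listed in openssl-trust"
    return None


def filter_bundle(text: str) -> tuple[list[CertEntry], list[tuple[str, str]]]:
    """Return (kept_entries, [(alias, reason), ...]) for the annotated text."""
    kept, rejected = [], []
    for entry in parse_entries(text):
        reason = rejection_reason(entry)
        if reason is None:
            kept.append(entry)
        else:
            rejected.append((entry.alias, reason))
    return kept, rejected


def build_bundle(entries: list[CertEntry]) -> str:
    """Concatenate the surviving PEM blocks into one bundle string."""
    return "".join(e.pem + "\n" for e in entries)


# Constructed sample input: the certificate bodies are placeholder text,
# not real DER, so only the header handling is exercised here.
SAMPLE_CERTDATA_PEM = """\
# alias=Constructed Trusted Root
# distrust=
# openssl-trust=serverAuth,emailProtection
-----BEGIN CERTIFICATE-----
Tm90QVJlYWxDZXJ0aWZpY2F0ZS1jb25zdHJ1Y3RlZC0x
-----END CERTIFICATE-----
# alias=Constructed Distrusted Root
# distrust=serverAuth
# openssl-trust=serverAuth
-----BEGIN CERTIFICATE-----
Tm90QVJlYWxDZXJ0aWZpY2F0ZS1jb25zdHJ1Y3RlZC0y
-----END CERTIFICATE-----
# alias=Constructed Email-Only Root
# distrust=
# openssl-trust=emailProtection
-----BEGIN CERTIFICATE-----
Tm90QVJlYWxDZXJ0aWZpY2F0ZS1jb25zdHJ1Y3RlZC0z
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    kept, rejected = filter_bundle(SAMPLE_CERTDATA_PEM)
    print("kept:", [e.alias for e in kept])
    for alias, reason in rejected:
        print(f"dropped {alias!r}: {reason}")
    print(build_bundle(kept))
```

Running it on the sample keeps only the first root and reports why each of the other two was dropped; on a real `certdata2pem.py` output directory you would feed each split file through `filter_bundle` and concatenate the survivors with `build_bundle`.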
- Run `make refresh-certs` to download new certs, clean out those we do not want, and format them for this repo
- Run `make prepare` to create the cert bundle and keystore that will be installed in puppet-runtime builds
- Run `make install` to copy the already prepared PEM and JKS cert bundles and set permissions on the installed files.
- On FIPS hosts, run `make install-fips` instead.
- Tag the puppet-ca-bundle project with the next version number
- Update the `configs/components/puppet-ca-bundle.json` file in puppet-runtime with the new version
- An automatic tagging job will tag puppet-runtime and kick off build pipelines