15 certificate files at Git program folder needed?


Erwin Hamann

Sep 3, 2015, 5:03:54 AM
to git-for-windows
Hello,
I'm not sure whether this is the right forum for my question and suggestion for improvement concerning git version 2.5.1.windows.1.

After installing Git from Git-2.5.1-64-bit.exe
I had the task to add a company specific certificate to the one *.crt file used by git for https.

I was surprised to find 15 *.crt files in the Git installation folder:
  • ./etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
  • ./etc/pki/ca-trust/source/anchors/CAcert.org_class3.crt 
  • ./etc/pki/ca-trust/source/anchors/CAcert.org_root.crt 
  • ./mingw64/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
  • ./mingw64/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt 
  • ./mingw64/share/pki/ca-trust-source/ca-bundle.trust.crt 
  • ./mingw64/ssl/certs/ca-bundle.crt 
  • ./mingw64/ssl/certs/ca-bundle.trust.crt 
  • ./usr/share/pki/ca-trust-source/ca-bundle.legacy.disable.crt 
  • ./usr/share/pki/ca-trust-source/ca-bundle.legacy.enable.crt 
  • ./usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt 
  • ./usr/share/pki/ca-trust-source/ca-bundle.trust.crt 
  • ./usr/share/tabset/stdcrt 
  • ./usr/ssl/certs/ca-bundle.crt 
  • ./usr/ssl/certs/ca-bundle.trust.crt 
Via the command $ git config -l
I found out that the only file to be changed is: http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

So, maybe no issue ... but nonetheless my question: do we really need 15 crt files for the Git installation?
If not: I would suggest wiping out the unneeded crt's to make the administration a bit easier.

Thanks in advance
Erwin

Johannes Schindelin

Sep 3, 2015, 7:04:50 AM
to Erwin Hamann, git-for-windows
Hi Erwin,

On 2015-09-02 20:44, Erwin Hamann wrote:

> I was surprised to find 15 *.crt files at git installation folder:
>
> - ./etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> - ./etc/pki/ca-trust/source/anchors/CAcert.org_class3.crt
> - ./etc/pki/ca-trust/source/anchors/CAcert.org_root.crt
> - ./mingw64/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> - ./mingw64/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
> - ./mingw64/share/pki/ca-trust-source/ca-bundle.trust.crt
> - *./mingw64/ssl/certs/ca-bundle.crt *
> - ./mingw64/ssl/certs/ca-bundle.trust.crt
> - ./usr/share/pki/ca-trust-source/ca-bundle.legacy.disable.crt
> - ./usr/share/pki/ca-trust-source/ca-bundle.legacy.enable.crt
> - ./usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
> - ./usr/share/pki/ca-trust-source/ca-bundle.trust.crt
> - ./usr/share/tabset/stdcrt
> - ./usr/ssl/certs/ca-bundle.crt
> - ./usr/ssl/certs/ca-bundle.trust.crt

I *think* that only the /usr/ssl/certs/ca-bundle.crt and
/mingw/ssl/certs/ca-bundle.crt are needed. However, this would require
careful testing and I did not have any time to do that so far.

Ciao,
Johannes

Erwin Hamann

Sep 4, 2015, 5:05:46 AM
to git-for-windows, erwing...@gmail.com

Maybe, but I have other experience.

I renamed all *.crt files to *.trc except the one that http.sslcainfo is pointing to (./mingw64/ssl/certs/ca-bundle.crt), and the https communication works fine.

Then I moved ./mingw64/ssl/certs/ca-bundle.crt to several other places, and the "SSL certificate problem: ..." occurred as long as the http.sslcainfo variable was not pointing to it.

Each time I corrected the value of http.sslcainfo, it worked very well.

I find the mechanism of setting http.sslcainfo to the certificate to be used a much better way than manipulating one of the crt files provided by the installation.

As an admin, I like to use untouched files in an installation :-) except config files.


Ciao Erwin
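
The approach from the last message (leave the shipped bundle untouched and point http.sslcainfo at a separate file), as an added example that is not part of any post in this thread. The function names, `company-ca.pem` and the output path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a separate CA bundle instead of editing the shipped one.
# Function names and file names here are hypothetical, not from the thread.

# Count PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle SHIPPED COMPANY_CA OUT
# Writes SHIPPED followed by COMPANY_CA to OUT. SHIPPED is only read.
build_bundle() {
    shipped=$1; company=$2; out=$3
    [ -r "$shipped" ] || { echo "cannot read $shipped" >&2; return 1; }
    [ -r "$company" ] || { echo "cannot read $company" >&2; return 1; }
    # The bundle is concatenated PEM, so refuse DER or other non-PEM input.
    [ "$(count_certs "$company")" -ge 1 ] || {
        echo "$company contains no PEM certificate" >&2; return 1; }
    # awk ends every line with a newline, so a shipped file without a final
    # newline cannot glue its END marker to the next BEGIN marker.
    awk '1' "$shipped" "$company" > "$out.tmp" || return 1
    # Sanity check: the result must hold exactly the sum of both inputs.
    want=$(( $(count_certs "$shipped") + $(count_certs "$company") ))
    got=$(count_certs "$out.tmp")
    [ "$got" -eq "$want" ] || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}

# Point Git at the new bundle: the same setting that `git config -l` showed.
use_bundle() {
    git config --global http.sslCAInfo "$1"
}

# Typical use from Git Bash (paths are assumptions):
#   build_bundle "/c/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt" \
#                company-ca.pem "$HOME/ca-bundle-company.crt" \
#     && use_bundle "$HOME/ca-bundle-company.crt"
```

Because the combined file lives outside the installation folder, a Git upgrade that replaces the shipped bundle does not drop the company certificate, but the combined file has to be rebuilt to pick up root updates from the new shipped bundle.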
