Certificate Authorities: curl-ca-bundle, certsync, keychain

[Landon Fuller]

Howdy,

Over the weekend I whipped up (and added a port for) 'certsync'; it's a small tool that fetches all trusted certificates from the Mac OS X system keychain, and then spits them out as OpenSSL-readable pem-encode certificate bundle.

The goal was to provide a replacement for curl-ca-bundle with the following benefits:
	- Uses the CAs Apple provides -- that way MacPorts doesn't have to be in the business of distributing CA certificates.
	- Also includes any custom CAs that the user has added. This is the case for many people who use internal CAs to sign certificates for their corporate (or personal) services.
	- Automatically updates (if the launchd item is loaded) when the System Keychain(s) or trust settings are modified. 

There are a few gotchas that I could use input on, however:
	- curl-ca-bundle currently lays claim to ${prefix}/etc/openssl/cacerts.pem. This conflicts with certsync, and there's no way to have both installed at the same time.
	- A small number of ports directly depend on curl-ca-bundle to ensure that valid CA certificates are available.
	- certsync can only keep the cert.pem file up-to-date if the launchd item is enabled. Ideally that would be done by default, but that's not currently supported.

Any thoughts on how to proceed?

I'm currently using certsync locally; to install, you'll have to:
	sudo port -f deactivate curl-ca-bundle
	sudo port install certsync

-landonf