History log of /src/usr.sbin/certctl/
Revision  Date  Author  Comments
Revision tags: perseant-exfatfs-base-20250801 netbsd-11-base perseant-exfatfs-base-20240630 perseant-exfatfs-base
1.3 03-Sep-2023 riastradh

branches: 1.3.2;
certctl(8): Install certs.conf in /usr/share/examples too.

This way postinstall(8) can refer to the default one when you've done
an upgrade without etcupdate or similar to pull in new config files
from etc.tgz.

Not great -- we should do this systematically for all config files in
/etc, but this one-off hack is less risky for 10.


1.2 28-Aug-2023 riastradh

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.


1.1 26-Aug-2023 riastradh

certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.


Revision tags: perseant-exfatfs-base-20250801 netbsd-11-base perseant-exfatfs-base-20240630 perseant-exfatfs-base
1.3 11-Oct-2023 riastradh

certctl(8): Reword various things in an attempt to clarify.

Suggest /etc/openssl/certs.local in the example config file. Maybe
we can/should formalize this but let's just start with a suggestion.

XXX pullup-10


1.2 02-Sep-2023 riastradh

branches: 1.2.2;
certctl(8): Minor man page clarifications.

- Specify exactly what /etc/openssl/certs gets populated with.
- Change HTTPS to TLS.
- Specify the permitted character class in certs.conf.
(Maybe more conservative than strictly needed; but let's stay on
the safe side.)


1.1 26-Aug-2023 riastradh

certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.


Revision tags: perseant-exfatfs-base-20250801 netbsd-11-base perseant-exfatfs-base-20240630 perseant-exfatfs-base
1.7 04-Mar-2024 riastradh

certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and
`fi' must be a _non-empty_ list of commands:

compound_list : linebreak term
| linebreak term separator
;
...
if_clause : If compound_list Then compound_list else_part Fi
| If compound_list Then compound_list Fi
;
else_part : Elif compound_list Then compound_list
| Elif compound_list Then compound_list else_part
| Else compound_list
;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty
sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.


1.6 03-Mar-2024 riastradh

certctl(8): Avoid basename(1).

Saves some time running subprocesses. Since this is only used for
non-directories (i.e., there's never trailing / on the inputs), it
suffices to delete the longest prefix matching glob `*/' with shell
parameter expansion -- much cheaper than spawning a subprocess.

Shaves off about 1/3 of the time spent in `certctl list' on an
aarch64 VM in qemu.

PR bin/57993


1.5 05-Sep-2023 riastradh

certctl(8): Fix permissions on ca-certificates.crt bundle: 0644.

While here, write it atomically: write to .tmp first, then rename
when done; this way applications never see a partially-written bundle
at /etc/openssl/certs/ca-certificates.crt.

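The two idioms described in the 1.6 and 1.5 entries above (stripping the directory part with parameter expansion instead of spawning basename(1), and writing the bundle to a .tmp file and renaming it into place with mode 0644), as an added shell example. This is not certctl's own code; the function names are assumptions for illustration, and the certificate contents are constructed placeholders. Double-quoting every expansion and passing `--` before pathnames are the defences against the "evil pathnames" the 1.4 entry refers to.

```shell
#!/bin/sh
# Added example, not certctl(8)'s own code. Function names are assumptions.

# basename(1) without a subprocess: drop the longest prefix matching '*/'.
# Only correct for non-directory paths, i.e. no trailing slash, which is
# all the log says certctl needs.
cert_basename() {
	printf '%s\n' "${1##*/}"
}

# Concatenate PEM files into a CA bundle. The bundle is assembled in
# "$bundle.tmp", forced to mode 0644, then renamed into place, so a reader
# opening $bundle never sees a partially written file.
#   $1 = destination bundle path; remaining args = certificate files.
write_bundle_atomically() {
	bundle=$1; shift
	tmp="$bundle.tmp"
	# Create the temp file 0644 regardless of the caller's umask.
	(umask 022; : > "$tmp") || return 1
	for cert in "$@"; do
		cat -- "$cert" >> "$tmp" || { rm -f -- "$tmp"; return 1; }
	done
	# chmod again in case a stale .tmp from a crashed run had other bits.
	chmod 0644 -- "$tmp" || { rm -f -- "$tmp"; return 1; }
	mv -f -- "$tmp" "$bundle"	# rename(2): atomic within one filesystem
}

# Demo on constructed input in a scratch directory (a space in the file
# name exercises the quoting).
demo_dir=$(mktemp -d) || exit 1
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' \
	'-----END CERTIFICATE-----' > "$demo_dir/Example Root.pem"
write_bundle_atomically "$demo_dir/ca-certificates.crt" "$demo_dir/Example Root.pem"
echo "wrote $(cert_basename "$demo_dir/ca-certificates.crt") from $(cert_basename "$demo_dir/Example Root.pem")"
rm -rf -- "$demo_dir"
```

The rename is only atomic when the .tmp file lives on the same filesystem as the final bundle, which is why it is created next to the destination rather than under /tmp.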

1.4 02-Sep-2023 riastradh

branches: 1.4.2;
certctl(8): Fix some bugs with evil pathnames.


1.3 28-Aug-2023 riastradh

certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or
non-directories there.

This way, we have the following transitions on system updates:

- If /etc/openssl/certs is empty (as in default NetBSD<10 installs):
quietly populated on rehash.

- If /etc/openssl/certs is nonempty (you've added things to it,
e.g. by hand or with mozilla-rootcerts) and has never been managed
by certctl(8): left alone on rehash, with an error message to
explain what you need to do.

- If /etc/openssl/certs has been managed by certctl(8): quietly
updated on rehash.

Note: This means current installations made since certctl(8) was
added will be treated like /etc/openssl/certs is nonempty and has
never been managed by certctl(8). To work around this, you can just
delete /etc/openssl/certs and rerun `certctl rehash'.

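The three rehash transitions listed in the 1.3 entry above, plus the symlink and non-directory refusals it mentions, as an added shell example that is not certctl's own code. It assumes a marker file (here named `.managed-by-example`) records that the directory is managed; certctl's actual bookkeeping may differ. A missing directory is treated like an empty one, which is what the note about deleting /etc/openssl/certs and rerunning `certctl rehash` relies on.

```shell
#!/bin/sh
# Added example, not certctl(8)'s own code. The marker file name and the
# function names are assumptions for illustration.

MARKER=.managed-by-example

# Print one of: missing, empty, managed, unmanaged, notdir.
# Symlinks and non-directories are refused rather than replaced.
classify_certs_dir() {
	dir=$1
	if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
		echo notdir; return 0
	fi
	if [ ! -e "$dir" ]; then
		echo missing; return 0
	fi
	if [ -e "$dir/$MARKER" ]; then
		echo managed; return 0
	fi
	# Any entry at all, dotfiles included, means someone populated it by hand.
	for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
		[ -e "$entry" ] || [ -L "$entry" ] || continue
		echo unmanaged; return 0
	done
	echo empty
}

# Record that the directory is now managed (call after populating it).
mark_managed() {
	: > "$1/$MARKER"
}

# Print "proceed" and return 0 when rehash may (re)populate $1; otherwise
# explain on stderr and return 1, leaving the directory untouched.
rehash_policy() {
	case $(classify_certs_dir "$1") in
	missing|empty|managed)
		echo proceed; return 0 ;;
	unmanaged)
		echo "$1 is nonempty and not managed; move it aside or delete it, then rerun rehash" >&2
		return 1 ;;
	notdir)
		echo "$1 is a symlink or not a directory; refusing to touch it" >&2
		return 1 ;;
	esac
}

# Demo in a scratch directory: empty -> populated and marked -> managed.
demo=$(mktemp -d) || exit 1
echo "fresh: $(classify_certs_dir "$demo") -> $(rehash_policy "$demo")"
printf '%s\n' 'constructed placeholder' > "$demo/example.pem"
mark_managed "$demo"
echo "after rehash: $(classify_certs_dir "$demo") -> $(rehash_policy "$demo")"
rm -rf -- "$demo"
```

The dotfile globs matter: a directory containing only `.hidden` is still "nonempty" to the user who put it there, so it must be classified unmanaged rather than silently overwritten.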

1.2 28-Aug-2023 riastradh

certctl(8): Exit nonzero on missing certs.conf.


1.1 26-Aug-2023 riastradh

certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.


Revision tags: perseant-exfatfs-base-20250801 netbsd-11-base perseant-exfatfs-base-20240630 perseant-exfatfs-base
1.1 26-Aug-2023 riastradh

branches: 1.1.2;
certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.