Shared System Certificates
Currently Tools like NSS (Mozilla products like Firefox/Thunderbird), GnuTLS, OpenSSL and Java on a Fedora box ship their own public key certificates and their own trust relationships. This means if an administrator wants to add/modify/delete trust to certain Certificates, he might have to modify several different stores in order to get the correct security.
A new feature in Fedora 19 is a system wide trust store of static data to be used by crypto toolkits as input for certificate trust decisions.
This feature the tools listed above a default source for retrieving system certificate anchors and black list information. Fedora 19 will be the first step toward development of a comprehensive solution.
Look at the feature for more information on the changes, but the following two sections explain the key benefits to this feature and how users will use it.
Benefit to Fedora
The goal is to empower administrators to configure additional trusted CAs, or to override the trust settings of CAs, on a system wide level, as required by local system environments or corporate deployments. Although this is theoretically possible today, it's extremely hard to get right.
Fedora will immediately gain a unified approach to system anchor certificates and black lists. This is then built on in the future to be a comprehensive solution.
Administrators will be able to use a tool to add a certificate authority file to the system trust store and have it recognized by all relevant applications.
Users will stop being surprised by incoherent and unpredictable trust decisions when using different applications with websites/services which require custom trust policy.