* update ca-certificates to 20240618-1

2024-07-25 20:31:31 +02:00 · 2024-07-25 20:31:31 +02:00 · 8540caf2ad
commit 8540caf2ad
parent be41cef9f3
5 changed files with 298 additions and 105 deletions
--- a/ca-certificates/.SRCINFO
+++ b/ca-certificates/.SRCINFO
@ -0,0 +1,46 @@
 pkgbase = ca-certificates
 	pkgdesc = Common CA certificates
 	pkgver = 20240618
 	pkgrel = 1
 	url = https://src.fedoraproject.org/rpms/ca-certificates
 	arch = any
 	license = GPL-2.0-or-later
 	makedepends = asciidoc
 	makedepends = p11-kit
 	source = 40-update-ca-trust.hook
 	source = README.etc
 	source = README.etcssl
 	source = README.extr
 	source = README.java
 	source = README.src
 	source = README.usr
 	source = update-ca-trust
 	source = update-ca-trust.8.txt
 	b2sums = 82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004
 	b2sums = 0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c
 	b2sums = a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a
 	b2sums = ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf
 	b2sums = 9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9
 	b2sums = 1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362
 	b2sums = 57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd
 	b2sums = 31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd
 	b2sums = 08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8
 pkgname = ca-certificates-utils
 	pkgdesc = Common CA certificates (utilities)
 	install = ca-certificates-utils.install
 	depends = bash
 	depends = coreutils
 	depends = findutils
 	depends = p11-kit
 	provides = ca-certificates
 	provides = ca-certificates-java
 	conflicts = ca-certificates-java
 	replaces = ca-certificates-java
 pkgname = ca-certificates
 	pkgdesc = Common CA certificates - default providers
 	license = CC0-1.0
 	depends = ca-certificates-mozilla
 	conflicts = ca-certificates-cacert<=20140824-4
 	replaces = 
--- a/ca-certificates/PKGBUILD
+++ b/ca-certificates/PKGBUILD
@ -3,25 +3,35 @@
 # Contributor: Pierre Schmitz <pierre@archlinux.de>
 pkgbase=ca-certificates
-pkgname=(ca-certificates-utils ca-certificates)
+pkgname=(
-pkgver=20220905
+  ca-certificates-utils
  ca-certificates
 )
 pkgver=20240618
 pkgrel=1
 pkgdesc="Common CA certificates"
 url="https://src.fedoraproject.org/rpms/ca-certificates"
 arch=(any)
-license=(GPL)
+license=(GPL-2.0-or-later)
-makedepends=(asciidoc p11-kit)
+makedepends=(
-source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
+  asciidoc
-        README.{etc,etcssl,extr,java,src,usr})
+  p11-kit
-sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
+)
-            '7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
+source=(
-            '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
+  40-update-ca-trust.hook
-            'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
+  README.{etc,etcssl,extr,java,src,usr}
-            'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
+  update-ca-trust
-            'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
+  update-ca-trust.8.txt
-            '5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
+)
-            'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
+b2sums=('82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004'
-            '3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
+        '0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c'
        'a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a'
        'ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf'
        '9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9'
        '1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362'
        '57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd'
        '31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd'
        '08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8')
 build() {
  a2x -v -f manpage update-ca-trust.8.txt
@ -29,8 +39,16 @@ build() {
 package_ca-certificates-utils() {
  pkgdesc+=" (utilities)"
-  depends=(bash coreutils findutils 'p11-kit>=0.24.0')
+  depends=(
-  provides=(ca-certificates ca-certificates-java)
+    bash
    coreutils
    findutils
    p11-kit
  )
  provides=(
    ca-certificates
    ca-certificates-java
  )
  conflicts=(ca-certificates-java)
  replaces=(ca-certificates-java)
  install=ca-certificates-utils.install
@ -39,32 +57,43 @@ package_ca-certificates-utils() {
  install -Dt "$pkgdir/usr/share/man/man8" -m644 update-ca-trust.8
  install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
  local etcdir="$pkgdir/etc/$pkgbase"
  local ssldir="$pkgdir/etc/ssl"
  local usrdir="$pkgdir/usr/share/$pkgbase"
  # Trust source directories
-  install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
+  install -Dm644 README.etc "$etcdir/README"
-  install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
+  install -Dm644 README.src "$etcdir/trust-source/README"
-  install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
+  install -Dm644 README.usr "$usrdir/trust-source/README"
-  install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
+  install -d {"$etcdir","$usrdir"}/trust-source/{anchors,blocklist}
  # Directories used by update-ca-trust (aka "trust extract-compat")
-  install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
+  install -Dm644 README.etcssl "$ssldir/README"
-  install -Dm644 README.java   "$pkgdir/etc/ssl/certs/java/README"
+  install -Dm644 README.java   "$ssldir/certs/java/README"
-  install -Dm644 README.extr   "$pkgdir/etc/$pkgbase/extracted/README"
+  install -Dm644 README.extr   "$etcdir/extracted/README"
  # Compatibility link for OpenSSL using /etc/ssl as CAdir
  # Used in preference to the individual links in /etc/ssl/certs
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/cert.pem"
  # Compatibility link for legacy bundle (Debian)
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-certificates.crt"
  # Compatibility link for legacy bundle (RHEL/Fedora)
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-bundle.crt"
  # FIXME: Make "$ssldir/certs/java/cacerts" a packaged symlink, too
 }
 package_ca-certificates() {
-  pkgdesc+=" (default providers)"
+  pkgdesc+=" - default providers"
-  depends=(ca-certificates-mozilla)
+  license=(CC0-1.0)
-  conflicts=('ca-certificates-cacert<=20140824-4')
+  depends=(
    ca-certificates-mozilla
  )
  conflicts=(
    'ca-certificates-cacert<=20140824-4'
  )
  replaces=("${conflicts[@]}")
 }
--- a/ca-certificates/README.extr
+++ b/ca-certificates/README.extr
@ -7,20 +7,42 @@ The files are as follows:
  - ca-bundle.trust.crt:
-    This file is in the BEGIN/END TRUSTED CERTIFICATE file format, 
+    Contains CA certificates in the BEGIN/END TRUSTED CERTIFICATE file format.
-    as described in the x509(1) manual page.
+
    This is the only file in a format carrying distrust information.
    Distrusted certificates are missing from the other files.
  - email-ca-bundle.pem:
    Contains CA certificates trusted for E-Mail protection in the
    BEGIN/END CERTIFICATE file format.
  - objsign-ca-bundle.pem:
    Contains CA certificates trusted for code signing in the
    BEGIN/END CERTIFICATE file format.
  - tls-ca-bundle.pem:
    Contains CA certificates trusted for TLS server authentication in the
    BEGIN/END CERTIFICATE file format.
  - cadir/:
    Directory containing individual certificates trusted for TLS server
    authentication in the BEGIN/END CERTIFICATE file format.
    Also includes the necessary hash symlinks expected by OpenSSL.
  - edk2-cacerts.bin:
-    This file is in the EDK2 (EFI Development Kit II) file format.
+    Contains CA certificates trusted for TLS server authentication in the
    EDK2 (EFI Development Kit II) file format.
-  - email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
+  - java-cacerts.jks:
-    All files are in the BEGIN/END CERTIFICATE file format, 
+    Contains CA certificates trusted for TLS server authentication in the
-    as described in the x509(1) manual page.
+    Java KeyStore file format.
    Distrust information cannot be represented in this file format,
    and distrusted certificates are missing from these files.
 If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
 then you can use these files in your application to load a list of global
--- a/ca-certificates/update-ca-trust
+++ b/ca-certificates/update-ca-trust
@ -1,7 +1,8 @@
 #!/bin/bash
-# At this time, while this script is trivial, we ignore any parameters given.
+set -eu
-# However, for backwards compatibility reasons, future versions of this script must
+
 # For backwards compatibility reasons, future versions of this script must
 # support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.
@ -10,33 +11,114 @@ DEST=/etc/ca-certificates/extracted
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
-extract() {
+usage() {
-  trust extract --overwrite "$@"
+  fold -s -w 79 >&2 <<EOF
 Usage: $0 [extract] [-o DIR|--output=DIR]
 Update the system trust store in $DEST.
 COMMANDS
  (absent/empty command): Same as the extract command described below.
  extract: Instruct update-ca-trust to scan the source configuration in
  /usr/share/ca-certificates/trust-source and /etc/ca-certificates/trust-source
  and produce updated versions of the consolidated configuration files stored
  below the $DEST directory hierarchy.
 EXTRACT OPTIONS
  -o DIR, --output=DIR: Write the extracted trust store into the given
                        directory instead of updating
                        $DEST.
 EOF
 }
-## Simple PEM bundles
+extract() {
-extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth  $DEST/tls-ca-bundle.pem
+  local dest="$DEST" f=
 extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email        $DEST/email-ca-bundle.pem
 extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
-## OpenSSL PEM bundle that includes trust flags
+  # can't use getopt here. ca-certificates can't depend on a lot
-extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
+  # of other libraries since openssl depends on ca-certificates
  # just fail when we hand parse
-## TianoCore EDK II bundle
+  while (( $# != 0 )); do
-extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin
+    case "$1" in
      "-o"|"--output")
        dest="$2"
        shift 2
        continue
        ;;
      "--")
        shift
        break
        ;;
      *)
        usage
        exit 1
        ;;
    esac
  done
-## Java bundle
+  mkdir -p "$dest"
 extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts
-## OpenSSL-style directory with individual PEM files and hash links
+  # Simple PEM bundles (BEGIN CERTIFICATE)
-# The directory-format extractors remove all files in the target directory, but not directories or files therein
+  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
-extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir
+    --purpose=server-auth "$dest/tls-ca-bundle.pem"
  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
    --purpose=email "$dest/email-ca-bundle.pem"
  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
    --purpose=code-signing "$dest/objsign-ca-bundle.pem"
-# We don't want to have to remove everything from the certs directory but neither
+  # OpenSSL PEM bundle that includes trust flags (BEGIN TRUSTED CERTIFICATE)
-# do we want to leave stale certs around, so only place symlinks in the real cadir
+  trust extract --overwrite --comment --format=openssl-bundle \
-for f in $DEST/cadir/*; do
+    --filter=certificates "$dest/ca-bundle.trust.crt"
  ln -fsr -t /etc/ssl/certs "$f"
 done
-# Now find and remove all broken symlinks
+  # TianoCore EDK II bundle
-find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+  trust extract --overwrite --format=edk2-cacerts --filter=ca-anchors \
    --purpose=server-auth "$dest/edk2-cacerts.bin"
  # Java KeyStore bundle
  trust extract --overwrite --format=java-cacerts --filter=ca-anchors \
    --purpose=server-auth "$dest/java-cacerts.jks"
  # Hashed directory of simple PEM certs
  # (BEGIN CERTIFICATE, usable as OpenSSL CApath and by GnuTLS)
  trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors \
    --purpose=server-auth "$dest/cadir"
  if [[ $dest == $DEST ]]; then
    # We can't extract directly to /etc/ssl/certs as this would indiscriminately
    # empty the directory, but it contains packaged symlinks and directories.
    # Symlink all files from the extracted cadir
    for f in "$dest"/cadir/*; do
      ln -fsr -t /etc/ssl/certs "$f"
    done
    # Now find and remove all broken symlinks
    find -L /etc/ssl/certs -maxdepth 1 -type l -delete
    ln -fsr "$dest/java-cacerts.jks" /etc/ssl/certs/java/cacerts
  fi
 }
 if (( $# < 1 )); then
    set -- extract
 fi
 case "$1" in
  "extract")
    shift
    extract $@
  ;;
  "--"*|"-"*)
    # First parameter seems to be an option, assume the command is 'extract'
    extract $@
  ;;
  *)
    echo >&2 "Error: Unknown command: $1"
    echo >&2
    usage
    exit 1
  ;;
 esac
 # vim:set sw=2 sts=-1 et:
--- a/ca-certificates/update-ca-trust.8.txt
+++ b/ca-certificates/update-ca-trust.8.txt
@ -27,7 +27,7 @@ certificates and associated trust
 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
 DESCRIPTION
@ -36,7 +36,7 @@ update-ca-trust(8) is used to manage a consolidated and dynamic configuration
 feature of Certificate Authority (CA) certificates and associated trust.
 The feature is available for new applications that read the
-consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
+consolidated configuration files found in the /etc/ca-certificates/extracted directory
 or that load the PKCS#11 module p11-kit-trust.so
 Parts of the new feature are also provided in a way to make it useful
@ -52,7 +52,7 @@ for classic configuration files and for the classic NSS trust module named libns
 In order to enable legacy applications, that read the classic files or 
 access the classic module, to make use of the new consolidated and dynamic configuration 
-feature, some classic filenames have been changed to symbolic links.
+feature, the classic filenames have been changed to symbolic links.
 The symbolic links refer to dynamically created and consolidated 
 output stored below the /etc/ca-certificates/extracted directory hierarchy.
@ -143,12 +143,12 @@ Please refer to the x509(1) manual page for the documentation of the
 BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
 Applications that rely on a static file for a list of trusted CAs
-may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
+may load one of the files found in the /etc/ca-certificates/extracted
-directories. After modifying any file in the
+directory. After modifying any file in the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories or in any of their subdirectories, or after adding a file, 
 it is necessary to run the 'update-ca-trust extract' command,
-in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
+in order to update the consolidated files in /etc/ca-certificates/extracted/ .
 Applications that load the classic PKCS#11 module using filename libnssckbi.so 
 (which has been converted into a symbolic link pointing to the new module)
@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the
 [[extractconf]]
 EXTRACTED CONFIGURATION
 -----------------------
-The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate 
+The directory /etc/ca-certificates/extracted/ contains generated CA certificate 
 bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
 by running the 'update-ca-trust extract' command.
@ -169,7 +169,7 @@ If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
 then you can use these files in your application to load a list of global
 root CA certificates.
-Please never manually edit the files stored in these directories,
+Please never manually edit the files stored in this directory,
 because your changes will be lost and the files automatically overwritten,
 each time the 'update-ca-trust extract' command gets executed.
@ -178,22 +178,19 @@ please rather install them in the respective subdirectory below the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
-The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
+The directory /etc/ca-certificates/extracted/ contains 
 Distrust information cannot be represented in this format,
 and distrusted certificates are missing from these files.
 The directory /etc/ssl/certs/java contains 
 a CA certificate bundle in the java keystore file format.
 Distrust information cannot be represented in this file format,
 and distrusted certificates are missing from these files.
-File cacerts contains CA certificates trusted for TLS server authentication.
+File java-cacerts.jks contains CA certificates trusted for TLS server authentication.
-The directory /etc/ca-certificates/extracted contains 
+It also contains 
-a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
+CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
 as described in the x509(1) manual page.
 File ca-bundle.trust.crt contains the full set of all trusted
 or distrusted certificates, including the associated trust flags.
-It also contains
+
 It also contains 
 CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
 as described in the x509(1) manual page.
 Distrust information cannot be represented in this file format,
@ -204,6 +201,7 @@ File email-ca-bundle.pem contains CA certificates
 trusted for E-Mail protection.
 File objsign-ca-bundle.pem contains CA certificates 
 trusted for code signing.
 It also contains a CA
 certificate bundle ("edk2-cacerts.bin") in the "sequence of
 EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
@ -216,34 +214,46 @@ server authentication.
 COMMANDS
 --------
-(absent/empty command)::
+(absent/empty command)
-    Same as the *extract* command described below. (However, the command may
+~~~~~~~~~~~~~~~~~~~~~~
-    print fewer warnings, as this command is being run during package 
+Same as the *extract* command described below. (However, the command may print
-    installation, where non-fatal status output is undesired.)
+fewer warnings, as this command is being run during rpm package installation,
 where non-fatal status output is undesired.)
-*extract*::
+extract
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
+~~~~~~~
-    updated versions of the consolidated configuration files stored below
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
-    the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
+produce updated versions of the consolidated configuration files stored below
 the /etc/ca-certificates/extracted directory hierarchy.
 EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
 	updating /etc/ca-certificates/extracted.
 FILES
 -----
 /etc/ssl/certs::
 	Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	Also includes the necessary hash symlinks expected by OpenSSL.
 	These files are symbolic links that are maintained by the update-ca-trust command.
 /etc/ssl/certs/ca-certificates.crt::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
 /etc/ssl/cert.pem::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-/etc/ssl/java/cacerts::
+/etc/ssl/certs/::
 	Classic directory, contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	Also includes the necessary hash symlinks expected by OpenSSL.
 	The files are symbolic links that refer to the output created by the update-ca-trust command.
 /etc/ssl/certs/ca-bundle.crt::
 	Classic filename for compatibility with RHEL/Fedora, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
 /etc/ssl/certs/ca-certificates.crt::
 	Classic filename for compatibility with Debian, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
 /etc/ssl/certs/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
-	This file is consolidated output created by the update-ca-trust command.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
 /usr/share/ca-certificates/trust-source::
 	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
@ -256,8 +266,8 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
-/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
-	File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
 	This file is consolidated output created by the update-ca-trust command.
 /etc/ca-certificates/extracted/email-ca-bundle.pem::
@ -268,11 +278,11 @@ FILES
 	File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.
-/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
-	File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+	File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.
-/etc/ca-certificates/extracted/cadir::
+/etc/ca-certificates/extracted/cadir/::
 	Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	Also includes the necessary hash symlinks expected by OpenSSL.
 	These files are maintained by the update-ca-trust command.
@ -281,6 +291,10 @@ FILES
 	File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.
 /etc/ca-certificates/extracted/java-cacerts.jks::
 	File contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.
 AUTHOR
 ------
-Written by Kai Engert and Stef Walter.
+Written by Kai Engert and Stef Walter for Fedora. Modified for Arch Linux by Jan Alexander Steffens (heftig).