canonical · cjdcordeiro · Jul 11, 2024 · Jun 17, 2024 · Jun 24, 2024 · Jul 5, 2024
diff --git a/slices/ca-certificates.yaml b/slices/ca-certificates.yaml
@@ -5,7 +5,15 @@ essential:
 
 slices:
   data:
+    essential:
+      # This adds the symlink at `etc/ssl/certs.pem` for OpenSSL to look up the
+      # bundled certificate file. See `openssl_data` for details.
+      - openssl_data
     contents:
+      # This bundle of certificates and the config are the results of running
+      # the `update-ca-certificates` script. This script is run by default
+      # by the postinst maintainer script when installed as a deb package.
+      /etc/ca-certificates.conf: {text: FIXME, mutable: true}
       /etc/ssl/certs/ca-certificates.crt: {text: FIXME, mutable: true}
       /usr/share/ca-certificates/mozilla/: {until: mutate}
       /usr/share/ca-certificates/mozilla/*: {until: mutate}
@@ -15,6 +23,29 @@ slices:
         content.read(certs_dir + path) for path in content.list(certs_dir)
       ]
       content.write("/etc/ssl/certs/ca-certificates.crt", "".join(certs))
+      names = [
+        "mozilla/{}".format(name) for name in content.list(certs_dir)
+      ]
+      content.write("/etc/ca-certificates.conf", "\n".join(names))
+
+  # The `_data` slice only provides the bundled certificates and the config file.
+  # To keep the individual certificates, this slice should be included.
+  data-with-certs:
+    essential:
+      - ca-certificates_data
+    contents:
+      /usr/share/ca-certificates/mozilla/*:
+
+  bins:
+    essential:
+      - openssl_bins
+      # The `/usr/sbin/update-ca-certificates` script requires sed to run.
+      - sed_bins
+    contents:
+      # To run update-ca-certificates without breaking the default certificates
+      # at /etc/ssl/certs/ca-certificates.crt, the `_data-with-certs` slice should
+      # also be included. For details, see the `update-ca-certificates` script.
+      /usr/sbin/update-ca-certificates:
 
   copyright:
     contents: