Remove all root CA files (beyond test CAs including private key)
from the OpenSSL distribution.
diff --git a/FAQ b/FAQ
index a028834..524b2ba 100644
--- a/FAQ
+++ b/FAQ
@@ -392,6 +392,7 @@
has however been left as default for the sake of compatibility.
* What is a "128 bit certificate"? Can I create one with OpenSSL?
+* How can I set up a bundle of commercial root CA certificates?
The term "128 bit certificate" is a highly misleading marketing term. It does
*not* refer to the size of the public key in the certificate! A certificate
@@ -447,6 +448,20 @@
name of C.
+* How can I set up a bundle of commercial root CA certificates?
+
+The OpenSSL software is shipped without any root CA certificate as the
+OpenSSL project does not have any policy on including or excluding
+any specific CA and does not intend to set up such a policy. Deciding
+about which CAs to support is up to application developers or
+administrators.
+
+Other projects do have other policies so you can for example extract the CA
+bundle used by Mozilla and/or modssl as described in this article:
+
+ http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+
+
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
