source: postlfs/security/cacerts.xml@ 96e9478

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 96e9478 was 96e9478, checked in by Pierre Labastie <pieere@…>, 7 years ago

role="runtime" in postlfs

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@19237 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 10.2 KB
RevLine 
[c9b953e6]1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
[4a16903]7 <!ENTITY certhost "https://hg.mozilla.org/">
8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
10 <!ENTITY ca-bundle-size "1.6 MB">
[dcad3e9]11 <!ENTITY cacerts-buildsize "6.5 MB (with all runtime deps)">
[4a16903]12 <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)">
13
[e6af89ca]14 <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh-&make-ca-version;">
[dcad3e9]15 <!ENTITY make-ca-size "24 KB">
[c7ef815]16 <!ENTITY make-ca-md5sum "a21a04d6ff5c4645c748220dbaa9f221">
[c9b953e6]17]>
18
19<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
20 <?dbhtml filename="cacerts.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>Certificate Authority Certificates</title>
28
[4a16903]29 <para>Public Key Infrastructure (PKI) is a method to validate the
[45db70f]30 authenticity of an otherwise unknown entity across untrusted networks. PKI
[4a16903]31 works by establishing a chain of trust, rather than trusting each individual
32 host or entity explicitly. In order for a certificate presented by a remote
[45db70f]33 entity to be trusted, that certificate must present a complete chain of
[4a16903]34 certificates that can be validated using the root certificate of a
35 Certificate Authority (CA) that is trusted by the local machine.</para>
36
37 <para>Establishing trust with a CA involves validating things like company
38 address, ownership, contact information, etc., and ensuring that the CA has
[da0166b2]39 followed best practices, such as undergoing periodic security audits by
40 independent investigators and maintaining an always available certificate
[4a16903]41 revocation list. This is well outside the scope of BLFS (as it is for most
42 Linux distributions). The certificate store provided here is taken from the
43 Mozilla Foundation, who have established very strict inclusion policies
44 described
45 <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para>
[c9b953e6]46
[ce63bfd2]47 &lfs81_checked;
[c9b953e6]48
49 <indexterm zone="cacerts">
50 <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
51 </indexterm>
52
53 <sect2 role="package">
54 <title>Introduction to Certificate Authorities</title>
55
56 <bridgehead renderas="sect3">Package Information</bridgehead>
57 <itemizedlist spacing="compact">
58 <listitem>
[30b7db74]59 <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
[c9b953e6]60 </listitem>
61 <listitem>
[30b7db74]62 <para>Download size: &make-ca-size;</para>
63 </listitem>
64 <listitem>
65 <para>Download MD5 Sum: &make-ca-md5sum;</para>
[c9b953e6]66 </listitem>
67 <listitem>
68 <para>Estimated disk space required: &cacerts-buildsize;</para>
69 </listitem>
70 <listitem>
71 <para>Estimated build time: &cacerts-time;</para>
72 </listitem>
73 </itemizedlist>
74
[4a16903]75
76 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
77 <itemizedlist spacing="compact">
78 <listitem>
79 <para>
80 CA Certificates
81 <ulink url="&ca-bundle-download;"/>
82 </para>
83 </listitem>
84 </itemizedlist>
85
[c9b953e6]86 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
87
88 <bridgehead renderas="sect4">Required</bridgehead>
[4a16903]89 <para role="required"><xref linkend="openssl"/></para>
90
91 <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
92 <para role="optional">
[96e9478]93 <xref role="runtime" linkend="java"/> or
94 <xref role="runtime" linkend="openjdk"/>,
95 <xref role="runtime" linkend="nss"/>, and
96 <xref role="runtime" linkend="p11-kit"/>
97 </para>
[c9b953e6]98
99 <para condition="html" role="usernotes">User Notes:
100 <ulink url='&blfs-wiki;/cacerts'/></para>
101 </sect2>
102
103 <sect2 role="installation">
104 <title>Installation of Certificate Authority Certificates</title>
105
[e6af89ca]106 <para>The <application>make-ca.sh</application> script will process the
[4a16903]107 certificates included in the <filename>certdata.txt</filename> file
108 for use in multiple certificate stores (if the associated applications are
109 present on the system). Additionally, any local certificates stored in
[da0166b2]110 <filename>/etc/ssl/local</filename> will be imported to the certificate
[4a16903]111 stores. Certificates in this directory should be stored as PEM encoded
112 <application>OpenSSL</application> trusted certificates.</para>
113
114 <para>To create an <application>OpenSSL</application> trusted certificate
115 from a regular PEM encoded file, provided by a CA not included in Mozilla's
116 certificate distribution, you need to add trust arguments to the
117 <command>openssl</command> command, and create a new certificate. There are
[c10fe29]118 three trust types that are recognized by the
[4a16903]119 <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
[c10fe29]120 signing. For example, using the
121 <ulink url="http://www.cacert.org/">CAcert</ulink> root, if you want it to
122 be trusted for all three roles, the following commands will create an
123 appropriate OpenSSL trusted certificate:</para>
124
125<screen role="root"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
126wget http://www.cacert.org/certs/root.crt &amp;&amp;
127openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
128 -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
129 > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen>
130
131 <para>If one of the three trust arguments is omitted, the certificate is
132 neither trusted, nor rejected for that role. Clients that use
133 <application>OpenSSL</application> or <application>NSS</application>
134 encountering this certificate will present a warning to the user. Clients
135 using <application>GnuTLS</application> without
136 <application>p11-kit</application> support are not aware of trusted
[4a16903]137 certificates. To include this CA into the ca-bundle.crt (used for
[45db70f]138 <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
[c10fe29]139 trust. Additionally, to explicitly disallow a certificate for a particular
140 use, replace the <parameter>-addtrust</parameter> flag with the
141 <parameter>-addreject</parameter> flag.</para>
[4a16903]142
143 <para>To install the various certificate stores, first install the
144 <application>make-ca.sh</application> script into the correct location.
145 As the <systemitem class="username">root</systemitem> user:</para>
146
[e6af89ca]147<screen role="root"><userinput>install -vm755 make-ca.sh-&make-ca-version; /usr/sbin/make-ca.sh</userinput></screen>
[4a16903]148
149 <para>As the <systemitem class="username">root</systemitem> user, make sure
[da0166b2]150 that certdata.txt is in the current directory, and update the certificate
[4a16903]151 stores with the following command:</para>
152
[a90ec5a7]153 <note>
154 <para>If running the script a second time with the same version of
155 <filename>certdata.txt</filename>, for instance, to add additional stores
156 as the requisite software is installed, add the <parameter>-f</parameter>
157 switch to the command line. If packaging, run <command>make-ca.sh
158 --help</command> to see all available command line options.</para>
159 </note>
160
[4a16903]161<screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
162
163 <para>You should periodically download a copy of
164 <filename>certdata.txt</filename> and run the
165 <application>make-ca.sh</application> script (as the
166 <systemitem class="username">root</systemitem> user), or as part of a
167 monthly <application>cron</application> job to ensure that you have the
168 latest available version of the certificates.</para>
169
170 <para>The <filename>certdata.txt</filename> file provided by BLFS is
171 obtained from the mozilla-release branch, and is modified to provide a
[da0166b2]172 simple dated revision. This will be the correct version for most
[4a16903]173 systems. There are, however, several other variants of the file available
[e6af89ca]174 for use that might be preferred for one reason or another, including the
175 files shipped with Mozilla products in this book. RedHat and OpenSUSE,
176 for instance, use the version included in <xref linkend="nss"/>. Additional
177 upstream downloads are available at the links below.</para>
[4a16903]178
179 <itemizedlist spacing="compact">
180 <listitem>
181 <para>Mozilla Release (the version provided by BLFS):
182 <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
183 </para>
184 </listitem>
185 <listitem>
[da0166b2]186 <para>NSS (this is the latest available version):
[a3e625dd]187 <ulink url="&certhost;projects/nss/raw-file/tip&certpath;"/>
[4a16903]188 </para>
189 </listitem>
190 <listitem>
191 <para>Mozilla Central:
192 <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
193 </para>
194 </listitem>
195 <listitem>
196 <para>Mozilla Beta:
197 <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
198 </para>
199 </listitem>
200 <listitem>
201 <para>Mozilla Aurora:
202 <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
203 </para>
204 </listitem>
205 </itemizedlist>
[8b9034a]206
[c9b953e6]207 </sect2>
208
209 <sect2 role="content">
210 <title>Contents</title>
211
212 <segmentedlist>
213 <segtitle>Installed Programs</segtitle>
214 <segtitle>Installed Libraries</segtitle>
215 <segtitle>Installed Directories</segtitle>
216
217 <seglistitem>
[30b7db74]218 <seg>make-ca.sh</seg>
[c9b953e6]219 <seg>None</seg>
[4a16903]220 <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
[c9b953e6]221 </seglistitem>
222 </segmentedlist>
223
224 <variablelist>
225 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
226 <?dbfo list-presentation="list"?>
227 <?dbhtml list-presentation="table"?>
228
229 <varlistentry id="make-ca">
230 <term><command>make-ca.sh</command></term>
231 <listitem>
[4a16903]232 <para>is a shell script that adapts a current version of
[30b7db74]233 <filename>certdata.txt</filename>, and prepares it for use
234 as the system certificate store.</para>
[c9b953e6]235 <indexterm zone="cacerts make-ca">
236 <primary sortas="b-make-ca">make-ca</primary>
237 </indexterm>
238 </listitem>
239 </varlistentry>
240 </variablelist>
241
242 </sect2>
243</sect1>
Note: See TracBrowser for help on using the repository browser.