[c9b953e6] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
[4a16903] | 7 | <!ENTITY certhost "https://hg.mozilla.org/">
|
---|
| 8 | <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
|
---|
| 9 | <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
|
---|
| 10 | <!ENTITY ca-bundle-size "1.6 MB">
|
---|
| 11 | <!ENTITY cacerts-buildsize "4.7 MB (with all runtime deps)">
|
---|
| 12 | <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)">
|
---|
| 13 |
|
---|
[30b7db74] | 14 | <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh">
|
---|
[4a16903] | 15 | <!ENTITY make-ca-size "11 KB">
|
---|
[d4b88e83] | 16 | <!ENTITY make-ca-md5sum "65c6cbbb11e6d124b047f4aa0dcb2808">
|
---|
[c9b953e6] | 17 | ]>
|
---|
| 18 |
|
---|
| 19 | <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
|
---|
| 20 | <?dbhtml filename="cacerts.html"?>
|
---|
| 21 |
|
---|
| 22 | <sect1info>
|
---|
| 23 | <othername>$LastChangedBy$</othername>
|
---|
| 24 | <date>$Date$</date>
|
---|
| 25 | </sect1info>
|
---|
| 26 |
|
---|
| 27 | <title>Certificate Authority Certificates</title>
|
---|
| 28 |
|
---|
[4a16903] | 29 | <para>Public Key Infrastructure (PKI) is a method to validate the
|
---|
| 30 | authenticity of an othewise unknown entity across untrusted networks. PKI
|
---|
| 31 | works by establishing a chain of trust, rather than trusting each individual
|
---|
| 32 | host or entity explicitly. In order for a certificate presented by a remote
|
---|
| 33 | entity to be trusted, that certificate must pesent a complete chain of
|
---|
| 34 | certificates that can be validated using the root certificate of a
|
---|
| 35 | Certificate Authority (CA) that is trusted by the local machine.</para>
|
---|
| 36 |
|
---|
| 37 | <para>Establishing trust with a CA involves validating things like company
|
---|
| 38 | address, ownership, contact information, etc., and ensuring that the CA has
|
---|
| 39 | followed best practices, such as udergoing periodic security audits by
|
---|
| 40 | independent investegators and maintaining an always avaialable certificate
|
---|
| 41 | revocation list. This is well outside the scope of BLFS (as it is for most
|
---|
| 42 | Linux distributions). The certificate store provided here is taken from the
|
---|
| 43 | Mozilla Foundation, who have established very strict inclusion policies
|
---|
| 44 | described
|
---|
| 45 | <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para>
|
---|
[c9b953e6] | 46 |
|
---|
[0134954] | 47 | &lfs7a_checked;
|
---|
[c9b953e6] | 48 |
|
---|
| 49 | <indexterm zone="cacerts">
|
---|
| 50 | <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
|
---|
| 51 | </indexterm>
|
---|
| 52 |
|
---|
| 53 | <sect2 role="package">
|
---|
| 54 | <title>Introduction to Certificate Authorities</title>
|
---|
| 55 |
|
---|
| 56 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 57 | <itemizedlist spacing="compact">
|
---|
| 58 | <listitem>
|
---|
[30b7db74] | 59 | <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
|
---|
[c9b953e6] | 60 | </listitem>
|
---|
| 61 | <listitem>
|
---|
[30b7db74] | 62 | <para>Download size: &make-ca-size;</para>
|
---|
| 63 | </listitem>
|
---|
| 64 | <listitem>
|
---|
| 65 | <para>Download MD5 Sum: &make-ca-md5sum;</para>
|
---|
[c9b953e6] | 66 | </listitem>
|
---|
| 67 | <listitem>
|
---|
| 68 | <para>Estimated disk space required: &cacerts-buildsize;</para>
|
---|
| 69 | </listitem>
|
---|
| 70 | <listitem>
|
---|
| 71 | <para>Estimated build time: &cacerts-time;</para>
|
---|
| 72 | </listitem>
|
---|
| 73 | </itemizedlist>
|
---|
| 74 |
|
---|
[4a16903] | 75 |
|
---|
| 76 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
| 77 | <itemizedlist spacing="compact">
|
---|
| 78 | <listitem>
|
---|
| 79 | <para>
|
---|
| 80 | CA Certificates
|
---|
| 81 | <ulink url="&ca-bundle-download;"/>
|
---|
| 82 | </para>
|
---|
| 83 | </listitem>
|
---|
| 84 | </itemizedlist>
|
---|
| 85 |
|
---|
[c9b953e6] | 86 | <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
|
---|
| 87 |
|
---|
| 88 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[4a16903] | 89 | <para role="required"><xref linkend="openssl"/></para>
|
---|
| 90 |
|
---|
| 91 | <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
|
---|
| 92 | <para role="optional">
|
---|
| 93 | <xref linkend="java"/> or <xref linkend="openjdk"/>, and
|
---|
| 94 | <xref linkend="nss"/></para>
|
---|
[c9b953e6] | 95 |
|
---|
| 96 | <para condition="html" role="usernotes">User Notes:
|
---|
| 97 | <ulink url='&blfs-wiki;/cacerts'/></para>
|
---|
| 98 | </sect2>
|
---|
| 99 |
|
---|
| 100 | <sect2 role="installation">
|
---|
| 101 | <title>Installation of Certificate Authority Certificates</title>
|
---|
| 102 |
|
---|
[4a16903] | 103 | <para>The <application>make-ca.sh</application> script will adapt the
|
---|
| 104 | certificates included in the <filename>certdata.txt</filename> file
|
---|
| 105 | for use in multiple certificate stores (if the associated applications are
|
---|
| 106 | present on the system). Additionally, any local certificates stored in
|
---|
| 107 | <filename>/etc/ssl/local</filename> will be imported to the ceritificate
|
---|
| 108 | stores. Certificates in this directory should be stored as PEM encoded
|
---|
| 109 | <application>OpenSSL</application> trusted certificates.</para>
|
---|
| 110 |
|
---|
| 111 | <para>To create an <application>OpenSSL</application> trusted certificate
|
---|
| 112 | from a regular PEM encoded file, provided by a CA not included in Mozilla's
|
---|
| 113 | certificate distribution, you need to add trust arguments to the
|
---|
| 114 | <command>openssl</command> command, and create a new certificate. There are
|
---|
| 115 | three trust types that are recognised by the
|
---|
| 116 | <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
|
---|
| 117 | signing. For example, to allow a certificate to be trusted for both
|
---|
| 118 | SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use
|
---|
| 119 | the following commands to create a new trusted ceritificate that has those
|
---|
| 120 | trust attributes:</para>
|
---|
| 121 |
|
---|
| 122 | <screen><literal>openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1" \
|
---|
| 123 | -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \
|
---|
| 124 | > MyRootCA-trusted.pem</literal></screen>
|
---|
| 125 |
|
---|
| 126 | <para>If a trust argument is omitted, the certificate is neither trusted,
|
---|
| 127 | nor rejected. Clients that use <application>OpenSSL</application> or
|
---|
| 128 | <application>NSS</application> encountering this certificate will present
|
---|
| 129 | a warning to the user. Clients using <application>GnuTLS</application>
|
---|
| 130 | without <application>p11-kit</application> support are not aware of trusted
|
---|
| 131 | certificates. To include this CA into the ca-bundle.crt (used for
|
---|
| 132 | <application>GnuTLS</application>), it must, at very least, have the
|
---|
| 133 | serverAuth trust.</para>
|
---|
| 134 |
|
---|
| 135 | <para>To install the various certificate stores, first install the
|
---|
| 136 | <application>make-ca.sh</application> script into the correct location.
|
---|
| 137 | As the <systemitem class="username">root</systemitem> user:</para>
|
---|
| 138 |
|
---|
| 139 | <screen role="root"><userinput>install -vm755 make-ca.sh /usr/sbin</userinput></screen>
|
---|
| 140 |
|
---|
| 141 | <para>As the <systemitem class="username">root</systemitem> user, make sure
|
---|
| 142 | that certdata.txt is in the current direcotry, and update the certificate
|
---|
| 143 | stores with the following command:</para>
|
---|
| 144 |
|
---|
| 145 | <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
|
---|
| 146 |
|
---|
| 147 | <para>You should periodically download a copy of
|
---|
| 148 | <filename>certdata.txt</filename> and run the
|
---|
| 149 | <application>make-ca.sh</application> script (as the
|
---|
| 150 | <systemitem class="username">root</systemitem> user), or as part of a
|
---|
| 151 | monthly <application>cron</application> job to ensure that you have the
|
---|
| 152 | latest available version of the certificates.</para>
|
---|
| 153 |
|
---|
| 154 | <para>The <filename>certdata.txt</filename> file provided by BLFS is
|
---|
| 155 | obtained from the mozilla-release branch, and is modified to provide a
|
---|
| 156 | simple dated revision. This will be the correct verision for most
|
---|
| 157 | systems. There are, however, several other variants of the file available
|
---|
| 158 | for use that might be preferred for one reason or another, including all
|
---|
| 159 | Mozilla products in this book. RedHat and OpenSUSE, for instace, use the
|
---|
| 160 | version included in <xref linkend="nss"/>. Additional download locations
|
---|
| 161 | are available at:</para>
|
---|
| 162 |
|
---|
| 163 | <itemizedlist spacing="compact">
|
---|
| 164 | <listitem>
|
---|
| 165 | <para>Mozilla Release (the version provided by BLFS):
|
---|
| 166 | <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
|
---|
| 167 | </para>
|
---|
| 168 | </listitem>
|
---|
| 169 | <listitem>
|
---|
| 170 | <para>NSS (this is the latest availalbe version):
|
---|
| 171 | <ulink url="&certhost;projects/nss/raw-file/tip/lib&certpath;"/>
|
---|
| 172 | </para>
|
---|
| 173 | </listitem>
|
---|
| 174 | <listitem>
|
---|
| 175 | <para>Mozilla Central:
|
---|
| 176 | <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
|
---|
| 177 | </para>
|
---|
| 178 | </listitem>
|
---|
| 179 | <listitem>
|
---|
| 180 | <para>Mozilla Beta:
|
---|
| 181 | <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
|
---|
| 182 | </para>
|
---|
| 183 | </listitem>
|
---|
| 184 | <listitem>
|
---|
| 185 | <para>Mozilla Aurora:
|
---|
| 186 | <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
|
---|
| 187 | </para>
|
---|
| 188 | </listitem>
|
---|
| 189 | </itemizedlist>
|
---|
[8b9034a] | 190 |
|
---|
[c9b953e6] | 191 | </sect2>
|
---|
| 192 |
|
---|
| 193 | <sect2 role="content">
|
---|
| 194 | <title>Contents</title>
|
---|
| 195 |
|
---|
| 196 | <segmentedlist>
|
---|
| 197 | <segtitle>Installed Programs</segtitle>
|
---|
| 198 | <segtitle>Installed Libraries</segtitle>
|
---|
| 199 | <segtitle>Installed Directories</segtitle>
|
---|
| 200 |
|
---|
| 201 | <seglistitem>
|
---|
[30b7db74] | 202 | <seg>make-ca.sh</seg>
|
---|
[c9b953e6] | 203 | <seg>None</seg>
|
---|
[4a16903] | 204 | <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
|
---|
[c9b953e6] | 205 | </seglistitem>
|
---|
| 206 | </segmentedlist>
|
---|
| 207 |
|
---|
| 208 | <variablelist>
|
---|
| 209 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 210 | <?dbfo list-presentation="list"?>
|
---|
| 211 | <?dbhtml list-presentation="table"?>
|
---|
| 212 |
|
---|
| 213 | <varlistentry id="make-ca">
|
---|
| 214 | <term><command>make-ca.sh</command></term>
|
---|
| 215 | <listitem>
|
---|
[4a16903] | 216 | <para>is a shell script that adapts a current version of
|
---|
[30b7db74] | 217 | <filename>certdata.txt</filename>, and prepares it for use
|
---|
| 218 | as the system certificate store.</para>
|
---|
[c9b953e6] | 219 | <indexterm zone="cacerts make-ca">
|
---|
| 220 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
| 221 | </indexterm>
|
---|
| 222 | </listitem>
|
---|
| 223 | </varlistentry>
|
---|
| 224 | </variablelist>
|
---|
| 225 |
|
---|
| 226 | </sect2>
|
---|
| 227 | </sect1>
|
---|