Certificate Authority Certificates

Introduction to Certificate Authorities

Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.

Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.

Package Information

Download (HTTP):
Download size:
Download MD5 Sum:
Estimated disk space required:
Estimated build time:

Additional Downloads

CA Certificates

Certificate Authority Certificates Dependencies

Required
Optional (runtime)

User Notes:

Installation of Certificate Authority Certificates

The make-ca.sh script will adapt the certificates included in the certdata.txt file for use in multiple certificate stores (if the associated applications are present on the system). Additionally, any local certificates stored in /etc/ssl/local will be imported to the certificate stores. Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates.
To create an OpenSSL trusted certificate from a regular PEM encoded file, provided by a CA not included in Mozilla's certificate distribution, you need to add trust arguments to the openssl command, and create a new certificate. There are three trust types that are recognised by the make-ca.sh script: SSL/TLS, S/MIME, and code signing. For example, to allow a certificate to be trusted for both SSL/TLS and S/MIME, but explicitly rejected for code signing, you could use the following command to create a new trusted certificate that has those trust attributes:

openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1" \
    -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \
    > MyRootCA-trusted.pem

If a trust argument is omitted, the certificate is neither trusted nor rejected. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA in the ca-bundle.crt (used for GnuTLS), it must, at the very least, have the serverAuth trust.

To install the various certificate stores, first install the make-ca.sh script into the correct location. As the root user:

install -vm755 make-ca.sh /usr/sbin

As the root user, make sure that certdata.txt is in the current directory, and update the certificate stores with the following command:

/usr/sbin/make-ca.sh

You should periodically download a copy of certdata.txt and run the make-ca.sh script (as the root user), or run it as part of a monthly cron job, to ensure that you have the latest available version of the certificates.

The certdata.txt file provided by BLFS is obtained from the mozilla-release branch, and is modified to provide a simple dated revision. This will be the correct version for most systems.
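To check what a file such as MyRootCA-trusted.pem actually carries before dropping it into /etc/ssl/local, the Python below (an added example, not part of this page or of make-ca.sh) reads the trust attributes back out of an OpenSSL trusted certificate: the PEM body is the DER certificate followed by OpenSSL's X509_CERT_AUX structure (trust OIDs, a [0]-tagged reject list, an optional UTF8String alias), and the serverAuth check applies the ca-bundle.crt rule from the text above. The sample input is constructed, with a 5-byte placeholder standing in for a real certificate.

```python
import base64
import re
# EKU OIDs behind the purpose names openssl accepts for -addtrust/-addreject
OIDS = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.3": "codeSigning",
        "1.3.6.1.5.5.7.3.4": "emailProtection"}

def _tlv(data, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                        # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))

def parse_trusted_pem(pem):
    """Trust attributes of an OpenSSL 'TRUSTED CERTIFICATE' PEM (cert DER + X509_CERT_AUX)."""
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an OpenSSL trusted certificate (plain CERTIFICATE?)")
    der = base64.b64decode(m.group(1))
    _, _, pos = _tlv(der, 0)                   # skip the Certificate SEQUENCE
    aux = _tlv(der, pos)[1] if pos < len(der) else b""
    info, pos = {"trust": [], "reject": [], "alias": None}, 0
    while pos < len(aux):
        tag, val, pos = _tlv(aux, pos)
        if tag in (0x30, 0xA0):                # trust SEQUENCE / [0] IMPLICIT reject SEQUENCE
            key, p = ("trust" if tag == 0x30 else "reject"), 0
            while p < len(val):
                oid, p = _tlv(val, p)[1:]
                info[key].append(OIDS.get(_decode_oid(oid), _decode_oid(oid)))
        elif tag == 0x0C:                      # UTF8String alias set with -setalias
            info["alias"] = val.decode()
    # make-ca.sh only includes a CA in ca-bundle.crt (GnuTLS) when it has serverAuth trust
    info["in_ca_bundle"] = "serverAuth" in info["trust"]
    return info

# Constructed sample: a 5-byte placeholder stands in for the real DER certificate, then
# CertAux = trust{serverAuth, emailProtection}, reject[0]{codeSigning}, alias "My Root CA 1"
SAMPLE_DER = bytes.fromhex(
    "3003020101" "3030" "3014" "06082b06010505070301" "06082b06010505070304"
    "a00a" "06082b06010505070303" "0c0c4d7920526f6f742043412031")
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END TRUSTED CERTIFICATE-----\n")
```

Running parse_trusted_pem on the output of the openssl command above shows serverAuth and emailProtection under trust, codeSigning under reject, and in_ca_bundle set to True; a file lacking serverAuth will be left out of ca-bundle.crt.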
There are, however, several other variants of certdata.txt available for use that might be preferred for one reason or another, including all Mozilla products in this book. RedHat and OpenSUSE, for instance, use the version included in . Additional download locations are available at:

Mozilla Release (the version provided by BLFS):
NSS (this is the latest available version):
Mozilla Central:
Mozilla Beta:
Mozilla Aurora:

Contents

Installed Programs: make-ca.sh
Installed Libraries: None
Installed Directories: /etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}

Short Descriptions

make-ca.sh is a shell script that adapts a current version of certdata.txt, and prepares it for use as the system certificate store.