| 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
|---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
|---|
| 5 | %general-entities;
|
|---|
| 6 |
|
|---|
| 7 | <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh">
|
|---|
| 8 | <!ENTITY make-ca-size "4.1 KB">
|
|---|
| 9 | <!ENTITY make-ca-md5sum "487ca7ce6f7b81b3e46362138f93310c">
|
|---|
| 10 | <!ENTITY cacerts-buildsize "1.4 MB">
|
|---|
| 11 | <!ENTITY cacerts-time "0.1 SBU">
|
|---|
| 12 | ]>
|
|---|
| 13 |
|
|---|
| 14 | <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
|
|---|
| 15 | <?dbhtml filename="cacerts.html"?>
|
|---|
| 16 |
|
|---|
| 17 | <sect1info>
|
|---|
| 18 | <othername>$LastChangedBy$</othername>
|
|---|
| 19 | <date>$Date$</date>
|
|---|
| 20 | </sect1info>
|
|---|
| 21 |
|
|---|
| 22 | <title>Certificate Authority Certificates</title>
|
|---|
| 23 |
|
|---|
| 24 | <para>The Public Key Infrastructure is used for many security features in a
|
|---|
| 25 | Linux system. In order for a certificate to be trusted, it must be signed by
|
|---|
| 26 | a trusted agent called a Certificate Authority (CA). The certificates
|
|---|
| 27 | installed in this section are obtained from the Mozilla version control
|
|---|
| 28 | system, and reformatted for use by <xref linkend='openssl'/> and
|
|---|
| 29 | <xref linkend='gnutls'/>. The certificates can also be used by other
|
|---|
| 30 | applications, either directly or indirectly by linking to one of these
|
|---|
| 31 | packages.</para>
|
|---|
| 32 |
|
|---|
| 33 | &lfs7a_checked;
|
|---|
| 34 |
|
|---|
| 35 | <indexterm zone="cacerts">
|
|---|
| 36 | <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
|
|---|
| 37 | </indexterm>
|
|---|
| 38 |
|
|---|
| 39 | <sect2 role="package">
|
|---|
| 40 | <title>Introduction to Certificate Authorities</title>
|
|---|
| 41 |
|
|---|
| 42 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
|---|
| 43 | <itemizedlist spacing="compact">
|
|---|
| 44 | <listitem>
|
|---|
| 45 | <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
|
|---|
| 46 | </listitem>
|
|---|
| 47 | <listitem>
|
|---|
| 48 | <para>Download size: &make-ca-size;</para>
|
|---|
| 49 | </listitem>
|
|---|
| 50 | <listitem>
|
|---|
| 51 | <para>Download MD5 Sum: &make-ca-md5sum;</para>
|
|---|
| 52 | </listitem>
|
|---|
| 53 | <listitem>
|
|---|
| 54 | <para>Estimated disk space required: &cacerts-buildsize;</para>
|
|---|
| 55 | </listitem>
|
|---|
| 56 | <listitem>
|
|---|
| 57 | <para>Estimated build time: &cacerts-time;</para>
|
|---|
| 58 | </listitem>
|
|---|
| 59 | </itemizedlist>
|
|---|
| 60 |
|
|---|
| 61 | <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
|
|---|
| 62 |
|
|---|
| 63 | <bridgehead renderas="sect4">Required</bridgehead>
|
|---|
| 64 | <para role="required"><xref linkend="openssl"/> and
|
|---|
| 65 | <xref linkend="curl"/></para>
|
|---|
| 66 |
|
|---|
| 67 | <para condition="html" role="usernotes">User Notes:
|
|---|
| 68 | <ulink url='&blfs-wiki;/cacerts'/></para>
|
|---|
| 69 | </sect2>
|
|---|
| 70 |
|
|---|
| 71 | <sect2 role="installation">
|
|---|
| 72 | <title>Installation of Certificate Authority Certificates</title>
|
|---|
| 73 |
|
|---|
| 74 | <para>The <application>make-ca.sh</application> script will download a set
|
|---|
| 75 | of certificates from one of five projects (aurora, beta, central, nss, or
|
|---|
| 76 | release) in the Mozialla version control system. It defaults to the release
|
|---|
| 77 | branch, which is identical to the version that ships with the Mozilla
|
|---|
| 78 | products in this book. If you'd like to change the branch that is retrieved,
|
|---|
| 79 | edit the file and set <envar>CERTSOURCE</envar> to one of the five values
|
|---|
| 80 | above.</para>
|
|---|
| 81 |
|
|---|
| 82 | <para>Additionally, any local certificates stored in
|
|---|
| 83 | <filename>/etc/ssl/local</filename> will be copied into both the single-file
|
|---|
| 84 | <filename>/etc/ssl/ca-bundle.crt</filename> (used by programs that link to
|
|---|
| 85 | <application>gnutls</application>), and into the certificate store directory
|
|---|
| 86 | <filename>/etc/ssl/certs</filename> (used by programs that link to
|
|---|
| 87 | <application>OpenSSL</application>). All certificates will pass a date and
|
|---|
| 88 | trust validation, and any existing certificates in
|
|---|
| 89 | <filename>/etc/ssl/ca-bundle.crt</filename> or
|
|---|
| 90 | <filename>/etc/ssl/certs</filename> will be removed upon successful
|
|---|
| 91 | completion of this script.</para>
|
|---|
| 92 |
|
|---|
| 93 | <para>Finally, if you've installed <xref linkend="java"/> or <xref
|
|---|
| 94 | linkend="openjdk"/>, then it will also update the java cacerts file at
|
|---|
| 95 | <filename>/etc/ssl/java/cacerts</filename>.</para>
|
|---|
| 96 |
|
|---|
| 97 | <para>First install the above script into the correct location. As the
|
|---|
| 98 | <systemitem class="username">root</systemitem> user:</para>
|
|---|
| 99 |
|
|---|
| 100 | <screen role="root"><userinput>install -vm750 make-ca.sh /usr/sbin</userinput></screen>
|
|---|
| 101 |
|
|---|
| 102 | <para>As the <systemitem class="username">root</systemitem> user, create the
|
|---|
| 103 | needed directories, and update the certificate store:</para>
|
|---|
| 104 |
|
|---|
| 105 | <screen role="root"><userinput>install -vdm755 /etc/ssl/{certs,java,local} &&
|
|---|
| 106 | /usr/sbin/make-ca.sh
|
|---|
| 107 | </userinput></screen>
|
|---|
| 108 |
|
|---|
| 109 | <para>You should periodically run the <application>make-ca.sh</application>
|
|---|
| 110 | script (as the <systemitem class="username">root</systemitem> user), or as
|
|---|
| 111 | part of a monthly <application>cron</application> job to ensure that you
|
|---|
| 112 | have the latest available version of the certificates.</para>
|
|---|
| 113 |
|
|---|
| 114 | </sect2>
|
|---|
| 115 |
|
|---|
| 116 | <sect2 role="content">
|
|---|
| 117 | <title>Contents</title>
|
|---|
| 118 |
|
|---|
| 119 | <segmentedlist>
|
|---|
| 120 | <segtitle>Installed Programs</segtitle>
|
|---|
| 121 | <segtitle>Installed Libraries</segtitle>
|
|---|
| 122 | <segtitle>Installed Directories</segtitle>
|
|---|
| 123 |
|
|---|
| 124 | <seglistitem>
|
|---|
| 125 | <seg>make-ca.sh</seg>
|
|---|
| 126 | <seg>None</seg>
|
|---|
| 127 | <seg>/etc/ssl/{certs,java,local}</seg>
|
|---|
| 128 | </seglistitem>
|
|---|
| 129 | </segmentedlist>
|
|---|
| 130 |
|
|---|
| 131 | <variablelist>
|
|---|
| 132 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
|---|
| 133 | <?dbfo list-presentation="list"?>
|
|---|
| 134 | <?dbhtml list-presentation="table"?>
|
|---|
| 135 |
|
|---|
| 136 | <varlistentry id="make-ca">
|
|---|
| 137 | <term><command>make-ca.sh</command></term>
|
|---|
| 138 | <listitem>
|
|---|
| 139 | <para>is a shell script that downloads a current verion of
|
|---|
| 140 | <filename>certdata.txt</filename>, and prepares it for use
|
|---|
| 141 | as the system certificate store.</para>
|
|---|
| 142 | <indexterm zone="cacerts make-ca">
|
|---|
| 143 | <primary sortas="b-make-ca">make-ca</primary>
|
|---|
| 144 | </indexterm>
|
|---|
| 145 | </listitem>
|
|---|
| 146 | </varlistentry>
|
|---|
| 147 | </variablelist>
|
|---|
| 148 |
|
|---|
| 149 | </sect2>
|
|---|
| 150 | </sect1>
|
|---|
