1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY certhost "http://mxr.mozilla.org">
|
---|
8 | <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
|
---|
9 | <!ENTITY ca-bundle-download "&sources-anduin-other-http;/certdata.txt">
|
---|
10 | <!ENTITY ca-bundle-size "1.2 MB">
|
---|
11 | <!ENTITY cacerts-buildsize "1.2 MB">
|
---|
12 | <!ENTITY cacerts-time "less than 0.1 SBU">
|
---|
13 | ]>
|
---|
14 |
|
---|
15 | <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
|
---|
16 | <?dbhtml filename="cacerts.html"?>
|
---|
17 |
|
---|
18 | <sect1info>
|
---|
19 | <othername>$LastChangedBy$</othername>
|
---|
20 | <date>$Date$</date>
|
---|
21 | </sect1info>
|
---|
22 |
|
---|
23 | <title>Certificate Authority Certificates</title>
|
---|
24 |
|
---|
25 | <para>The Public Key Inrastructure is used for many security issues in a
|
---|
26 | Linux system. In order for a certificate to be trusted, it must be signed by
|
---|
27 | a trusted agent called a Certificate Authority (CA). The certificates loaded
|
---|
28 | by this section are from the list on the Mozilla version control system and
|
---|
29 | formats it into a form used by <xref linkend='openssl'/>. The certificates
|
---|
30 | can also be used by other applications either directly of indirectly through
|
---|
31 | <application>openssl</application>.</para>
|
---|
32 |
|
---|
33 | &lfs76_checked;
|
---|
34 |
|
---|
35 | <indexterm zone="cacerts">
|
---|
36 | <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
|
---|
37 | </indexterm>
|
---|
38 |
|
---|
39 | <sect2 role="package">
|
---|
40 | <title>Introduction to Certificate Authorities</title>
|
---|
41 |
|
---|
42 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
43 | <itemizedlist spacing="compact">
|
---|
44 | <listitem>
|
---|
45 | <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
|
---|
46 | </listitem>
|
---|
47 | <listitem>
|
---|
48 | <para>CA Bundle size: &ca-bundle-size;</para>
|
---|
49 | </listitem>
|
---|
50 | <listitem>
|
---|
51 | <para>Estimated disk space required: &cacerts-buildsize;</para>
|
---|
52 | </listitem>
|
---|
53 | <listitem>
|
---|
54 | <para>Estimated build time: &cacerts-time;</para>
|
---|
55 | </listitem>
|
---|
56 | </itemizedlist>
|
---|
57 |
|
---|
58 | <note><para>The certfile.txt file above is actually retrieved from <ulink
|
---|
59 | url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
|
---|
60 | It is really an HTML file, but the text file can be retrieved indirectly
|
---|
61 | from the HTML file. The Download URL above automates that process and also
|
---|
62 | adds a line where the date can be extracted as a revision number by the
|
---|
63 | scripts below.</para></note>
|
---|
64 |
|
---|
65 | <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
|
---|
66 |
|
---|
67 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
68 | <para role="required"><xref linkend="openssl"/></para>
|
---|
69 |
|
---|
70 | <bridgehead renderas="sect4">Recommended</bridgehead>
|
---|
71 | <para role="recommended"><xref linkend="wget"/></para>
|
---|
72 |
|
---|
73 | <para condition="html" role="usernotes">User Notes:
|
---|
74 | <ulink url='&blfs-wiki;/cacerts'/></para>
|
---|
75 | </sect2>
|
---|
76 |
|
---|
77 | <sect2 role="installation">
|
---|
78 | <title>Installation of Certificate Authority Certificates</title>
|
---|
79 |
|
---|
80 | <para>First create a script to reformat a certificate into a
|
---|
81 | form needed by <application>openssl</application>. As the <systemitem
|
---|
82 | class="username">root</systemitem> user:</para>
|
---|
83 |
|
---|
84 | <screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF"
|
---|
85 | <literal>#!/usr/bin/perl -w
|
---|
86 |
|
---|
87 | # Used to generate PEM encoded files from Mozilla certdata.txt.
|
---|
88 | # Run as ./make-cert.pl > certificate.crt
|
---|
89 | #
|
---|
90 | # Parts of this script courtesy of RedHat (mkcabundle.pl)
|
---|
91 | #
|
---|
92 | # This script modified for use with single file data (tempfile.cer) extracted
|
---|
93 | # from certdata.txt, taken from the latest version in the Mozilla NSS source.
|
---|
94 | # mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
---|
95 | #
|
---|
96 | # Authors: DJ Lucas
|
---|
97 | # Bruce Dubbs
|
---|
98 | #
|
---|
99 | # Version 20120211
|
---|
100 |
|
---|
101 | my $certdata = './tempfile.cer';
|
---|
102 |
|
---|
103 | open( IN, "cat $certdata|" )
|
---|
104 | || die "could not open $certdata";
|
---|
105 |
|
---|
106 | my $incert = 0;
|
---|
107 |
|
---|
108 | while ( <IN> )
|
---|
109 | {
|
---|
110 | if ( /^CKA_VALUE MULTILINE_OCTAL/ )
|
---|
111 | {
|
---|
112 | $incert = 1;
|
---|
113 | open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
|
---|
114 | || die "could not pipe to openssl x509";
|
---|
115 | }
|
---|
116 |
|
---|
117 | elsif ( /^END/ && $incert )
|
---|
118 | {
|
---|
119 | close( OUT );
|
---|
120 | $incert = 0;
|
---|
121 | print "\n\n";
|
---|
122 | }
|
---|
123 |
|
---|
124 | elsif ($incert)
|
---|
125 | {
|
---|
126 | my @bs = split( /\\/ );
|
---|
127 | foreach my $b (@bs)
|
---|
128 | {
|
---|
129 | chomp $b;
|
---|
130 | printf( OUT "%c", oct($b) ) unless $b eq '';
|
---|
131 | }
|
---|
132 | }
|
---|
133 | }</literal>
|
---|
134 | EOF
|
---|
135 |
|
---|
136 | chmod +x /usr/bin/make-cert.pl</userinput></screen>
|
---|
137 |
|
---|
138 | <para>The following script creates the certificates and a bundle of all the
|
---|
139 | certificates. It creates a <filename class='directory'>./certs</filename>
|
---|
140 | directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
|
---|
141 | create this script as the <systemitem class="username">root</systemitem>
|
---|
142 | user:</para>
|
---|
143 |
|
---|
144 | <screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF"
|
---|
145 | <literal>#!/bin/sh
|
---|
146 | # Begin make-ca.sh
|
---|
147 | # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
|
---|
148 | #
|
---|
149 | # The file certdata.txt must exist in the local directory
|
---|
150 | # Version number is obtained from the version of the data.
|
---|
151 | #
|
---|
152 | # Authors: DJ Lucas
|
---|
153 | # Bruce Dubbs
|
---|
154 | #
|
---|
155 | # Version 20120211
|
---|
156 |
|
---|
157 | certdata="certdata.txt"
|
---|
158 |
|
---|
159 | if [ ! -r $certdata ]; then
|
---|
160 | echo "$certdata must be in the local directory"
|
---|
161 | exit 1
|
---|
162 | fi
|
---|
163 |
|
---|
164 | REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
|
---|
165 |
|
---|
166 | if [ -z "${REVISION}" ]; then
|
---|
167 | echo "$certfile has no 'Revision' in CVS_ID"
|
---|
168 | exit 1
|
---|
169 | fi
|
---|
170 |
|
---|
171 | VERSION=$(echo $REVISION | cut -f2 -d" ")
|
---|
172 |
|
---|
173 | TEMPDIR=$(mktemp -d)
|
---|
174 | TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
|
---|
175 | BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
|
---|
176 | CONVERTSCRIPT="/usr/bin/make-cert.pl"
|
---|
177 | SSLDIR="/etc/ssl"
|
---|
178 |
|
---|
179 | mkdir "${TEMPDIR}/certs"
|
---|
180 |
|
---|
181 | # Get a list of starting lines for each cert
|
---|
182 | CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
|
---|
183 |
|
---|
184 | # Get a list of ending lines for each cert
|
---|
185 | CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
|
---|
186 |
|
---|
187 | # Start a loop
|
---|
188 | for certbegin in ${CERTBEGINLIST}; do
|
---|
189 | for certend in ${CERTENDLIST}; do
|
---|
190 | if test "${certend}" -gt "${certbegin}"; then
|
---|
191 | break
|
---|
192 | fi
|
---|
193 | done
|
---|
194 |
|
---|
195 | # Dump to a temp file with the name of the file as the beginning line number
|
---|
196 | sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
|
---|
197 | done
|
---|
198 |
|
---|
199 | unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
|
---|
200 |
|
---|
201 | mkdir -p certs
|
---|
202 | rm -f certs/* # Make sure the directory is clean
|
---|
203 |
|
---|
204 | for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
---|
205 | # Make sure that the cert is trusted...
|
---|
206 | grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
|
---|
207 | egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
|
---|
208 |
|
---|
209 | if test "${?}" = "0"; then
|
---|
210 | # Throw a meaningful error and remove the file
|
---|
211 | cp "${tempfile}" tempfile.cer
|
---|
212 | perl ${CONVERTSCRIPT} > tempfile.crt
|
---|
213 | keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
---|
214 | echo "Certificate ${keyhash} is not trusted! Removing..."
|
---|
215 | rm -f tempfile.cer tempfile.crt "${tempfile}"
|
---|
216 | continue
|
---|
217 | fi
|
---|
218 |
|
---|
219 | # If execution made it to here in the loop, the temp cert is trusted
|
---|
220 | # Find the cert data and generate a cert file for it
|
---|
221 |
|
---|
222 | cp "${tempfile}" tempfile.cer
|
---|
223 | perl ${CONVERTSCRIPT} > tempfile.crt
|
---|
224 | keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
---|
225 | mv tempfile.crt "certs/${keyhash}.pem"
|
---|
226 | rm -f tempfile.cer "${tempfile}"
|
---|
227 | echo "Created ${keyhash}.pem"
|
---|
228 | done
|
---|
229 |
|
---|
230 | # Remove blacklisted files
|
---|
231 | # MD5 Collision Proof of Concept CA
|
---|
232 | if test -f certs/8f111d69.pem; then
|
---|
233 | echo "Certificate 8f111d69 is not trusted! Removing..."
|
---|
234 | rm -f certs/8f111d69.pem
|
---|
235 | fi
|
---|
236 |
|
---|
237 | # Finally, generate the bundle and clean up.
|
---|
238 | cat certs/*.pem > ${BUNDLE}
|
---|
239 | rm -r "${TEMPDIR}"</literal>
|
---|
240 | EOF
|
---|
241 |
|
---|
242 | chmod +x /usr/bin/make-ca.sh</userinput></screen>
|
---|
243 |
|
---|
244 | <para>Add a short script to remove expired certificates from a directory.
|
---|
245 | Again create this script as the <systemitem
|
---|
246 | class="username">root</systemitem> user:</para>
|
---|
247 |
|
---|
248 | <screen role="root"><userinput>cat > /usr/bin/remove-expired-certs.sh << "EOF"
|
---|
249 | <literal>#!/bin/sh
|
---|
250 | # Begin /usr/bin/remove-expired-certs.sh
|
---|
251 | #
|
---|
252 | # Version 20120211
|
---|
253 |
|
---|
254 | # Make sure the date is parsed correctly on all systems
|
---|
255 | mydate()
|
---|
256 | {
|
---|
257 | local y=$( echo $1 | cut -d" " -f4 )
|
---|
258 | local M=$( echo $1 | cut -d" " -f1 )
|
---|
259 | local d=$( echo $1 | cut -d" " -f2 )
|
---|
260 | local m
|
---|
261 |
|
---|
262 | if [ ${d} -lt 10 ]; then d="0${d}"; fi
|
---|
263 |
|
---|
264 | case $M in
|
---|
265 | Jan) m="01";;
|
---|
266 | Feb) m="02";;
|
---|
267 | Mar) m="03";;
|
---|
268 | Apr) m="04";;
|
---|
269 | May) m="05";;
|
---|
270 | Jun) m="06";;
|
---|
271 | Jul) m="07";;
|
---|
272 | Aug) m="08";;
|
---|
273 | Sep) m="09";;
|
---|
274 | Oct) m="10";;
|
---|
275 | Nov) m="11";;
|
---|
276 | Dec) m="12";;
|
---|
277 | esac
|
---|
278 |
|
---|
279 | certdate="${y}${m}${d}"
|
---|
280 | }
|
---|
281 |
|
---|
282 | OPENSSL=/usr/bin/openssl
|
---|
283 | DIR=/etc/ssl/certs
|
---|
284 |
|
---|
285 | if [ $# -gt 0 ]; then
|
---|
286 | DIR="$1"
|
---|
287 | fi
|
---|
288 |
|
---|
289 | certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
|
---|
290 | today=$( date +%Y%m%d )
|
---|
291 |
|
---|
292 | for cert in $certs; do
|
---|
293 | notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
|
---|
294 | date=$( echo ${notafter} | sed 's/^notAfter=//' )
|
---|
295 | mydate "$date"
|
---|
296 |
|
---|
297 | if [ ${certdate} -lt ${today} ]; then
|
---|
298 | echo "${cert} expired on ${certdate}! Removing..."
|
---|
299 | rm -f "${cert}"
|
---|
300 | fi
|
---|
301 | done</literal>
|
---|
302 | EOF
|
---|
303 |
|
---|
304 | chmod +x /usr/bin/remove-expired-certs.sh</userinput></screen>
|
---|
305 |
|
---|
306 | <para>The following commands will fetch the certificates and convert them to
|
---|
307 | the correct format. If desired, a web browser may be used instead of
|
---|
308 | <application>wget</application> but the file will need to be saved with the
|
---|
309 | name <filename>certdata.txt</filename>. These commands can be repeated as
|
---|
310 | necessary to update the CA Certificates.</para>
|
---|
311 |
|
---|
312 | <screen><userinput>URL=&sources-anduin-other-http;/certdata.txt &&
|
---|
313 | rm -f certdata.txt &&
|
---|
314 | wget $URL &&
|
---|
315 | make-ca.sh &&
|
---|
316 | remove-expired-certs.sh certs &&
|
---|
317 | unset URL</userinput></screen>
|
---|
318 |
|
---|
319 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
320 |
|
---|
321 | <screen role="root"><userinput>SSLDIR=/etc/ssl &&
|
---|
322 | install -d ${SSLDIR}/certs &&
|
---|
323 | cp -v certs/*.pem ${SSLDIR}/certs &&
|
---|
324 | c_rehash &&
|
---|
325 | install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
|
---|
326 | ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
|
---|
327 | unset SSLDIR</userinput></screen>
|
---|
328 |
|
---|
329 | <para>Finally, clean up the current directory:</para>
|
---|
330 |
|
---|
331 | <screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
|
---|
332 |
|
---|
333 | <para>After installing or updating certificates, if OpenJDK is installed,
|
---|
334 | update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
|
---|
335 |
|
---|
336 |
|
---|
337 | </sect2>
|
---|
338 |
|
---|
339 | <sect2 role="content">
|
---|
340 | <title>Contents</title>
|
---|
341 |
|
---|
342 | <segmentedlist>
|
---|
343 | <segtitle>Installed Programs</segtitle>
|
---|
344 | <segtitle>Installed Libraries</segtitle>
|
---|
345 | <segtitle>Installed Directories</segtitle>
|
---|
346 |
|
---|
347 | <seglistitem>
|
---|
348 | <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
|
---|
349 | <seg>None</seg>
|
---|
350 | <seg>/etc/ssl/certs</seg>
|
---|
351 | </seglistitem>
|
---|
352 | </segmentedlist>
|
---|
353 |
|
---|
354 | <variablelist>
|
---|
355 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
356 | <?dbfo list-presentation="list"?>
|
---|
357 | <?dbhtml list-presentation="table"?>
|
---|
358 |
|
---|
359 | <varlistentry id="make-ca">
|
---|
360 | <term><command>make-ca.sh</command></term>
|
---|
361 | <listitem>
|
---|
362 | <para>is a shell script that reformats
|
---|
363 | the <filename>certdata.txt</filename> file for use by
|
---|
364 | <application>openssl</application>.</para>
|
---|
365 | <indexterm zone="cacerts make-ca">
|
---|
366 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
367 | </indexterm>
|
---|
368 | </listitem>
|
---|
369 | </varlistentry>
|
---|
370 |
|
---|
371 | <varlistentry id="make-cert">
|
---|
372 | <term><command>make-cert.pl</command></term>
|
---|
373 | <listitem>
|
---|
374 | <para>is a utility <application>perl</application> script that
|
---|
375 | converts a single binary certificate (.der format) into .pem format.</para>
|
---|
376 | <indexterm zone="cacerts make-cert">
|
---|
377 | <primary sortas="b-make-cert">make-cert</primary>
|
---|
378 | </indexterm>
|
---|
379 | </listitem>
|
---|
380 | </varlistentry>
|
---|
381 |
|
---|
382 | <varlistentry id="remove-expired-certs">
|
---|
383 | <term><command>remove-expired-certs.sh</command></term>
|
---|
384 | <listitem>
|
---|
385 | <para>is a utility <application>perl</application> script that
|
---|
386 | removes expired certificates from a directory. The default
|
---|
387 | directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
|
---|
388 | <indexterm zone="cacerts remove-expired-certs">
|
---|
389 | <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
|
---|
390 | </indexterm>
|
---|
391 | </listitem>
|
---|
392 | </varlistentry>
|
---|
393 | </variablelist>
|
---|
394 |
|
---|
395 | </sect2>
|
---|
396 | </sect1>
|
---|