source: postlfs/security/cacerts.xml@ 92dea9ae

10.0 10.1 11.0 11.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind lazarus perl-modules qt5new trunk upgradedb xry111/intltool xry111/test-20220226
Last change on this file since 92dea9ae was 92dea9ae, checked in by DJ Lucas <dj@…>, 5 years ago

Update to make-ca-0.6.
Update to Systemd-235.
Update to D-Bus-1.10.24. Fixes #9817.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@19333 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 9.9 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY certhost "https://hg.mozilla.org/">
8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
9 <!ENTITY cacerts-buildsize "6.5 MB (with all runtime deps)">
10 <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)">
11
12 <!ENTITY make-ca-download "https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz">
13 <!ENTITY make-ca-size "36 KB">
14 <!ENTITY make-ca-md5sum "851f9e267f343c54db8caa87ec5b3d75">
15]>
16
17<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
18 <?dbhtml filename="cacerts.html"?>
19
20 <sect1info>
21 <othername>$LastChangedBy$</othername>
22 <date>$Date$</date>
23 </sect1info>
24
25 <title>Certificate Authority Certificates</title>
26
27 <para>Public Key Infrastructure (PKI) is a method to validate the
28 authenticity of an otherwise unknown entity across untrusted networks. PKI
29 works by establishing a chain of trust, rather than trusting each individual
30 host or entity explicitly. In order for a certificate presented by a remote
31 entity to be trusted, that certificate must present a complete chain of
32 certificates that can be validated using the root certificate of a
33 Certificate Authority (CA) that is trusted by the local machine.</para>
34
35 <para>Establishing trust with a CA involves validating things like company
36 address, ownership, contact information, etc., and ensuring that the CA has
37 followed best practices, such as undergoing periodic security audits by
38 independent investigators and maintaining an always available certificate
39 revocation list. This is well outside the scope of BLFS (as it is for most
40 Linux distributions). The certificate store provided here is taken from the
41 Mozilla Foundation, who have established very strict inclusion policies
42 described
43 <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para>
44
45 &lfs81_checked;
46
47 <indexterm zone="cacerts">
48 <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
49 </indexterm>
50
51 <sect2 role="package">
52 <title>Introduction to Certificate Authorities</title>
53
54 <bridgehead renderas="sect3">Package Information</bridgehead>
55 <itemizedlist spacing="compact">
56 <listitem>
57 <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
58 </listitem>
59 <listitem>
60 <para>Download size: &make-ca-size;</para>
61 </listitem>
62 <listitem>
63 <para>Download MD5 Sum: &make-ca-md5sum;</para>
64 </listitem>
65 <listitem>
66 <para>Estimated disk space required: &cacerts-buildsize;</para>
67 </listitem>
68 <listitem>
69 <para>Estimated build time: &cacerts-time;</para>
70 </listitem>
71 </itemizedlist>
72
73 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
74
75 <bridgehead renderas="sect4">Required</bridgehead>
76 <para role="required"><xref linkend="openssl"/></para>
77
78 <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
79 <para role="optional">
80 <xref role="runtime" linkend="java"/> or
81 <xref role="runtime" linkend="openjdk"/>,
82 <xref role="runtime" linkend="nss"/>, and
83 <xref role="runtime" linkend="p11-kit"/>
84 </para>
85
86 <para condition="html" role="usernotes">User Notes:
87 <ulink url='&blfs-wiki;/cacerts'/></para>
88 </sect2>
89
90 <sect2 role="installation">
91 <title>Installation of Certificate Authority Certificates</title>
92
93 <para>The <application>make-ca</application> script will download and
94 process the certificates included in the <filename>certdata.txt</filename>
95 file for use in multiple certificate stores (if the associated applications
96 are present on the system). Additionally, any local certificates stored in
97 <filename>/etc/ssl/local</filename> will be imported to the certificate
98 stores. Certificates in this directory should be stored as PEM encoded
99 <application>OpenSSL</application> trusted certificates.</para>
100
101 <para>To create an <application>OpenSSL</application> trusted certificate
102 from a regular PEM encoded file, you need to add trust arguments to the
103 <command>openssl</command> command, and create a new certificate. There are
104 three trust types that are recognized by the
105 <application>make-ca</application> script, SSL/TLS, S/Mime, and code
106 signing. For example, using the
107 <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
108 trust both for all three roles, the following commands will create
109 appropriate OpenSSL trusted certificates:</para>
110
111<screen role="root"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
112wget http://www.cacert.org/certs/root.crt &amp;&amp;
113wget http://www.cacert.org/certs/class3.crt &amp;&amp;
114openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
115 -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
116 > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
117openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
118 -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
119 > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
120
121 <para>If one of the three trust arguments is omitted, the certificate is
122 neither trusted, nor rejected for that role. Clients that use
123 <application>OpenSSL</application> or <application>NSS</application>
124 encountering this certificate will present a warning to the user. Clients
125 using <application>GnuTLS</application> without
126 <application>p11-kit</application> support are not aware of trusted
127 certificates. To include this CA into the ca-bundle.crt (used for
128 <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
129 trust. Additionally, to explicitly disallow a certificate for a particular
130 use, replace the <parameter>-addtrust</parameter> flag with the
131 <parameter>-addreject</parameter> flag.</para>
132
133 <para>To install the various certificate stores, first install the
134 <application>make-ca</application> script into the correct location.
135 As the <systemitem class="username">root</systemitem> user:</para>
136
137<screen role="root"><userinput>make install</userinput></screen>
138
139 <para>As the <systemitem class="username">root</systemitem> user, download
140 and update the certificate stores with the following command:</para>
141
142 <note>
143 <para>If running the script a second time with the same version of
144 <filename>certdata.txt</filename>, for instance, to add additional stores
145 as the requisite software is installed, add the <parameter>-f</parameter>
146 switch to the command line. If packaging, run <command>make-ca
147 --help</command> to see all available command line options.</para>
148 </note>
149
150<screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
151
152 <para>You should periodically update the store with the above command
153 either manually, or via a <phrase revision="sysv">cron job.</phrase>
154 <phrase revision="systemd">systemd timer. A timer is installed at
155 <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
156 will check for updates weekly.</phrase></para>
157
158 <para>The default <filename>certdata.txt</filename> file provided by make-ca
159 is obtained from the mozilla-release branch, and is modified to provide a
160 Mercurial revision. This will be the correct version for most
161 systems. There are, however, several other variants of the file available
162 for use that might be preferred for one reason or another, including the
163 files shipped with Mozilla products in this book. RedHat and OpenSUSE,
164 for instance, use the version included in <xref linkend="nss"/>. Additional
165 upstream downloads are available at the links below.</para>
166
167 <itemizedlist spacing="compact">
168 <listitem>
169 <para>Mozilla Release (the version provided by BLFS):
170 <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
171 </para>
172 </listitem>
173 <listitem>
174 <para>NSS (this is the latest available version):
175 <ulink url="&certhost;projects/nss/raw-file/tip&certpath;"/>
176 </para>
177 </listitem>
178 <listitem>
179 <para>Mozilla Central:
180 <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
181 </para>
182 </listitem>
183 <listitem>
184 <para>Mozilla Beta:
185 <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
186 </para>
187 </listitem>
188 <listitem>
189 <para>Mozilla Aurora:
190 <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
191 </para>
192 </listitem>
193 </itemizedlist>
194
195 </sect2>
196
197 <sect2 role="content">
198 <title>Contents</title>
199
200 <segmentedlist>
201 <segtitle>Installed Programs</segtitle>
202 <segtitle>Installed Libraries</segtitle>
203 <segtitle>Installed Directories</segtitle>
204
205 <seglistitem>
206 <seg>make-ca</seg>
207 <seg>None</seg>
208 <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
209 </seglistitem>
210 </segmentedlist>
211
212 <variablelist>
213 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
214 <?dbfo list-presentation="list"?>
215 <?dbhtml list-presentation="table"?>
216
217 <varlistentry id="make-ca">
218 <term><command>make-ca</command></term>
219 <listitem>
220 <para>is a shell script that adapts a current version of
221 <filename>certdata.txt</filename>, and prepares it for use
222 as the system certificate store.</para>
223 <indexterm zone="cacerts make-ca">
224 <primary sortas="b-make-ca">make-ca</primary>
225 </indexterm>
226 </listitem>
227 </varlistentry>
228 </variablelist>
229
230 </sect2>
231</sect1>
Note: See TracBrowser for help on using the repository browser.