1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY certhost "https://hg.mozilla.org/">
|
---|
8 | <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
|
---|
9 | <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
|
---|
10 | <!ENTITY ca-bundle-size "1.6 MB">
|
---|
11 | <!ENTITY cacerts-buildsize "6.5 MB (with all runtime deps)">
|
---|
12 | <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)">
|
---|
13 |
|
---|
14 | <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh-&make-ca-version;">
|
---|
15 | <!ENTITY make-ca-size "24 KB">
|
---|
16 | <!ENTITY make-ca-md5sum "a21a04d6ff5c4645c748220dbaa9f221">
|
---|
17 | ]>
|
---|
18 |
|
---|
19 | <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
|
---|
20 | <?dbhtml filename="cacerts.html"?>
|
---|
21 |
|
---|
22 | <sect1info>
|
---|
23 | <othername>$LastChangedBy$</othername>
|
---|
24 | <date>$Date$</date>
|
---|
25 | </sect1info>
|
---|
26 |
|
---|
27 | <title>Certificate Authority Certificates</title>
|
---|
28 |
|
---|
29 | <para>Public Key Infrastructure (PKI) is a method to validate the
|
---|
30 | authenticity of an otherwise unknown entity across untrusted networks. PKI
|
---|
31 | works by establishing a chain of trust, rather than trusting each individual
|
---|
32 | host or entity explicitly. In order for a certificate presented by a remote
|
---|
33 | entity to be trusted, that certificate must present a complete chain of
|
---|
34 | certificates that can be validated using the root certificate of a
|
---|
35 | Certificate Authority (CA) that is trusted by the local machine.</para>
|
---|
36 |
|
---|
37 | <para>Establishing trust with a CA involves validating things like company
|
---|
38 | address, ownership, contact information, etc., and ensuring that the CA has
|
---|
39 | followed best practices, such as undergoing periodic security audits by
|
---|
40 | independent investigators and maintaining an always available certificate
|
---|
41 | revocation list. This is well outside the scope of BLFS (as it is for most
|
---|
42 | Linux distributions). The certificate store provided here is taken from the
|
---|
43 | Mozilla Foundation, who have established very strict inclusion policies
|
---|
44 | described
|
---|
45 | <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para>
|
---|
46 |
|
---|
47 | &lfs80_checked;
|
---|
48 |
|
---|
49 | <indexterm zone="cacerts">
|
---|
50 | <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
|
---|
51 | </indexterm>
|
---|
52 |
|
---|
53 | <sect2 role="package">
|
---|
54 | <title>Introduction to Certificate Authorities</title>
|
---|
55 |
|
---|
56 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
57 | <itemizedlist spacing="compact">
|
---|
58 | <listitem>
|
---|
59 | <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
|
---|
60 | </listitem>
|
---|
61 | <listitem>
|
---|
62 | <para>Download size: &make-ca-size;</para>
|
---|
63 | </listitem>
|
---|
64 | <listitem>
|
---|
65 | <para>Download MD5 Sum: &make-ca-md5sum;</para>
|
---|
66 | </listitem>
|
---|
67 | <listitem>
|
---|
68 | <para>Estimated disk space required: &cacerts-buildsize;</para>
|
---|
69 | </listitem>
|
---|
70 | <listitem>
|
---|
71 | <para>Estimated build time: &cacerts-time;</para>
|
---|
72 | </listitem>
|
---|
73 | </itemizedlist>
|
---|
74 |
|
---|
75 |
|
---|
76 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
77 | <itemizedlist spacing="compact">
|
---|
78 | <listitem>
|
---|
79 | <para>
|
---|
80 | CA Certificates
|
---|
81 | <ulink url="&ca-bundle-download;"/>
|
---|
82 | </para>
|
---|
83 | </listitem>
|
---|
84 | </itemizedlist>
|
---|
85 |
|
---|
86 | <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
|
---|
87 |
|
---|
88 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
89 | <para role="required"><xref linkend="openssl"/></para>
|
---|
90 |
|
---|
91 | <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
|
---|
92 | <para role="optional">
|
---|
93 | <xref linkend="java"/> or <xref linkend="openjdk"/>,
|
---|
94 | <xref linkend="nss"/>, and
|
---|
95 | <xref linkend="p11-kit"/></para>
|
---|
96 |
|
---|
97 | <para condition="html" role="usernotes">User Notes:
|
---|
98 | <ulink url='&blfs-wiki;/cacerts'/></para>
|
---|
99 | </sect2>
|
---|
100 |
|
---|
101 | <sect2 role="installation">
|
---|
102 | <title>Installation of Certificate Authority Certificates</title>
|
---|
103 |
|
---|
104 | <para>The <application>make-ca.sh</application> script will process the
|
---|
105 | certificates included in the <filename>certdata.txt</filename> file
|
---|
106 | for use in multiple certificate stores (if the associated applications are
|
---|
107 | present on the system). Additionally, any local certificates stored in
|
---|
108 | <filename>/etc/ssl/local</filename> will be imported to the certificate
|
---|
109 | stores. Certificates in this directory should be stored as PEM encoded
|
---|
110 | <application>OpenSSL</application> trusted certificates.</para>
|
---|
111 |
|
---|
112 | <para>To create an <application>OpenSSL</application> trusted certificate
|
---|
113 | from a regular PEM encoded file, provided by a CA not included in Mozilla's
|
---|
114 | certificate distribution, you need to add trust arguments to the
|
---|
115 | <command>openssl</command> command, and create a new certificate. There are
|
---|
116 | three trust types that are recognized by the
|
---|
117 | <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
|
---|
118 | signing. For example, using the
|
---|
119 | <ulink url="http://www.cacert.org/">CAcert</ulink> root, if you want it to
|
---|
120 | be trusted for all three roles, the following commands will create an
|
---|
121 | appropriate OpenSSL trusted certificate:</para>
|
---|
122 |
|
---|
123 | <screen role="root"><userinput>install -vdm755 /etc/ssl/local &&
|
---|
124 | wget http://www.cacert.org/certs/root.crt &&
|
---|
125 | openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
---|
126 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
127 | > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen>
|
---|
128 |
|
---|
129 | <para>If one of the three trust arguments is omitted, the certificate is
|
---|
130 | neither trusted, nor rejected for that role. Clients that use
|
---|
131 | <application>OpenSSL</application> or <application>NSS</application>
|
---|
132 | encountering this certificate will present a warning to the user. Clients
|
---|
133 | using <application>GnuTLS</application> without
|
---|
134 | <application>p11-kit</application> support are not aware of trusted
|
---|
135 | certificates. To include this CA into the ca-bundle.crt (used for
|
---|
136 | <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
|
---|
137 | trust. Additionally, to explicitly disallow a certificate for a particular
|
---|
138 | use, replace the <parameter>-addtrust</parameter> flag with the
|
---|
139 | <parameter>-addreject</parameter> flag.</para>
|
---|
140 |
|
---|
141 | <para>To install the various certificate stores, first install the
|
---|
142 | <application>make-ca.sh</application> script into the correct location.
|
---|
143 | As the <systemitem class="username">root</systemitem> user:</para>
|
---|
144 |
|
---|
145 | <screen role="root"><userinput>install -vm755 make-ca.sh-&make-ca-version; /usr/sbin/make-ca.sh</userinput></screen>
|
---|
146 |
|
---|
147 | <para>As the <systemitem class="username">root</systemitem> user, make sure
|
---|
148 | that certdata.txt is in the current directory, and update the certificate
|
---|
149 | stores with the following command:</para>
|
---|
150 |
|
---|
151 | <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
|
---|
152 |
|
---|
153 | <para>You should periodically download a copy of
|
---|
154 | <filename>certdata.txt</filename> and run the
|
---|
155 | <application>make-ca.sh</application> script (as the
|
---|
156 | <systemitem class="username">root</systemitem> user), or as part of a
|
---|
157 | monthly <application>cron</application> job to ensure that you have the
|
---|
158 | latest available version of the certificates.</para>
|
---|
159 |
|
---|
160 | <note>
|
---|
161 | <para>If running the script a second time with the same version of
|
---|
162 | <filename>certdata.txt</filename>, for instance, to add additional stores
|
---|
163 | as the requisite software is installed, add the <parameter>-f</parameter>
|
---|
164 | switch to the command line. If packaging, run <command>make-ca.sh
|
---|
165 | --help</command> to see all available command line options.</para>
|
---|
166 | </note>
|
---|
167 |
|
---|
168 | <para>The <filename>certdata.txt</filename> file provided by BLFS is
|
---|
169 | obtained from the mozilla-release branch, and is modified to provide a
|
---|
170 | simple dated revision. This will be the correct version for most
|
---|
171 | systems. There are, however, several other variants of the file available
|
---|
172 | for use that might be preferred for one reason or another, including the
|
---|
173 | files shipped with Mozilla products in this book. RedHat and OpenSUSE,
|
---|
174 | for instance, use the version included in <xref linkend="nss"/>. Additional
|
---|
175 | upstream downloads are available at the links below.</para>
|
---|
176 |
|
---|
177 | <itemizedlist spacing="compact">
|
---|
178 | <listitem>
|
---|
179 | <para>Mozilla Release (the version provided by BLFS):
|
---|
180 | <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
|
---|
181 | </para>
|
---|
182 | </listitem>
|
---|
183 | <listitem>
|
---|
184 | <para>NSS (this is the latest available version):
|
---|
185 | <ulink url="&certhost;projects/nss/raw-file/tip&certpath;"/>
|
---|
186 | </para>
|
---|
187 | </listitem>
|
---|
188 | <listitem>
|
---|
189 | <para>Mozilla Central:
|
---|
190 | <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
|
---|
191 | </para>
|
---|
192 | </listitem>
|
---|
193 | <listitem>
|
---|
194 | <para>Mozilla Beta:
|
---|
195 | <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
|
---|
196 | </para>
|
---|
197 | </listitem>
|
---|
198 | <listitem>
|
---|
199 | <para>Mozilla Aurora:
|
---|
200 | <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
|
---|
201 | </para>
|
---|
202 | </listitem>
|
---|
203 | </itemizedlist>
|
---|
204 |
|
---|
205 | </sect2>
|
---|
206 |
|
---|
207 | <sect2 role="content">
|
---|
208 | <title>Contents</title>
|
---|
209 |
|
---|
210 | <segmentedlist>
|
---|
211 | <segtitle>Installed Programs</segtitle>
|
---|
212 | <segtitle>Installed Libraries</segtitle>
|
---|
213 | <segtitle>Installed Directories</segtitle>
|
---|
214 |
|
---|
215 | <seglistitem>
|
---|
216 | <seg>make-ca.sh</seg>
|
---|
217 | <seg>None</seg>
|
---|
218 | <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
|
---|
219 | </seglistitem>
|
---|
220 | </segmentedlist>
|
---|
221 |
|
---|
222 | <variablelist>
|
---|
223 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
224 | <?dbfo list-presentation="list"?>
|
---|
225 | <?dbhtml list-presentation="table"?>
|
---|
226 |
|
---|
227 | <varlistentry id="make-ca">
|
---|
228 | <term><command>make-ca.sh</command></term>
|
---|
229 | <listitem>
|
---|
230 | <para>is a shell script that adapts a current version of
|
---|
231 | <filename>certdata.txt</filename>, and prepares it for use
|
---|
232 | as the system certificate store.</para>
|
---|
233 | <indexterm zone="cacerts make-ca">
|
---|
234 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
235 | </indexterm>
|
---|
236 | </listitem>
|
---|
237 | </varlistentry>
|
---|
238 | </variablelist>
|
---|
239 |
|
---|
240 | </sect2>
|
---|
241 | </sect1>
|
---|