[c9b953e6] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
[4a16903] | 7 | <!ENTITY certhost "https://hg.mozilla.org/">
|
---|
| 8 | <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
|
---|
[2198a32] | 9 | <!ENTITY make-ca-buildsize "6.6 MB (with all runtime deps)">
|
---|
[c1cd435e] | 10 | <!ENTITY make-ca-time "0.1 SBU (with all runtime deps)">
|
---|
[4a16903] | 11 |
|
---|
[5c3f3856] | 12 | <!ENTITY make-ca-download "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
|
---|
[810753b0] | 13 | <!ENTITY make-ca-size "28.5 KB">
|
---|
| 14 | <!ENTITY make-ca-md5sum "e0356f5ae5623f227a3f69b5e8848ec6">
|
---|
[c9b953e6] | 15 | ]>
|
---|
| 16 |
|
---|
[697e6ca5] | 17 | <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
|
---|
[2198a32] | 18 | <?dbhtml filename="make-ca.html"?>
|
---|
[c9b953e6] | 19 |
|
---|
| 20 | <sect1info>
|
---|
| 21 | <othername>$LastChangedBy$</othername>
|
---|
| 22 | <date>$Date$</date>
|
---|
| 23 | </sect1info>
|
---|
| 24 |
|
---|
[697e6ca5] | 25 | <title>make-ca-&make-ca-version;</title>
|
---|
[2198a32] | 26 | <indexterm zone="make-ca">
|
---|
| 27 | <primary sortas="a-make-ca">make-ca</primary>
|
---|
[c9b953e6] | 28 | </indexterm>
|
---|
| 29 |
|
---|
| 30 | <sect2 role="package">
|
---|
[2198a32] | 31 | <title>Introduction to make-ca</title>
|
---|
[c9b953e6] | 32 |
|
---|
[697e6ca5] | 33 | <para>
|
---|
| 34 | Public Key Infrastructure (PKI) is a method to validate the authenticity
|
---|
| 35 | of an otherwise unknown entity across untrusted networks. PKI works by
|
---|
| 36 | establishing a chain of trust, rather than trusting each individual host
|
---|
| 37 | or entity explicitly. In order for a certificate presented by a remote
|
---|
| 38 | entity to be trusted, that certificate must present a complete chain of
|
---|
| 39 | certificates that can be validated using the root certificate of a
|
---|
| 40 | Certificate Authority (CA) that is trusted by the local machine.
|
---|
| 41 | </para>
|
---|
| 42 |
|
---|
| 43 | <para>
|
---|
| 44 | Establishing trust with a CA involves validating things like company
|
---|
| 45 | address, ownership, contact information, etc., and ensuring that the CA
|
---|
| 46 | has followed best practices, such as undergoing periodic security audits
|
---|
| 47 | by independent investigators and maintaining an always available
|
---|
| 48 | certificate revocation list. This is well outside the scope of BLFS (as
|
---|
| 49 | it is for most Linux distributions). The certificate store provided here
|
---|
| 50 | is taken from the Mozilla Foundation, who have established very strict
|
---|
| 51 | inclusion policies described <ulink
|
---|
| 52 | url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.
|
---|
| 53 | </para>
|
---|
| 54 |
|
---|
[9873d1ea] | 55 | &lfs10_checked;
|
---|
[697e6ca5] | 56 |
|
---|
| 57 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
[c9b953e6] | 58 | <itemizedlist spacing="compact">
|
---|
| 59 | <listitem>
|
---|
[47274444] | 60 | <para>
|
---|
| 61 | Download (HTTP): <ulink url="&make-ca-download;"/>
|
---|
| 62 | </para>
|
---|
[c9b953e6] | 63 | </listitem>
|
---|
| 64 | <listitem>
|
---|
[47274444] | 65 | <para>
|
---|
| 66 | Download size: &make-ca-size;
|
---|
| 67 | </para>
|
---|
[30b7db74] | 68 | </listitem>
|
---|
| 69 | <listitem>
|
---|
[47274444] | 70 | <para>
|
---|
| 71 | Download MD5 Sum: &make-ca-md5sum;
|
---|
| 72 | </para>
|
---|
[c9b953e6] | 73 | </listitem>
|
---|
| 74 | <listitem>
|
---|
[47274444] | 75 | <para>
|
---|
| 76 | Estimated disk space required: &make-ca-buildsize;
|
---|
| 77 | </para>
|
---|
[c9b953e6] | 78 | </listitem>
|
---|
| 79 | <listitem>
|
---|
[47274444] | 80 | <para>
|
---|
| 81 | Estimated build time: &make-ca-time;
|
---|
| 82 | </para>
|
---|
[c9b953e6] | 83 | </listitem>
|
---|
| 84 | </itemizedlist>
|
---|
| 85 |
|
---|
[2198a32] | 86 | <bridgehead renderas="sect3">make-ca Dependencies</bridgehead>
|
---|
[c1cd435e] | 87 |
|
---|
[95378e8] | 88 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[47274444] | 89 | <para role="required">
|
---|
| 90 | <xref linkend="p11-kit"/> (required at runtime to
|
---|
| 91 | generate certificate stores from trust anchors)
|
---|
| 92 | </para>
|
---|
[95378e8] | 93 | <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs -->
|
---|
[c1cd435e] | 94 |
|
---|
[4a16903] | 95 | <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
|
---|
| 96 | <para role="optional">
|
---|
[21a08bf] | 97 | <xref role="runtime" linkend="nss"/> (to generate a shared NSSDB)
|
---|
[96e9478] | 98 | </para>
|
---|
[c9b953e6] | 99 |
|
---|
| 100 | <para condition="html" role="usernotes">User Notes:
|
---|
[2198a32] | 101 | <ulink url='&blfs-wiki;/make-ca'/></para>
|
---|
[c9b953e6] | 102 | </sect2>
|
---|
| 103 |
|
---|
| 104 | <sect2 role="installation">
|
---|
[2198a32] | 105 | <title>Installation of make-ca</title>
|
---|
[c9b953e6] | 106 |
|
---|
[47274444] | 107 | <para>
|
---|
| 108 | The <application>make-ca</application> script will download and process
|
---|
| 109 | the certificates included in the <filename>certdata.txt</filename> file
|
---|
| 110 | for use as trust anchors for the <xref linkend="p11-kit"/> trust module.
|
---|
| 111 | Additionally, it will generate system certificate stores used by BLFS
|
---|
| 112 | applications (if the recommended and optional applications are present
|
---|
| 113 | on the system). Any local certificates stored in
|
---|
| 114 | <filename>/etc/ssl/local</filename> will be imported to both the trust
|
---|
| 115 | anchors and the generated certificate stores (overriding Mozilla's
|
---|
| 116 | trust). Additionally, any modified trust values will be copied from the
|
---|
| 117 | trust anchors to <filename>/etc/ssl/local</filename> prior to any
|
---|
| 118 | updates, preserving custom trust values that differ from Mozilla when
|
---|
| 119 | using the <command>trust</command> utility from
|
---|
| 120 | <application>p11-kit</application> to operate on the trust store.
|
---|
| 121 | </para>
|
---|
| 122 |
|
---|
| 123 | <para>
|
---|
| 124 | To install the various certificate stores, first install the
|
---|
| 125 | <application>make-ca</application> script into the correct location.
|
---|
| 126 | As the <systemitem class="username">root</systemitem> user:
|
---|
| 127 | </para>
|
---|
[4a16903] | 128 |
|
---|
[254e3bf] | 129 | <screen role="root"><userinput>make install &&
|
---|
| 130 | install -vdm755 /etc/ssl/local</userinput></screen>
|
---|
[4a16903] | 131 |
|
---|
[47274444] | 132 | <para>
|
---|
| 133 | As the <systemitem class="username">root</systemitem> user, after
|
---|
| 134 | installing <xref linkend="p11-kit"/>, download the certificate source and
|
---|
| 135 | prepare for system use with the following command:
|
---|
| 136 | </para>
|
---|
[4a16903] | 137 |
|
---|
[a90ec5a7] | 138 | <note>
|
---|
[47274444] | 139 | <para>
|
---|
| 140 | If running the script a second time with the same version of
|
---|
| 141 | <filename>certdata.txt</filename>, for instance, to add additional
|
---|
| 142 | stores as the requisite software is installed, add the
|
---|
| 143 | <parameter>-r</parameter> switch to the command line. If packaging,
|
---|
| 144 | run <command>make-ca --help</command> to see all available command
|
---|
| 145 | line options.
|
---|
| 146 | </para>
|
---|
[a90ec5a7] | 147 | </note>
|
---|
| 148 |
|
---|
[729e458] | 149 | <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
|
---|
[4a16903] | 150 |
|
---|
[47274444] | 151 | <para>
|
---|
| 152 | You should periodically update the store with the above command,
|
---|
| 153 | either manually, or via a <phrase revision="sysv">cron job.</phrase>
|
---|
| 154 | <phrase revision="systemd">systemd timer. A timer is installed at
|
---|
| 155 | <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
|
---|
| 156 | enabled, will check for updates weekly.</phrase><phrase
|
---|
| 157 | revision="sysv">If you've installed <xref linkend="fcron"/> and
|
---|
[914dd13] | 158 | completed the section on periodic jobs, execute</phrase> <phrase
|
---|
[47274444] | 159 | revision="systemd">Execute</phrase> the following commands, as the
|
---|
| 160 | <systemitem class="username">root</systemitem> user, to <phrase
|
---|
| 161 | revision="sysv">create a weekly cron job:</phrase><phrase
|
---|
| 162 | revision="systemd">enable the systemd timer:</phrase>
|
---|
[02e3bbc8] | 163 | </para>
|
---|
| 164 |
|
---|
[914dd13] | 165 | <screen role="nodump" revision="sysv"><userinput>cat > /etc/cron.weekly/update-pki.sh << "EOF" &&
|
---|
[02e3bbc8] | 166 | <literal>#!/bin/bash
|
---|
| 167 | /usr/sbin/make-ca -g</literal>
|
---|
| 168 | EOF
|
---|
| 169 | chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>
|
---|
| 170 |
|
---|
| 171 | <screen role="root" revision="systemd"><userinput>systemctl enable update-pki.timer</userinput></screen>
|
---|
[4a16903] | 172 |
|
---|
[5c3f3856] | 173 | </sect2>
|
---|
[4a16903] | 174 |
|
---|
[5c3f3856] | 175 | <sect2 role="configuration" id="make-ca-config">
|
---|
| 176 | <title>Configuring make-ca</title>
|
---|
| 177 |
|
---|
[47274444] | 178 | <para>
|
---|
| 179 | For most users, no additional configuration is necessary, however,
|
---|
| 180 | the default <filename>certdata.txt</filename> file provided by make-ca
|
---|
| 181 | is obtained from the mozilla-release branch, and is modified to provide a
|
---|
| 182 | Mercurial revision. This will be the correct version for most systems.
|
---|
| 183 | There are several other variants of the file available for use that might
|
---|
| 184 | be preferred for one reason or another, including the files shipped with
|
---|
| 185 | Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
|
---|
| 186 | version included in <xref linkend="nss"/>. Additional upstream downloads
|
---|
| 187 | are available at the links included in
|
---|
| 188 | <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
|
---|
| 189 | <filename>/etc/make-ca.conf</filename> and edit as appropriate.
|
---|
| 190 | </para>
|
---|
[5c3f3856] | 191 |
|
---|
| 192 | <indexterm zone="make-ca make-ca-config">
|
---|
| 193 | <primary sortas="e-etc-make-ca-conf">/etc/make-ca.conf</primary>
|
---|
| 194 | </indexterm>
|
---|
[8b9034a] | 195 |
|
---|
[638a6a4] | 196 | <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
|
---|
| 197 |
|
---|
[47274444] | 198 | <para>
|
---|
| 199 | There are three trust types that are recognized by the
|
---|
| 200 | <application>make-ca</application> script, SSL/TLS, S/Mime, and code
|
---|
| 201 | signing. For <application>OpenSSL</application>, these are
|
---|
| 202 | <parameter>serverAuth</parameter>,
|
---|
| 203 | <parameter>emailProtection</parameter>, and
|
---|
| 204 | <parameter>codeSigning</parameter> respectively. If one of the three
|
---|
| 205 | trust arguments is omitted, the certificate is neither trusted, nor
|
---|
| 206 | rejected for that role. Clients that use
|
---|
| 207 | <application>OpenSSL</application> or <application>NSS</application>
|
---|
| 208 | encountering this certificate will present a warning to the user.
|
---|
| 209 | Clients using
|
---|
| 210 | <application>GnuTLS</application> without
|
---|
| 211 | <application>p11-kit</application> support are not aware of trusted
|
---|
| 212 | certificates. To include this CA into the
|
---|
| 213 | <filename>ca-bundle.crt</filename>,
|
---|
| 214 | <filename>email-ca-bundle.crt</filename>, or
|
---|
| 215 | <filename>objsign-ca-bundle.crt</filename> files
|
---|
| 216 | (the <application>GnuTLS</application> legacy bundles), it must have the
|
---|
| 217 | appropriate trust arguments.
|
---|
| 218 | </para>
|
---|
[638a6a4] | 219 |
|
---|
| 220 | <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
|
---|
| 221 |
|
---|
[47274444] | 222 | <para>
|
---|
| 223 | The <filename class="directory">/etc/ssl/local</filename> directory
|
---|
| 224 | is available to add additional CA certificates to the system. For
|
---|
| 225 | instance, you might need to add an organization or government CA
|
---|
| 226 | certificate. Files in this directory must be in the
|
---|
| 227 | <application>OpenSSL</application> trusted certificate format. To
|
---|
| 228 | create an <application>OpenSSL</application> trusted certificate from
|
---|
| 229 | a regular PEM encoded file, you need to add trust arguments to the
|
---|
| 230 | <command>openssl</command> command, and create a new certificate. For
|
---|
| 231 | example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
|
---|
| 232 | roots, if you want to trust both for all three roles, the following
|
---|
| 233 | commands will create appropriate OpenSSL trusted certificates (run as
|
---|
| 234 | the <systemitem class="username">root</systemitem> user after <xref
|
---|
| 235 | linkend="wget"/> is installed):
|
---|
| 236 | </para>
|
---|
[638a6a4] | 237 |
|
---|
[254e3bf] | 238 | <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &&
|
---|
[638a6a4] | 239 | wget http://www.cacert.org/certs/class3.crt &&
|
---|
| 240 | openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
---|
| 241 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
| 242 | > /etc/ssl/local/CAcert_Class_1_root.pem &&
|
---|
| 243 | openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
|
---|
| 244 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
[254e3bf] | 245 | > /etc/ssl/local/CAcert_Class_3_root.pem &&
|
---|
| 246 | /usr/sbin/make-ca -r -f</userinput></screen>
|
---|
[638a6a4] | 247 |
|
---|
| 248 | <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
|
---|
| 249 |
|
---|
[47274444] | 250 | <para>
|
---|
| 251 | Occasionally, there may be instances where you don't agree with
|
---|
| 252 | Mozilla's inclusion of a particular certificate authority. If you'd like
|
---|
| 253 | to override the default trust of a particular CA, simply create a copy of
|
---|
| 254 | the existing certificate in <filename
|
---|
| 255 | class="directory">/etc/ssl/local</filename> with different trust
|
---|
| 256 | arguments. For example, if you'd like to distrust the
|
---|
| 257 | "Makebelieve_CA_Root" file, run the following commands:
|
---|
| 258 | </para>
|
---|
[638a6a4] | 259 |
|
---|
[254e3bf] | 260 | <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
|
---|
[638a6a4] | 261 | -text \
|
---|
[92897c03] | 262 | -fingerprint \
|
---|
[638a6a4] | 263 | -setalias "Disabled Makebelieve CA Root" \
|
---|
| 264 | -addreject serverAuth \
|
---|
| 265 | -addreject emailProtection \
|
---|
| 266 | -addreject codeSigning \
|
---|
| 267 | > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
|
---|
| 268 | /usr/sbin/make-ca -r -f</userinput></screen>
|
---|
| 269 |
|
---|
[c9b953e6] | 270 | </sect2>
|
---|
| 271 |
|
---|
| 272 | <sect2 role="content">
|
---|
| 273 | <title>Contents</title>
|
---|
| 274 |
|
---|
| 275 | <segmentedlist>
|
---|
| 276 | <segtitle>Installed Programs</segtitle>
|
---|
| 277 | <segtitle>Installed Directories</segtitle>
|
---|
| 278 |
|
---|
| 279 | <seglistitem>
|
---|
[120b315] | 280 | <seg>make-ca</seg>
|
---|
[28b75d3] | 281 | <seg>/etc/ssl/{certs,local} and
|
---|
| 282 | /etc/pki/{nssdb,anchors,tls/{certs,java}}</seg>
|
---|
[c9b953e6] | 283 | </seglistitem>
|
---|
| 284 | </segmentedlist>
|
---|
| 285 |
|
---|
| 286 | <variablelist>
|
---|
| 287 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 288 | <?dbfo list-presentation="list"?>
|
---|
| 289 | <?dbhtml list-presentation="table"?>
|
---|
| 290 |
|
---|
[2198a32] | 291 | <varlistentry id="make-ca-bin">
|
---|
[120b315] | 292 | <term><command>make-ca</command></term>
|
---|
[c9b953e6] | 293 | <listitem>
|
---|
[47274444] | 294 | <para>
|
---|
| 295 | is a shell script that adapts a current version of
|
---|
| 296 | <filename>certdata.txt</filename>, and prepares it for use
|
---|
| 297 | as the system trust store.
|
---|
| 298 | </para>
|
---|
[2198a32] | 299 | <indexterm zone="make-ca make-ca">
|
---|
[c9b953e6] | 300 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
| 301 | </indexterm>
|
---|
| 302 | </listitem>
|
---|
| 303 | </varlistentry>
|
---|
| 304 | </variablelist>
|
---|
| 305 |
|
---|
| 306 | </sect2>
|
---|
| 307 | </sect1>
|
---|