source: postlfs/security/make-ca.xml@ 7e6b462

Last change on this file since 7e6b462 was c1cd435e, checked in by DJ Lucas <dj@…>, 6 years ago

Update to make-ca-0.9. Fixes #11114.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20462 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY certhost "https://hg.mozilla.org/">
  <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
  <!ENTITY make-ca-buildsize "6.6 MB (with all runtime deps)">
  <!ENTITY make-ca-time "0.1 SBU (with all runtime deps)">

  <!ENTITY make-ca-download "https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz">
  <!ENTITY make-ca-size "36 KB">
  <!ENTITY make-ca-md5sum "0eeaf712eedeae4fa55d8bfa37f4ca32">
]>

<sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
  <?dbhtml filename="make-ca.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>make-ca-&make-ca-version;</title>
  <indexterm zone="make-ca">
    <primary sortas="a-make-ca">make-ca</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to make-ca</title>

    <para>
      Public Key Infrastructure (PKI) is a method to validate the authenticity
      of an otherwise unknown entity across untrusted networks. PKI works by
      establishing a chain of trust, rather than trusting each individual host
      or entity explicitly. In order for a certificate presented by a remote
      entity to be trusted, that certificate must present a complete chain of
      certificates that can be validated using the root certificate of a
      Certificate Authority (CA) that is trusted by the local machine.
    </para>

    <para>
      Establishing trust with a CA involves validating things like company
      address, ownership, contact information, etc., and ensuring that the CA
      has followed best practices, such as undergoing periodic security audits
      by independent investigators and maintaining an always available
      certificate revocation list. This is well outside the scope of BLFS (as
      it is for most Linux distributions). The certificate store provided here
      is taken from the Mozilla Foundation, who have established very strict
      inclusion policies described <ulink
      url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.
    </para>

    &lfs83_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
      </listitem>
      <listitem>
        <para>Download size: &make-ca-size;</para>
      </listitem>
      <listitem>
        <para>Download MD5 Sum: &make-ca-md5sum;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &make-ca-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &make-ca-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">make-ca Dependencies</bridgehead>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended"><xref linkend="p11-kit"/> (required at runtime to
    generate certificate stores from trust anchors)</para>

    <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
    <para role="optional">
      <xref role="runtime" linkend="java"/> or
      <xref role="runtime" linkend="openjdk"/> (to generate a Java PKCS#12
      store), and <xref role="runtime" linkend="nss"/> (to generate a shared
      NSSDB)
    </para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/make-ca'/></para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of make-ca</title>

    <para>The <application>make-ca</application> script will download and
    process the certificates included in the <filename>certdata.txt</filename>
    file for use as trust anchors for the <xref linkend="p11-kit"/> trust
    module. Additionally, it will generate system certificate stores used by
    BLFS applications (if the recommended and optional applications are present
    on the system). Any local certificates stored in
    <filename>/etc/ssl/local</filename> will be imported to both the trust
    anchors and the generated certificate stores (overriding Mozilla's trust).
    Certificates in this directory should be stored as PEM encoded
    <application>OpenSSL</application> trusted certificates.</para>

    <para>To create an <application>OpenSSL</application> trusted certificate
    from a regular PEM encoded file, you need to add trust arguments to the
    <command>openssl</command> command, and create a new certificate. There are
    three trust types that are recognized by the
    <application>make-ca</application> script: SSL/TLS, S/MIME, and code
    signing. For example, using the
    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
    trust both roots for all three roles, the following commands will create
    appropriate OpenSSL trusted certificates (run as the <systemitem
    class="username">root</systemitem> user):</para>

<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
wget http://www.cacert.org/certs/root.crt &amp;&amp;
wget http://www.cacert.org/certs/class3.crt &amp;&amp;
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
    -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
    > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
    -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
    > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>

    <para>If one of the three trust arguments is omitted, the certificate is
    neither trusted nor rejected for that role. Clients that use
    <application>OpenSSL</application> or <application>NSS</application>
    encountering this certificate will present a warning to the user. Clients
    using <application>GnuTLS</application> without
    <application>p11-kit</application> support are not aware of trusted
    certificates. To include this CA in the ca-bundle.crt (used for
    <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
    trust. Additionally, to explicitly disallow a certificate for a particular
    use, replace the <parameter>-addtrust</parameter> flag with the
    <parameter>-addreject</parameter> flag.</para>
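The trust attributes set with <parameter>-addtrust</parameter>, <parameter>-addreject</parameter> and <parameter>-setalias</parameter> are stored in an X509_CERT_AUX trailer that follows the certificate inside the TRUSTED CERTIFICATE PEM block. The Python decoder below is an added example, not code from make-ca or OpenSSL: it reads that trailer and reports, for each of the three roles make-ca recognizes, whether a local certificate is trusted, rejected or unspecified, so a missing serverAuth trust (which keeps a CA out of ca-bundle.crt) is easy to spot. The sample PEM is constructed inline, with a placeholder SEQUENCE in place of a real certificate body.

```python
import base64
import re

# DER-encoded id-kp OIDs (1.3.6.1.5.5.7.3.x) behind make-ca's three trust roles
ROLE_OIDS = {bytes.fromhex("2b06010505070301"): "serverAuth",
             bytes.fromhex("2b06010505070303"): "codeSigning",
             bytes.fromhex("2b06010505070304"): "emailProtection"}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _elements(seq):
    """Yield the value bytes of every element in a SEQUENCE payload."""
    pos = 0
    while pos < len(seq):
        _, value, pos = _tlv(seq, pos)
        yield value

def trust_attributes(pem):
    """Return the alias and per-role status (trusted/rejected/unspecified)."""
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END", pem, re.S)
    if not m:  # a plain CERTIFICATE block carries no trust attributes at all
        raise ValueError("not an OpenSSL TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    _, _, pos = _tlv(der, 0)    # the X.509 certificate itself: skip over it
    _, aux, _ = _tlv(der, pos)  # X509_CERT_AUX trailer written by -addtrust & co.
    trusted, rejected, alias, pos = [], [], None, 0
    while pos < len(aux):
        tag, value, pos = _tlv(aux, pos)
        if tag == 0x30:    # SEQUENCE OF OID: purposes given with -addtrust
            trusted = list(_elements(value))
        elif tag == 0xA0:  # [0] IMPLICIT SEQUENCE OF OID: purposes from -addreject
            rejected = list(_elements(value))
        elif tag == 0x0C:  # UTF8String: the -setalias text
            alias = value.decode()
    roles = {role: "trusted" if oid in trusted else "rejected" if oid in rejected
             else "unspecified" for oid, role in ROLE_OIDS.items()}
    return {"alias": alias, "roles": roles}

# Constructed sample: a placeholder SEQUENCE stands in for the certificate body (only
# skipped), then the trailer for: -addtrust serverAuth -addtrust emailProtection
# -addreject codeSigning -setalias "Example root"
_DER = bytes.fromhex("3003020100" "3030" "3014" "06082b06010505070301" "06082b06010505070304"
                     "a00a" "06082b06010505070303" "0c0c") + b"Example root"
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.encodebytes(_DER).decode()
              + "-----END TRUSTED CERTIFICATE-----\n")
```

Because the regex searches for the PEM block, the human-readable output that <parameter>-text</parameter> and <parameter>-fingerprint</parameter> place before it in the files above is ignored.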

    <para>To install the various certificate stores, first install the
    <application>make-ca</application> script into the correct location.
    As the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install</userinput></screen>

    <para>As the <systemitem class="username">root</systemitem> user, after
    installing <xref linkend="p11-kit"/>, download the certificate source and
    prepare for system use with the following command:</para>

    <note>
      <para>If running the script a second time with the same version of
      <filename>certdata.txt</filename>, for instance, to add additional stores
      as the requisite software is installed, add the <parameter>-r</parameter>
      switch to the command line. If packaging, run <command>make-ca
      --help</command> to see all available command line options.</para>
    </note>

<screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>

    <para>You should periodically update the store with the above command
    either manually, or via a <phrase revision="sysv">cron job.</phrase>
    <phrase revision="systemd">systemd timer. A timer is installed at
    <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
    will check for updates weekly.</phrase></para>

    <para>The default <filename>certdata.txt</filename> file provided by make-ca
    is obtained from the mozilla-release branch, and is modified to provide a
    Mercurial revision. This will be the correct version for most
    systems. There are, however, several other variants of the file available
    for use that might be preferred for one reason or another, including the
    files shipped with Mozilla products in this book. Red Hat and openSUSE,
    for instance, use the version included in <xref linkend="nss"/>. Additional
    upstream downloads are available at the links below.</para>

    <itemizedlist spacing="compact">
      <listitem>
        <para>Mozilla Release (the version provided by BLFS):
        <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
        </para>
      </listitem>
      <listitem>
        <para>NSS (this is the latest available version):
        <ulink url="&certhost;projects/nss/raw-file/tip&certpath;"/>
        </para>
      </listitem>
      <listitem>
        <para>Mozilla Central:
        <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
        </para>
      </listitem>
      <listitem>
        <para>Mozilla Beta:
        <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
        </para>
      </listitem>
      <listitem>
        <para>Mozilla Aurora:
        <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
        </para>
      </listitem>
    </itemizedlist>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>make-ca</seg>
        <seg>None</seg>
        <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="make-ca-bin">
        <term><command>make-ca</command></term>
        <listitem>
          <para>is a shell script that adapts a current version of
          <filename>certdata.txt</filename>, and prepares it for use
          as the system trust store.</para>
          <indexterm zone="make-ca make-ca">
            <primary sortas="b-make-ca">make-ca</primary>
          </indexterm>
        </listitem>
      </varlistentry>
    </variablelist>

  </sect2>
</sect1>