[c9b953e6] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
[4a16903] | 7 | <!ENTITY certhost "https://hg.mozilla.org/">
|
---|
| 8 | <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
|
---|
[2198a32] | 9 | <!ENTITY make-ca-buildsize "6.6 MB (with all runtime deps)">
|
---|
[c1cd435e] | 10 | <!ENTITY make-ca-time "0.1 SBU (with all runtime deps)">
|
---|
[4a16903] | 11 |
|
---|
[120b315] | 12 | <!ENTITY make-ca-download "https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz">
|
---|
[92dea9ae] | 13 | <!ENTITY make-ca-size "36 KB">
|
---|
[c1cd435e] | 14 | <!ENTITY make-ca-md5sum "0eeaf712eedeae4fa55d8bfa37f4ca32">
|
---|
[c9b953e6] | 15 | ]>
|
---|
| 16 |
|
---|
[697e6ca5] | 17 | <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
|
---|
[2198a32] | 18 | <?dbhtml filename="make-ca.html"?>
|
---|
[c9b953e6] | 19 |
|
---|
| 20 | <sect1info>
|
---|
| 21 | <othername>$LastChangedBy$</othername>
|
---|
| 22 | <date>$Date$</date>
|
---|
| 23 | </sect1info>
|
---|
| 24 |
|
---|
[697e6ca5] | 25 | <title>make-ca-&make-ca-version;</title>
|
---|
[2198a32] | 26 | <indexterm zone="make-ca">
|
---|
| 27 | <primary sortas="a-make-ca">make-ca</primary>
|
---|
[c9b953e6] | 28 | </indexterm>
|
---|
| 29 |
|
---|
| 30 | <sect2 role="package">
|
---|
[2198a32] | 31 | <title>Introduction to make-ca</title>
|
---|
[c9b953e6] | 32 |
|
---|
[697e6ca5] | 33 | <para>
|
---|
| 34 | Public Key Infrastructure (PKI) is a method to validate the authenticity
|
---|
| 35 | of an otherwise unknown entity across untrusted networks. PKI works by
|
---|
| 36 | establishing a chain of trust, rather than trusting each individual host
|
---|
| 37 | or entity explicitly. In order for a certificate presented by a remote
|
---|
| 38 | entity to be trusted, that certificate must present a complete chain of
|
---|
| 39 | certificates that can be validated using the root certificate of a
|
---|
| 40 | Certificate Authority (CA) that is trusted by the local machine.
|
---|
| 41 | </para>
|
---|
| 42 |
|
---|
| 43 | <para>
|
---|
| 44 | Establishing trust with a CA involves validating things like company
|
---|
| 45 | address, ownership, contact information, etc., and ensuring that the CA
|
---|
| 46 | has followed best practices, such as undergoing periodic security audits
|
---|
| 47 | by independent investigators and maintaining an always available
|
---|
| 48 | certificate revocation list. This is well outside the scope of BLFS (as
|
---|
| 49 | it is for most Linux distributions). The certificate store provided here
|
---|
| 50 | is taken from the Mozilla Foundation, who have established very strict
|
---|
| 51 | inclusion policies described <ulink
|
---|
| 52 | url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.
|
---|
| 53 | </para>
|
---|
| 54 |
|
---|
[a509a18] | 55 | &lfs83_checked;
|
---|
[697e6ca5] | 56 |
|
---|
| 57 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
[c9b953e6] | 58 | <itemizedlist spacing="compact">
|
---|
| 59 | <listitem>
|
---|
[30b7db74] | 60 | <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
|
---|
[c9b953e6] | 61 | </listitem>
|
---|
| 62 | <listitem>
|
---|
[30b7db74] | 63 | <para>Download size: &make-ca-size;</para>
|
---|
| 64 | </listitem>
|
---|
| 65 | <listitem>
|
---|
| 66 | <para>Download MD5 Sum: &make-ca-md5sum;</para>
|
---|
[c9b953e6] | 67 | </listitem>
|
---|
| 68 | <listitem>
|
---|
[2198a32] | 69 | <para>Estimated disk space required: &make-ca-buildsize;</para>
|
---|
[c9b953e6] | 70 | </listitem>
|
---|
| 71 | <listitem>
|
---|
[2198a32] | 72 | <para>Estimated build time: &make-ca-time;</para>
|
---|
[c9b953e6] | 73 | </listitem>
|
---|
| 74 | </itemizedlist>
|
---|
| 75 |
|
---|
[2198a32] | 76 | <bridgehead renderas="sect3">make-ca Dependencies</bridgehead>
|
---|
[c1cd435e] | 77 |
|
---|
| 78 | <bridgehead renderas="sect4">Recommended</bridgehead>
|
---|
| 79 | <para role="recommended"><xref linkend="p11-kit"/> (required at runtime to
|
---|
| 80 | generate certificate stores from trust anchors)</para>
|
---|
| 81 |
|
---|
[4a16903] | 82 | <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
|
---|
| 83 | <para role="optional">
|
---|
[96e9478] | 84 | <xref role="runtime" linkend="java"/> or
|
---|
[c1cd435e] | 85 | <xref role="runtime" linkend="openjdk"/> (to generate a java PKCS#12
|
---|
| 86 | store), and <xref role="runtime" linkend="nss"/> (to generate a shared
|
---|
| 87 | NSSDB)
|
---|
[96e9478] | 88 | </para>
|
---|
[c9b953e6] | 89 |
|
---|
| 90 | <para condition="html" role="usernotes">User Notes:
|
---|
[2198a32] | 91 | <ulink url='&blfs-wiki;/make-ca'/></para>
|
---|
[c9b953e6] | 92 | </sect2>
|
---|
| 93 |
|
---|
| 94 | <sect2 role="installation">
|
---|
[2198a32] | 95 | <title>Installation of make-ca</title>
|
---|
[c9b953e6] | 96 |
|
---|
[120b315] | 97 | <para>The <application>make-ca</application> script will download and
|
---|
| 98 | process the certificates included in the <filename>certdata.txt</filename>
|
---|
[c1cd435e] | 99 | file for use as trust anchors for the <xref linkend="p11-kit"/> trust
|
---|
| 100 | module. Additionally, it will generate system certificate stores used by
|
---|
| 101 | BLFS applications (if the recommended and optional applications are present
|
---|
| 102 | on the system). Any local certificates stored in
|
---|
| 103 | <filename>/etc/ssl/local</filename> will be imported to both the trust
|
---|
| 104 | anchors and the generated certificate stores (overriding Mozilla's trust).
|
---|
| 105 | Certificates in this directory should be stored as PEM encoded
|
---|
[4a16903] | 106 | <application>OpenSSL</application> trusted certificates.</para>
|
---|
| 107 |
|
---|
| 108 | <para>To create an <application>OpenSSL</application> trusted certificate
|
---|
[120b315] | 109 | from a regular PEM encoded file, you need to add trust arguments to the
|
---|
[4a16903] | 110 | <command>openssl</command> command, and create a new certificate. There are
|
---|
[c10fe29] | 111 | three trust types that are recognized by the
|
---|
[120b315] | 112 | <application>make-ca</application> script, SSL/TLS, S/Mime, and code
|
---|
[c10fe29] | 113 | signing. For example, using the
|
---|
[120b315] | 114 | <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
|
---|
| 115 | trust both for all three roles, the following commands will create
|
---|
[3da11ac] | 116 | appropriate OpenSSL trusted certificates (run as the <systemitem
|
---|
| 117 | class="username">root</systemitem> user):</para>
|
---|
[c10fe29] | 118 |
|
---|
[3da11ac] | 119 | <screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &&
|
---|
[c10fe29] | 120 | wget http://www.cacert.org/certs/root.crt &&
|
---|
[120b315] | 121 | wget http://www.cacert.org/certs/class3.crt &&
|
---|
[c10fe29] | 122 | openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
---|
| 123 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
[120b315] | 124 | > /etc/ssl/local/CAcert_Class_1_root.pem &&
|
---|
| 125 | openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
|
---|
| 126 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
| 127 | > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
|
---|
[c10fe29] | 128 |
|
---|
| 129 | <para>If one of the three trust arguments is omitted, the certificate is
|
---|
| 130 | neither trusted, nor rejected for that role. Clients that use
|
---|
| 131 | <application>OpenSSL</application> or <application>NSS</application>
|
---|
| 132 | encountering this certificate will present a warning to the user. Clients
|
---|
| 133 | using <application>GnuTLS</application> without
|
---|
| 134 | <application>p11-kit</application> support are not aware of trusted
|
---|
[4a16903] | 135 | certificates. To include this CA into the ca-bundle.crt (used for
|
---|
[45db70f] | 136 | <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
|
---|
[c10fe29] | 137 | trust. Additionally, to explicitly disallow a certificate for a particular
|
---|
| 138 | use, replace the <parameter>-addtrust</parameter> flag with the
|
---|
| 139 | <parameter>-addreject</parameter> flag.</para>
|
---|
[4a16903] | 140 |
|
---|
| 141 | <para>To install the various certificate stores, first install the
|
---|
[120b315] | 142 | <application>make-ca</application> script into the correct location.
|
---|
[4a16903] | 143 | As the <systemitem class="username">root</systemitem> user:</para>
|
---|
| 144 |
|
---|
[120b315] | 145 | <screen role="root"><userinput>make install</userinput></screen>
|
---|
[4a16903] | 146 |
|
---|
[c1cd435e] | 147 | <para>As the <systemitem class="username">root</systemitem> user, after
|
---|
| 148 | installing <xref linkend="p11-kit"/>, download the certificate source and
|
---|
| 149 | prepare for system use with the following command:</para>
|
---|
[4a16903] | 150 |
|
---|
[a90ec5a7] | 151 | <note>
|
---|
| 152 | <para>If running the script a second time with the same version of
|
---|
| 153 | <filename>certdata.txt</filename>, for instance, to add additional stores
|
---|
[c1cd435e] | 154 | as the requisite software is installed, add the <parameter>-r</parameter>
|
---|
[120b315] | 155 | switch to the command line. If packaging, run <command>make-ca
|
---|
[a90ec5a7] | 156 | --help</command> to see all available command line options.</para>
|
---|
| 157 | </note>
|
---|
| 158 |
|
---|
[729e458] | 159 | <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
|
---|
[4a16903] | 160 |
|
---|
[120b315] | 161 | <para>You should periodically update the store with the above command
|
---|
| 162 | either manually, or via a <phrase revision="sysv">cron job.</phrase>
|
---|
| 163 | <phrase revision="systemd">systemd timer. A timer is installed at
|
---|
| 164 | <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
|
---|
| 165 | will check for updates weekly.</phrase></para>
|
---|
[4a16903] | 166 |
|
---|
[120b315] | 167 | <para>The default <filename>certdata.txt</filename> file provided by make-ca
|
---|
| 168 | is obtained from the mozilla-release branch, and is modified to provide a
|
---|
| 169 | Mercurial revision. This will be the correct version for most
|
---|
[4a16903] | 170 | systems. There are, however, several other variants of the file available
|
---|
[e6af89ca] | 171 | for use that might be preferred for one reason or another, including the
|
---|
| 172 | files shipped with Mozilla products in this book. RedHat and OpenSUSE,
|
---|
| 173 | for instance, use the version included in <xref linkend="nss"/>. Additional
|
---|
| 174 | upstream downloads are available at the links below.</para>
|
---|
[4a16903] | 175 |
|
---|
| 176 | <itemizedlist spacing="compact">
|
---|
| 177 | <listitem>
|
---|
| 178 | <para>Mozilla Release (the version provided by BLFS):
|
---|
| 179 | <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
|
---|
| 180 | </para>
|
---|
| 181 | </listitem>
|
---|
| 182 | <listitem>
|
---|
[da0166b2] | 183 | <para>NSS (this is the latest available version):
|
---|
[a3e625dd] | 184 | <ulink url="&certhost;projects/nss/raw-file/tip&certpath;"/>
|
---|
[4a16903] | 185 | </para>
|
---|
| 186 | </listitem>
|
---|
| 187 | <listitem>
|
---|
| 188 | <para>Mozilla Central:
|
---|
| 189 | <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
|
---|
| 190 | </para>
|
---|
| 191 | </listitem>
|
---|
| 192 | <listitem>
|
---|
| 193 | <para>Mozilla Beta:
|
---|
| 194 | <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
|
---|
| 195 | </para>
|
---|
| 196 | </listitem>
|
---|
| 197 | <listitem>
|
---|
| 198 | <para>Mozilla Aurora:
|
---|
| 199 | <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
|
---|
| 200 | </para>
|
---|
| 201 | </listitem>
|
---|
| 202 | </itemizedlist>
|
---|
[8b9034a] | 203 |
|
---|
[c9b953e6] | 204 | </sect2>
|
---|
| 205 |
|
---|
| 206 | <sect2 role="content">
|
---|
| 207 | <title>Contents</title>
|
---|
| 208 |
|
---|
| 209 | <segmentedlist>
|
---|
| 210 | <segtitle>Installed Programs</segtitle>
|
---|
| 211 | <segtitle>Installed Libraries</segtitle>
|
---|
| 212 | <segtitle>Installed Directories</segtitle>
|
---|
| 213 |
|
---|
| 214 | <seglistitem>
|
---|
[120b315] | 215 | <seg>make-ca</seg>
|
---|
[c9b953e6] | 216 | <seg>None</seg>
|
---|
[4a16903] | 217 | <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
|
---|
[c9b953e6] | 218 | </seglistitem>
|
---|
| 219 | </segmentedlist>
|
---|
| 220 |
|
---|
| 221 | <variablelist>
|
---|
| 222 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 223 | <?dbfo list-presentation="list"?>
|
---|
| 224 | <?dbhtml list-presentation="table"?>
|
---|
| 225 |
|
---|
[2198a32] | 226 | <varlistentry id="make-ca-bin">
|
---|
[120b315] | 227 | <term><command>make-ca</command></term>
|
---|
[c9b953e6] | 228 | <listitem>
|
---|
[4a16903] | 229 | <para>is a shell script that adapts a current version of
|
---|
[30b7db74] | 230 | <filename>certdata.txt</filename>, and prepares it for use
|
---|
[c1cd435e] | 231 | as the system trust store.</para>
|
---|
[2198a32] | 232 | <indexterm zone="make-ca make-ca">
|
---|
[c9b953e6] | 233 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
| 234 | </indexterm>
|
---|
| 235 | </listitem>
|
---|
| 236 | </varlistentry>
|
---|
| 237 | </variablelist>
|
---|
| 238 |
|
---|
| 239 | </sect2>
|
---|
| 240 | </sect1>
|
---|