1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY certhost "https://hg.mozilla.org/">
|
---|
8 | <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
|
---|
9 | <!ENTITY make-ca-buildsize "6.9 MB (with all runtime deps)">
|
---|
10 | <!ENTITY make-ca-time "0.1 SBU (with all runtime deps)">
|
---|
11 |
|
---|
12 | <!ENTITY make-ca-download "https://github.com/lfs-book/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
|
---|
13 | <!ENTITY make-ca-size "32 KB">
|
---|
14 | <!ENTITY make-ca-md5sum "04bd86fe2eb299788439c3466782ce45">
|
---|
15 | ]>
|
---|
16 |
|
---|
17 | <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
|
---|
18 | <?dbhtml filename="make-ca.html"?>
|
---|
19 |
|
---|
20 |
|
---|
21 | <title>make-ca-&make-ca-version;</title>
|
---|
22 | <indexterm zone="make-ca">
|
---|
23 | <primary sortas="a-make-ca">make-ca</primary>
|
---|
24 | </indexterm>
|
---|
25 |
|
---|
26 | <sect2 role="package">
|
---|
27 | <title>Introduction to make-ca</title>
|
---|
28 |
|
---|
29 | <para>
|
---|
30 | Public Key Infrastructure (PKI) is a method to validate the authenticity
|
---|
31 | of an otherwise unknown entity across untrusted networks. PKI works by
|
---|
32 | establishing a chain of trust, rather than trusting each individual host
|
---|
33 | or entity explicitly. In order for a certificate presented by a remote
|
---|
34 | entity to be trusted, that certificate must present a complete chain of
|
---|
35 | certificates that can be validated using the root certificate of a
|
---|
36 | Certificate Authority (CA) that is trusted by the local machine.
|
---|
37 | </para>
|
---|
38 |
|
---|
39 | <para>
|
---|
40 | Establishing trust with a CA involves validating things like company
|
---|
41 | address, ownership, contact information, etc., and ensuring that the CA
|
---|
42 | has followed best practices, such as undergoing periodic security audits
|
---|
43 | by independent investigators and maintaining an always available
|
---|
44 | certificate revocation list. This is well outside the scope of BLFS (as
|
---|
45 | it is for most Linux distributions). The certificate store provided here
|
---|
46 | is taken from the Mozilla Foundation, who have established very strict
|
---|
47 | inclusion policies described <ulink
|
---|
48 | url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.
|
---|
49 | </para>
|
---|
50 |
|
---|
51 | &lfs120_checked;
|
---|
52 |
|
---|
53 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
54 | <itemizedlist spacing="compact">
|
---|
55 | <listitem>
|
---|
56 | <para>
|
---|
57 | Download (HTTP): <ulink url="&make-ca-download;"/>
|
---|
58 | </para>
|
---|
59 | </listitem>
|
---|
60 | <listitem>
|
---|
61 | <para>
|
---|
62 | Download size: &make-ca-size;
|
---|
63 | </para>
|
---|
64 | </listitem>
|
---|
65 | <listitem>
|
---|
66 | <para>
|
---|
67 | Download MD5 Sum: &make-ca-md5sum;
|
---|
68 | </para>
|
---|
69 | </listitem>
|
---|
70 | <listitem>
|
---|
71 | <para>
|
---|
72 | Estimated disk space required: &make-ca-buildsize;
|
---|
73 | </para>
|
---|
74 | </listitem>
|
---|
75 | <listitem>
|
---|
76 | <para>
|
---|
77 | Estimated build time: &make-ca-time;
|
---|
78 | </para>
|
---|
79 | </listitem>
|
---|
80 | </itemizedlist>
|
---|
81 |
|
---|
82 | <note>
|
---|
83 | <para>
|
---|
84 | This package ships a CA certificate for validating the identity of
|
---|
85 | <ulink url='&certhost;'/>. If the trust chain of this website
|
---|
86 | has been changed after the release of make-ca-&make-ca-version;,
|
---|
87 | it may fail to get the revision of <filename>certdata.txt</filename>
|
---|
88 | from server. Use an updated make-ca release at
|
---|
89 | <ulink url='https://github.com/lfs-book/make-ca/releases'>the
|
---|
90 | release page</ulink> if this issue happens.
|
---|
91 | </para>
|
---|
92 | </note>
|
---|
93 |
|
---|
94 | <bridgehead renderas="sect3">make-ca Dependencies</bridgehead>
|
---|
95 |
|
---|
96 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
97 | <para role="required">
|
---|
98 | <!-- Attention: no role="runtime" here because jhalfs don't assume
|
---|
99 | runtime dependencies are needed to run commands. -->
|
---|
100 | <xref linkend="p11-kit"/> (runtime, built after
|
---|
101 | <xref role="nodep" linkend="libtasn1"/>, required in the following
|
---|
102 | instructions to generate certificate stores from trust anchors, and
|
---|
103 | each time <command>make-ca</command> is run)
|
---|
104 | </para>
|
---|
105 | <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs -->
|
---|
106 |
|
---|
107 | <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
|
---|
108 | <para role="optional">
|
---|
109 | <xref role="runtime" linkend="nss"/> (to generate a shared NSSDB)
|
---|
110 | </para>
|
---|
111 |
|
---|
112 | </sect2>
|
---|
113 |
|
---|
114 | <sect2 role="installation">
|
---|
115 | <title>Installation of make-ca and Generation of the CA-certificates stores</title>
|
---|
116 |
|
---|
117 | <para>
|
---|
118 | The <application>make-ca</application> script will download and process
|
---|
119 | the certificates included in the <filename>certdata.txt</filename> file
|
---|
120 | for use as trust anchors for the <xref linkend="p11-kit"/> trust module.
|
---|
121 | Additionally, it will generate system certificate stores used by BLFS
|
---|
122 | applications (if the recommended and optional applications are present
|
---|
123 | on the system). Any local certificates stored in
|
---|
124 | <filename>/etc/ssl/local</filename> will be imported to both the trust
|
---|
125 | anchors and the generated certificate stores (overriding Mozilla's
|
---|
126 | trust). Additionally, any modified trust values will be copied from the
|
---|
127 | trust anchors to <filename>/etc/ssl/local</filename> prior to any
|
---|
128 | updates, preserving custom trust values that differ from Mozilla when
|
---|
129 | using the <command>trust</command> utility from
|
---|
130 | <application>p11-kit</application> to operate on the trust store.
|
---|
131 | </para>
|
---|
132 |
|
---|
133 | <para>
|
---|
134 | To install the various certificate stores, first install the
|
---|
135 | <application>make-ca</application> script into the correct location.
|
---|
136 | As the <systemitem class="username">root</systemitem> user:
|
---|
137 | </para>
|
---|
138 |
|
---|
139 | <screen role="root"><userinput>make install &&
|
---|
140 | install -vdm755 /etc/ssl/local</userinput></screen>
|
---|
141 |
|
---|
142 | <note>
|
---|
143 | <para>
|
---|
144 | Technically, this package is already installed at this point.
|
---|
145 | But most packages listing <application>make-ca</application> as
|
---|
146 | a dependency actually requires the system certificate store set up
|
---|
147 | by this package, instead of requiring the <command>make-ca</command>
|
---|
148 | program itself. So the instructions for using
|
---|
149 | <command>make-ca</command> for setting up the system certificate
|
---|
150 | store is included in this section. You should make sure the required
|
---|
151 | runtime dependency for <application>make-ca</application> is
|
---|
152 | satisfied now, and continue to follow the instructions.
|
---|
153 | </para>
|
---|
154 | </note>
|
---|
155 |
|
---|
156 | <para>
|
---|
157 | As the <systemitem class="username">root</systemitem> user,
|
---|
158 | download the certificate source and
|
---|
159 | prepare for system use with the following command:
|
---|
160 | </para>
|
---|
161 |
|
---|
162 | <note>
|
---|
163 | <para>
|
---|
164 | If running the script a second time with the same version of
|
---|
165 | <filename>certdata.txt</filename>, for instance, to update the
|
---|
166 | stores when <application>make-ca</application> is upgraded, or to
|
---|
167 | add additional stores as the requisite software is installed,
|
---|
168 | replace the <parameter>-g</parameter> switch with the
|
---|
169 | <parameter>-r</parameter> switch in the command line. If packaging,
|
---|
170 | run <command>make-ca --help</command> to see all available command
|
---|
171 | line options.
|
---|
172 | </para>
|
---|
173 | </note>
|
---|
174 |
|
---|
175 | <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
|
---|
176 |
|
---|
177 | <para>
|
---|
178 | You should periodically update the store with the above command,
|
---|
179 | either manually, or via a <phrase revision="sysv">cron job.</phrase>
|
---|
180 | <phrase revision="systemd">systemd timer. A timer is installed at
|
---|
181 | <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
|
---|
182 | enabled, will check for updates weekly.</phrase><phrase
|
---|
183 | revision="sysv">If you've installed <xref linkend="fcron"/> and
|
---|
184 | completed the section on periodic jobs, execute</phrase> <phrase
|
---|
185 | revision="systemd">Execute</phrase> the following commands, as the
|
---|
186 | <systemitem class="username">root</systemitem> user, to <phrase
|
---|
187 | revision="sysv">create a weekly cron job:</phrase><phrase
|
---|
188 | revision="systemd">enable the systemd timer:</phrase>
|
---|
189 | </para>
|
---|
190 |
|
---|
191 | <screen role="nodump" revision="sysv"><userinput>cat > /etc/cron.weekly/update-pki.sh << "EOF" &&
|
---|
192 | <literal>#!/bin/bash
|
---|
193 | /usr/sbin/make-ca -g</literal>
|
---|
194 | EOF
|
---|
195 | chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>
|
---|
196 |
|
---|
197 | <screen role="root" revision="systemd"><userinput>systemctl enable update-pki.timer</userinput></screen>
|
---|
198 |
|
---|
199 | </sect2>
|
---|
200 |
|
---|
201 | <sect2 role="configuration" id="make-ca-config">
|
---|
202 | <title>Configuring make-ca</title>
|
---|
203 |
|
---|
204 | <para>
|
---|
205 | For most users, no additional configuration is necessary, however,
|
---|
206 | the default <filename>certdata.txt</filename> file provided by make-ca
|
---|
207 | is obtained from the mozilla-release branch, and is modified to provide a
|
---|
208 | Mercurial revision. This will be the correct version for most systems.
|
---|
209 | There are several other variants of the file available for use that might
|
---|
210 | be preferred for one reason or another, including the files shipped with
|
---|
211 | Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
|
---|
212 | version included in <xref linkend="nss"/>. Additional upstream downloads
|
---|
213 | are available at the links included in
|
---|
214 | <filename>/etc/make-ca/make-ca.conf.dist</filename>. Simply copy the
|
---|
215 | file to
|
---|
216 | <filename>/etc/make-ca.conf</filename> and edit as appropriate.
|
---|
217 | </para>
|
---|
218 |
|
---|
219 | <indexterm zone="make-ca make-ca-config">
|
---|
220 | <primary sortas="e-etc-make-ca-conf">/etc/make-ca.conf</primary>
|
---|
221 | </indexterm>
|
---|
222 |
|
---|
223 | <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
|
---|
224 |
|
---|
225 | <para>
|
---|
226 | There are three trust types that are recognized by the
|
---|
227 | <application>make-ca</application> script, SSL/TLS, S/Mime, and code
|
---|
228 | signing. For <application>OpenSSL</application>, these are
|
---|
229 | <parameter>serverAuth</parameter>,
|
---|
230 | <parameter>emailProtection</parameter>, and
|
---|
231 | <parameter>codeSigning</parameter> respectively. If one of the three
|
---|
232 | trust arguments is omitted, the certificate is neither trusted, nor
|
---|
233 | rejected for that role. Clients that use
|
---|
234 | <application>OpenSSL</application> or <application>NSS</application>
|
---|
235 | encountering this certificate will present a warning to the user.
|
---|
236 | Clients using
|
---|
237 | <application>GnuTLS</application> without
|
---|
238 | <application>p11-kit</application> support are not aware of trusted
|
---|
239 | certificates. To include this CA into the
|
---|
240 | <filename>ca-bundle.crt</filename>,
|
---|
241 | <filename>email-ca-bundle.crt</filename>, or
|
---|
242 | <filename>objsign-ca-bundle.crt</filename> files
|
---|
243 | (the <application>GnuTLS</application> legacy bundles), it must have the
|
---|
244 | appropriate trust arguments.
|
---|
245 | </para>
|
---|
246 |
|
---|
247 | <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
|
---|
248 |
|
---|
249 | <para>
|
---|
250 | The <filename class="directory">/etc/ssl/local</filename> directory
|
---|
251 | is available to add additional CA certificates to the system trust store.
|
---|
252 | This directory is also used to store certificates that were added to or
|
---|
253 | modified in the system trust store by <xref linkend="p11-kit"/> so that
|
---|
254 | trust values are maintained across upgrades. Files in this directory must
|
---|
255 | be in the <application>OpenSSL</application> trusted certificate format.
|
---|
256 | Certificates imported using the <command>trust</command> utility from
|
---|
257 | <xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
|
---|
258 | to assign default trust values for the system anchors.
|
---|
259 | </para>
|
---|
260 |
|
---|
261 | <para>If you need to override trust values, or otherwise need to create
|
---|
262 | an <application>OpenSSL</application> trusted certificate manually
|
---|
263 | from a regular PEM encoded file, you need to add trust arguments to the
|
---|
264 | <command>openssl</command> command, and create a new certificate. For
|
---|
265 | example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
|
---|
266 | roots, if you want to trust both for all three roles, the following
|
---|
267 | commands will create appropriate OpenSSL trusted certificates (run as
|
---|
268 | the <systemitem class="username">root</systemitem> user after <xref
|
---|
269 | linkend="wget"/> is installed):
|
---|
270 | </para>
|
---|
271 |
|
---|
272 | <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &&
|
---|
273 | wget http://www.cacert.org/certs/class3.crt &&
|
---|
274 | openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
---|
275 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
276 | > /etc/ssl/local/CAcert_Class_1_root.pem &&
|
---|
277 | openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
|
---|
278 | -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
---|
279 | > /etc/ssl/local/CAcert_Class_3_root.pem &&
|
---|
280 | /usr/sbin/make-ca -r</userinput></screen>
|
---|
281 |
|
---|
282 | <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
|
---|
283 |
|
---|
284 | <para>
|
---|
285 | Occasionally, there may be instances where you don't agree with
|
---|
286 | Mozilla's inclusion of a particular certificate authority. If you'd like
|
---|
287 | to override the default trust of a particular CA, simply create a copy of
|
---|
288 | the existing certificate in <filename
|
---|
289 | class="directory">/etc/ssl/local</filename> with different trust
|
---|
290 | arguments. For example, if you'd like to distrust the
|
---|
291 | "Makebelieve_CA_Root" file, run the following commands:
|
---|
292 | </para>
|
---|
293 |
|
---|
294 | <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
|
---|
295 | -text \
|
---|
296 | -fingerprint \
|
---|
297 | -setalias "Disabled Makebelieve CA Root" \
|
---|
298 | -addreject serverAuth \
|
---|
299 | -addreject emailProtection \
|
---|
300 | -addreject codeSigning \
|
---|
301 | > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
|
---|
302 | /usr/sbin/make-ca -r</userinput></screen>
|
---|
303 |
|
---|
304 | </sect2>
|
---|
305 |
|
---|
306 | <sect2 role="configuration" id="make-ca-python">
|
---|
307 | <title>Using make-ca with Python3</title>
|
---|
308 |
|
---|
309 | <para>
|
---|
310 | When <application>Python3</application> was installed in LFS it included
|
---|
311 | the <application>pip3</application> module with vendored certificates
|
---|
312 | from the <application>Certifi</application> module. That was necessary,
|
---|
313 | but it means that whenever <command>pip3</command> is used it can reference
|
---|
314 | those certificates, primarily when creating a virtual environment or when
|
---|
315 | installing a module with all its wheel dependencies in one go.
|
---|
316 | </para>
|
---|
317 |
|
---|
318 | <para>
|
---|
319 | It is generally considered that the System Administrator should be in
|
---|
320 | charge of which certificates are available. Now that <xref
|
---|
321 | linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and
|
---|
322 | <application>make-ca</application> has been configured, it is possible to
|
---|
323 | make <command>pip3</command> use the system certificates.
|
---|
324 | </para>
|
---|
325 |
|
---|
326 | <para>
|
---|
327 | The vendored certificates installed in LFS are a snapshot from when the
|
---|
328 | pulled-in version of <application>Certifi</application> was created. If
|
---|
329 | you regularly update the system certificates, the vendored version will
|
---|
330 | become out of date.
|
---|
331 | </para>
|
---|
332 |
|
---|
333 | <para>
|
---|
334 | To use the system certificates in <application>Python3</application> you
|
---|
335 | should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for
|
---|
336 | the <application>bash</application> shell:
|
---|
337 | </para>
|
---|
338 |
|
---|
339 | <screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen>
|
---|
340 |
|
---|
341 | <warning>
|
---|
342 | <para>
|
---|
343 | If you have created virtual environments, for example when testing modules,
|
---|
344 | and those include the <application>Requests</application> and
|
---|
345 | <application>Certifi</application> modules in <filename
|
---|
346 | class="directory">~/.local/lib/python3.11/</filename> then those local
|
---|
347 | modules will be used instead of the system certificates unless you
|
---|
348 | remove the local modules.
|
---|
349 | </para>
|
---|
350 | </warning>
|
---|
351 |
|
---|
352 | <para>
|
---|
353 | To use the system certificates in <application>Python3</application> with
|
---|
354 | the BLFS profiles add the following variable to your system or personal
|
---|
355 | profiles:
|
---|
356 | </para>
|
---|
357 |
|
---|
358 | <screen role="root"><userinput>mkdir -pv /etc/profile.d &&
|
---|
359 | cat > /etc/profile.d/pythoncerts.sh << "EOF"
|
---|
360 | <literal># Begin /etc/profile.d/pythoncerts.sh
|
---|
361 |
|
---|
362 | export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
|
---|
363 |
|
---|
364 | # End /etc/profile.d/pythoncerts.sh</literal>
|
---|
365 | EOF</userinput></screen>
|
---|
366 |
|
---|
367 | </sect2>
|
---|
368 |
|
---|
369 | <sect2 role="content">
|
---|
370 | <title>Contents</title>
|
---|
371 |
|
---|
372 | <segmentedlist>
|
---|
373 | <segtitle>Installed Programs</segtitle>
|
---|
374 | <segtitle>Installed Directories</segtitle>
|
---|
375 |
|
---|
376 | <seglistitem>
|
---|
377 | <seg>make-ca</seg>
|
---|
378 | <seg>/etc/ssl/{certs,local} and
|
---|
379 | /etc/pki/{nssdb,anchors,tls/{certs,java}}</seg>
|
---|
380 | </seglistitem>
|
---|
381 | </segmentedlist>
|
---|
382 |
|
---|
383 | <variablelist>
|
---|
384 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
385 | <?dbfo list-presentation="list"?>
|
---|
386 | <?dbhtml list-presentation="table"?>
|
---|
387 |
|
---|
388 | <varlistentry id="make-ca-bin">
|
---|
389 | <term><command>make-ca</command></term>
|
---|
390 | <listitem>
|
---|
391 | <para>
|
---|
392 | is a shell script that adapts a current version of
|
---|
393 | <filename>certdata.txt</filename>, and prepares it for use
|
---|
394 | as the system trust store
|
---|
395 | </para>
|
---|
396 | <indexterm zone="make-ca make-ca">
|
---|
397 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
398 | </indexterm>
|
---|
399 | </listitem>
|
---|
400 | </varlistentry>
|
---|
401 | </variablelist>
|
---|
402 |
|
---|
403 | </sect2>
|
---|
404 |
|
---|
405 | </sect1>
|
---|