Context Navigation

source: postlfs/security/make-ca.xml@ ac5932a

Visit:

12.1 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18

Last change on this file since ac5932a was ac5932a, checked in by Pierre Labastie <pierre.labastie@…>, 8 months ago
Update to make-ca-1.13
Property mode set to `100644`
File size: 16.5 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY certhost "https://hg.mozilla.org/">
8	<!ENTITY certpath "/lib/ckfw/builtins/certdata.txt">
9	<!ENTITY make-ca-buildsize "6.9 MB (with all runtime deps)">
10	<!ENTITY make-ca-time "0.1 SBU (with all runtime deps)">
11
12	<!ENTITY make-ca-download "https://github.com/lfs-book/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
13	<!ENTITY make-ca-size "32 KB">
14	<!ENTITY make-ca-md5sum "04bd86fe2eb299788439c3466782ce45">
15	]>
16
17	<sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
18	<?dbhtml filename="make-ca.html"?>
19
20
21	<title>make-ca-&make-ca-version;</title>
22	<indexterm zone="make-ca">
23	<primary sortas="a-make-ca">make-ca</primary>
24	</indexterm>
25
26	<sect2 role="package">
27	<title>Introduction to make-ca</title>
28
29	<para>
30	Public Key Infrastructure (PKI) is a method to validate the authenticity
31	of an otherwise unknown entity across untrusted networks. PKI works by
32	establishing a chain of trust, rather than trusting each individual host
33	or entity explicitly. In order for a certificate presented by a remote
34	entity to be trusted, that certificate must present a complete chain of
35	certificates that can be validated using the root certificate of a
36	Certificate Authority (CA) that is trusted by the local machine.
37	</para>
38
39	<para>
40	Establishing trust with a CA involves validating things like company
41	address, ownership, contact information, etc., and ensuring that the CA
42	has followed best practices, such as undergoing periodic security audits
43	by independent investigators and maintaining an always available
44	certificate revocation list. This is well outside the scope of BLFS (as
45	it is for most Linux distributions). The certificate store provided here
46	is taken from the Mozilla Foundation, who have established very strict
47	inclusion policies described <ulink
48	url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.
49	</para>
50
51	&lfs120_checked;
52
53	<bridgehead renderas="sect3">Package Information</bridgehead>
54	<itemizedlist spacing="compact">
55	<listitem>
56	<para>
57	Download (HTTP): <ulink url="&make-ca-download;"/>
58	</para>
59	</listitem>
60	<listitem>
61	<para>
62	Download size: &make-ca-size;
63	</para>
64	</listitem>
65	<listitem>
66	<para>
67	Download MD5 Sum: &make-ca-md5sum;
68	</para>
69	</listitem>
70	<listitem>
71	<para>
72	Estimated disk space required: &make-ca-buildsize;
73	</para>
74	</listitem>
75	<listitem>
76	<para>
77	Estimated build time: &make-ca-time;
78	</para>
79	</listitem>
80	</itemizedlist>
81
82	<bridgehead renderas="sect3">make-ca Dependencies</bridgehead>
83
84	<bridgehead renderas="sect4">Required</bridgehead>
85	<para role="required">
86	<!-- Attention: no role="runtime" here because jhalfs don't assume
87	runtime dependencies are needed to run commands. -->
88	<xref linkend="p11-kit"/> (runtime, built after
89	<xref role="nodep" linkend="libtasn1"/>, required in the following
90	instructions to generate certificate stores from trust anchors, and
91	each time <command>make-ca</command> is run)
92	</para>
93	<!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs -->
94
95	<bridgehead renderas="sect4">Optional (runtime)</bridgehead>
96	<para role="optional">
97	<xref role="runtime" linkend="nss"/> (to generate a shared NSSDB)
98	</para>
99
100	</sect2>
101
102	<sect2 role="installation">
103	<title>Installation of make-ca and Generation of the CA-certificates stores</title>
104
105	<para>
106	The <application>make-ca</application> script will download and process
107	the certificates included in the <filename>certdata.txt</filename> file
108	for use as trust anchors for the <xref linkend="p11-kit"/> trust module.
109	Additionally, it will generate system certificate stores used by BLFS
110	applications (if the recommended and optional applications are present
111	on the system). Any local certificates stored in
112	<filename>/etc/ssl/local</filename> will be imported to both the trust
113	anchors and the generated certificate stores (overriding Mozilla's
114	trust). Additionally, any modified trust values will be copied from the
115	trust anchors to <filename>/etc/ssl/local</filename> prior to any
116	updates, preserving custom trust values that differ from Mozilla when
117	using the <command>trust</command> utility from
118	<application>p11-kit</application> to operate on the trust store.
119	</para>
120
121	<para>
122	To install the various certificate stores, first install the
123	<application>make-ca</application> script into the correct location.
124	As the <systemitem class="username">root</systemitem> user:
125	</para>
126
127	<screen role="root"><userinput>make install &&
128	install -vdm755 /etc/ssl/local</userinput></screen>
129
130	<note>
131	<para>
132	Technically, this package is already installed at this point.
133	But most packages listing <application>make-ca</application> as
134	a dependency actually requires the system certificate store set up
135	by this package, instead of requiring the <command>make-ca</command>
136	program itself. So the instructions for using
137	<command>make-ca</command> for setting up the system certificate
138	store is included in this section. You should make sure the required
139	runtime dependency for <application>make-ca</application> is
140	satisfied now, and continue to follow the instructions.
141	</para>
142	</note>
143
144	<para>
145	As the <systemitem class="username">root</systemitem> user,
146	download the certificate source and
147	prepare for system use with the following command:
148	</para>
149
150	<note>
151	<para>
152	If running the script a second time with the same version of
153	<filename>certdata.txt</filename>, for instance, to update the
154	stores when <application>make-ca</application> is upgraded, or to
155	add additional stores as the requisite software is installed,
156	replace the <parameter>-g</parameter> switch with the
157	<parameter>-r</parameter> switch in the command line. If packaging,
158	run <command>make-ca --help</command> to see all available command
159	line options.
160	</para>
161	</note>
162
163	<screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
164
165	<para>
166	You should periodically update the store with the above command,
167	either manually, or via a <phrase revision="sysv">cron job.</phrase>
168	<phrase revision="systemd">systemd timer. A timer is installed at
169	<filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
170	enabled, will check for updates weekly.</phrase><phrase
171	revision="sysv">If you've installed <xref linkend="fcron"/> and
172	completed the section on periodic jobs, execute</phrase> <phrase
173	revision="systemd">Execute</phrase> the following commands, as the
174	<systemitem class="username">root</systemitem> user, to <phrase
175	revision="sysv">create a weekly cron job:</phrase><phrase
176	revision="systemd">enable the systemd timer:</phrase>
177	</para>
178
179	<screen role="nodump" revision="sysv"><userinput>cat > /etc/cron.weekly/update-pki.sh << "EOF" &&
180	<literal>#!/bin/bash
181	/usr/sbin/make-ca -g</literal>
182	EOF
183	chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>
184
185	<screen role="root" revision="systemd"><userinput>systemctl enable update-pki.timer</userinput></screen>
186
187	</sect2>
188
189	<sect2 role="configuration" id="make-ca-config">
190	<title>Configuring make-ca</title>
191
192	<para>
193	For most users, no additional configuration is necessary, however,
194	the default <filename>certdata.txt</filename> file provided by make-ca
195	is obtained from the mozilla-release branch, and is modified to provide a
196	Mercurial revision. This will be the correct version for most systems.
197	There are several other variants of the file available for use that might
198	be preferred for one reason or another, including the files shipped with
199	Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
200	version included in <xref linkend="nss"/>. Additional upstream downloads
201	are available at the links included in
202	<filename>/etc/make-ca/make-ca.conf.dist</filename>. Simply copy the
203	file to
204	<filename>/etc/make-ca.conf</filename> and edit as appropriate.
205	</para>
206
207	<indexterm zone="make-ca make-ca-config">
208	<primary sortas="e-etc-make-ca-conf">/etc/make-ca.conf</primary>
209	</indexterm>
210
211	<bridgehead renderas="sect3">About Trust Arguments</bridgehead>
212
213	<para>
214	There are three trust types that are recognized by the
215	<application>make-ca</application> script, SSL/TLS, S/Mime, and code
216	signing. For <application>OpenSSL</application>, these are
217	<parameter>serverAuth</parameter>,
218	<parameter>emailProtection</parameter>, and
219	<parameter>codeSigning</parameter> respectively. If one of the three
220	trust arguments is omitted, the certificate is neither trusted, nor
221	rejected for that role. Clients that use
222	<application>OpenSSL</application> or <application>NSS</application>
223	encountering this certificate will present a warning to the user.
224	Clients using
225	<application>GnuTLS</application> without
226	<application>p11-kit</application> support are not aware of trusted
227	certificates. To include this CA into the
228	<filename>ca-bundle.crt</filename>,
229	<filename>email-ca-bundle.crt</filename>, or
230	<filename>objsign-ca-bundle.crt</filename> files
231	(the <application>GnuTLS</application> legacy bundles), it must have the
232	appropriate trust arguments.
233	</para>
234
235	<bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
236
237	<para>
238	The <filename class="directory">/etc/ssl/local</filename> directory
239	is available to add additional CA certificates to the system trust store.
240	This directory is also used to store certificates that were added to or
241	modified in the system trust store by <xref linkend="p11-kit"/> so that
242	trust values are maintained across upgrades. Files in this directory must
243	be in the <application>OpenSSL</application> trusted certificate format.
244	Certificates imported using the <command>trust</command> utility from
245	<xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
246	to assign default trust values for the system anchors.
247	</para>
248
249	<para>If you need to override trust values, or otherwise need to create
250	an <application>OpenSSL</application> trusted certificate manually
251	from a regular PEM encoded file, you need to add trust arguments to the
252	<command>openssl</command> command, and create a new certificate. For
253	example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
254	roots, if you want to trust both for all three roles, the following
255	commands will create appropriate OpenSSL trusted certificates (run as
256	the <systemitem class="username">root</systemitem> user after <xref
257	linkend="wget"/> is installed):
258	</para>
259
260	<screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &&
261	wget http://www.cacert.org/certs/class3.crt &&
262	openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
263	-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
264	> /etc/ssl/local/CAcert_Class_1_root.pem &&
265	openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
266	-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
267	> /etc/ssl/local/CAcert_Class_3_root.pem &&
268	/usr/sbin/make-ca -r</userinput></screen>
269
270	<bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
271
272	<para>
273	Occasionally, there may be instances where you don't agree with
274	Mozilla's inclusion of a particular certificate authority. If you'd like
275	to override the default trust of a particular CA, simply create a copy of
276	the existing certificate in <filename
277	class="directory">/etc/ssl/local</filename> with different trust
278	arguments. For example, if you'd like to distrust the
279	"Makebelieve_CA_Root" file, run the following commands:
280	</para>
281
282	<screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
283	-text \
284	-fingerprint \
285	-setalias "Disabled Makebelieve CA Root" \
286	-addreject serverAuth \
287	-addreject emailProtection \
288	-addreject codeSigning \
289	> /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
290	/usr/sbin/make-ca -r</userinput></screen>
291
292	</sect2>
293
294	<sect2 role="configuration" id="make-ca-python">
295	<title>Using make-ca with Python3</title>
296
297	<para>
298	When <application>Python3</application> was installed in LFS it included
299	the <application>pip3</application> module with vendored certificates
300	from the <application>Certifi</application> module. That was necessary,
301	but it means that whenever <command>pip3</command> is used it can reference
302	those certificates, primarily when creating a virtual environment or when
303	installing a module with all its wheel dependencies in one go.
304	</para>
305
306	<para>
307	It is generally considered that the System Administrator should be in
308	charge of which certificates are available. Now that <xref
309	linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and
310	<application>make-ca</application> has been configured, it is possible to
311	make <command>pip3</command> use the system certificates.
312	</para>
313
314	<para>
315	The vendored certificates installed in LFS are a snapshot from when the
316	pulled-in version of <application>Certifi</application> was created. If
317	you regularly update the system certificates, the vendored version will
318	become out of date.
319	</para>
320
321	<para>
322	To use the system certificates in <application>Python3</application> you
323	should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for
324	the <application>bash</application> shell:
325	</para>
326
327	<screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen>
328
329	<warning>
330	<para>
331	If you have created virtual environments, for example when testing modules,
332	and those include the <application>Requests</application> and
333	<application>Certifi</application> modules in <filename
334	class="directory">~/.local/lib/python3.11/</filename> then those local
335	modules will be used instead of the system certificates unless you
336	remove the local modules.
337	</para>
338	</warning>
339
340	<para>
341	To use the system certificates in <application>Python3</application> with
342	the BLFS profiles add the following variable to your system or personal
343	profiles:
344	</para>
345
346	<screen role="root"><userinput>mkdir -pv /etc/profile.d &&
347	cat > /etc/profile.d/pythoncerts.sh << "EOF"
348	<literal># Begin /etc/profile.d/pythoncerts.sh
349
350	export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
351
352	# End /etc/profile.d/pythoncerts.sh</literal>
353	EOF</userinput></screen>
354
355	</sect2>
356
357	<sect2 role="content">
358	<title>Contents</title>
359
360	<segmentedlist>
361	<segtitle>Installed Programs</segtitle>
362	<segtitle>Installed Directories</segtitle>
363
364	<seglistitem>
365	<seg>make-ca</seg>
366	<seg>/etc/ssl/{certs,local} and
367	/etc/pki/{nssdb,anchors,tls/{certs,java}}</seg>
368	</seglistitem>
369	</segmentedlist>
370
371	<variablelist>
372	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
373	<?dbfo list-presentation="list"?>
374	<?dbhtml list-presentation="table"?>
375
376	<varlistentry id="make-ca-bin">
377	<term><command>make-ca</command></term>
378	<listitem>
379	<para>
380	is a shell script that adapts a current version of
381	<filename>certdata.txt</filename>, and prepares it for use
382	as the system trust store
383	</para>
384	<indexterm zone="make-ca make-ca">
385	<primary sortas="b-make-ca">make-ca</primary>
386	</indexterm>
387	</listitem>
388	</varlistentry>
389	</variablelist>
390
391	</sect2>
392
393	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: