1 | <?xml version="1.0" encoding="ISO-8859-1"?>
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
5 | %general-entities;
6 | ]>
7 |
8 | <sect1 id="rootcerts" xreflabel="Root Certificates">
9 | <?dbhtml filename="rootcerts.html"?>
10 |
11 | <sect1info>
12 | <othername>$LastChangedBy$</othername>
13 | <date>$Date$</date>
14 | </sect1info>
15 |
16 | <title>Root Certificates</title>
17 |
18 | <indexterm zone="rootcerts">
19 | <primary sortas="e-cabundle">ca-bundle.crt</primary>
20 | </indexterm>
21 |
<para>The <filename>ca-bundle.crt</filename> file contains public
certificates from trusted root certificate authorities (CAs). A CA vouches
for the identity of a host by issuing a certificate that binds the host's
name (and the owner's name) to a public key and is signed using the CA's
private key. In turn, the CA's own certificate, which carries the matching
public key, can be used to verify the signature on any SSL/TLS certificate
issued by that CA. The set of CA certificates in this file therefore defines
which issuers the system will accept, and every CA listed is trusted equally
for every host name. The list of CA certificates (with public keys) included
in <filename>ca-bundle.crt</filename> is provided by mozilla.org; the CAs in
it undergo an annual investigation and auditing process as a condition of
inclusion, so that they can be trusted for general use.</para>
31 |
<para>The list of certificates is stored in PEM format, and is generated from
<filename>certdata.txt</filename>, a text file that ships with Mozilla
products and holds the DER encoding of each certificate together with its
trust settings. A <ulink
url="http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl?view=co">
script</ulink> provided by RedHat converts the upstream
<filename>certdata.txt</filename> from that representation to PEM format, so
that it is usable by applications that utilize SSL/TLS encryption. Additional
trusted CAs can be added to the <filename>ca-bundle.crt</filename> by
appending the CA's public certificate (in PEM format) to the file. Do this
only for a CA you operate or have verified yourself: any CA in the file can
issue certificates that the system will accept for any host name. Note also
that installing a newer download of the bundle replaces the whole file, so
such additions are lost and must be re-applied after every update.</para>
41 |
<para>Download a recent version of <ulink
url="&files-anduin;/ca-bundle.crt">ca-bundle.crt</ulink> and place it into
the <filename class="directory">/etc/ssl</filename> directory and make
the file world readable by issuing the following commands as the
<systemitem class="username">root</systemitem> user. Because this file
decides which CAs the whole system trusts, verify the downloaded copy
against a checksum or signature obtained from a trusted source before
installing it; anyone able to substitute the file during the download could
make the system trust certificates of their choosing. The
<command>install</command> command below leaves the file owned by
<systemitem class="username">root</systemitem> and writable only by
<systemitem class="username">root</systemitem> (mode 644); keep it that
way so that unprivileged users cannot add trust anchors:</para>
47 |
48 | <screen role="root"><userinput>install -v -d /etc/ssl &&
49 | install -m644 ca-bundle.crt /etc/ssl</userinput></screen>
50 |
51 | </sect1>