Changeset 120b315


Timestamp:
10/07/2017 03:31:58 AM (4 years ago)
Author:
DJ Lucas <dj@…>
Branches:
10.0, 10.1, 11.0, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, ken/refactor-virt, lazarus, perl-modules, qt5new, trunk, upgradedb, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
c8b4decb
Parents:
b93e2bde
Message:

Update to make-ca-0.5.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@19295 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
6 edited

  • general.ent

    rb93e2bde r120b315  
    11<!-- $LastChangedBy$ $Date$ -->
    22
    3 <!ENTITY day          "06">                   <!-- Always 2 digits -->
     3<!ENTITY day          "07">                   <!-- Always 2 digits -->
    44<!ENTITY month        "10">                   <!-- Always 2 digits -->
    55<!ENTITY year         "2017">
     
    77<!ENTITY copyholder   "The BLFS Development Team">
    88<!ENTITY version      "&year;-&month;-&day;">
    9 <!ENTITY releasedate  "October 6th, &year;">
     9<!ENTITY releasedate  "October 7th, &year;">
    1010<!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
    1111<!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
  • general/prog/openjdk.xml

    rb93e2bde r120b315  
    511511      <filename>cacerts</filename> file, <filename class="directory">
    512512      /etc/ssl/java/cacerts</filename> on a BLFS system. Otherwise, an empty
    513       one is created. You can use the <command>make-ca.sh --force</command>
    514       command to generate it, once you have installed the Java binaries.
     513      one is created. You can use the
     514      <command>/usr/sbin/make-ca --force</command> command to generate it, once
     515      you have installed the Java binaries.
    515516    </para>
    516517
  • introduction/welcome/changelog.xml

    rb93e2bde r120b315  
    4343-->
    4444    <listitem>
     45      <para>October 7th, 2017</para>
     46      <itemizedlist>
     47        <listitem>
     48          <para>[dj] - Update to make-ca-0.5.</para>
     49        </listitem>
     50      </itemizedlist>
     51    </listitem>
     52
     53    <listitem>
    4554      <para>Octobber 6th, 2017</para>
    4655      <itemizedlist>
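Review bot: The existing entry directly below the new one reads "Octobber 6th, 2017" (line 54 of the new file). Since this hunk adds the adjacent list item, correct the spelling to "October" in the same commit.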
  • packages.ent

    rb93e2bde r120b315  
    2525<!ENTITY linux-pam-docs-version       "1.2.0">
    2626<!ENTITY libpwquality-version         "1.4.0">
    27 <!ENTITY make-ca-version              "20170514">
     27<!ENTITY make-ca-version              "0.5">
    2828<!ENTITY mitkrb-major-version         "1.15">
    2929<!ENTITY mitkrb-version               "1.15.2">
  • postlfs/security/cacerts.xml

    rb93e2bde r120b315  
    77  <!ENTITY certhost              "https://hg.mozilla.org/">
    88  <!ENTITY certpath              "/lib/ckfw/builtins/certdata.txt">
    9   <!ENTITY ca-bundle-download    "&sources-anduin-http;/other/certdata.txt">
    10   <!ENTITY ca-bundle-size        "1.6 MB">
    119  <!ENTITY cacerts-buildsize     "6.5 MB (with all runtime deps)">
    1210  <!ENTITY cacerts-time          "0.2 SBU (with all runtime deps)">
    1311
    14   <!ENTITY make-ca-download      "&sources-anduin-http;/other/make-ca.sh-&make-ca-version;">
    15   <!ENTITY make-ca-size          "24 KB">
    16   <!ENTITY make-ca-md5sum        "a21a04d6ff5c4645c748220dbaa9f221">
     12  <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz">
     13  <!ENTITY make-ca-size          "32 KB">
     14  <!ENTITY make-ca-md5sum        "25033ded9dd0979226b8f3fd2792bd3a">
    1715]>
    1816
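Review bot: The new make-ca-md5sum value is the only integrity check given for a download that now comes from a GitHub archive URL rather than the &sources-anduin-http; location. MD5 is not collision resistant, and this tarball installs the script that builds every trust store on the system, so a stronger digest (for example SHA-256) or a signed release is worth recording alongside it. Also confirm that nothing else still references the removed ca-bundle-download and ca-bundle-size entities.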
     
    7371    </itemizedlist>
    7472
    75 
    76     <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    77     <itemizedlist spacing="compact">
    78       <listitem>
    79         <para>
    80           CA Certificates
    81           <ulink url="&ca-bundle-download;"/>
    82         </para>
    83       </listitem>
    84     </itemizedlist>
    85 
    8673    <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
    8774
     
    10491    <title>Installation of Certificate Authority Certificates</title>
    10592
    106     <para>The <application>make-ca.sh</application> script will process the
    107     certificates included in the <filename>certdata.txt</filename> file
    108     for use in multiple certificate stores (if the associated applications are
    109     present on the system). Additionally, any local certificates stored in
     93    <para>The <application>make-ca</application> script will download and
     94    process the certificates included in the <filename>certdata.txt</filename>
     95    file for use in multiple certificate stores (if the associated applications
     96    are present on the system). Additionally, any local certificates stored in
    11097    <filename>/etc/ssl/local</filename> will be imported to the certificate
    11198    stores. Certificates in this directory should be stored as PEM encoded
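Review bot: The reworded paragraph says make-ca "will download and process" certdata.txt but does not say where the file is fetched from or how that download is authenticated. Because this file is the source of the system trust anchors, name the source (the certhost entity at the top of the file is https://hg.mozilla.org/) and say how the connection is validated on a first run, when no certificate store has been generated yet.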
     
    113100
    114101    <para>To create an <application>OpenSSL</application> trusted certificate
    115     from a regular PEM encoded file, provided by a CA not included in Mozilla's
    116     certificate distribution, you need to add trust arguments to the
     102    from a regular PEM encoded file, you need to add trust arguments to the
    117103    <command>openssl</command> command, and create a new certificate. There are
    118104    three trust types that are recognized by the
    119     <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
     105    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
    120106    signing. For example, using the
    121     <ulink url="http://www.cacert.org/">CAcert</ulink> root, if you want it to
    122     be trusted for all three roles, the following commands will create an
    123     appropriate OpenSSL trusted certificate:</para>
     107    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
     108    trust both for all three roles, the following commands will create
     109    appropriate OpenSSL trusted certificates:</para>
    124110
    125111<screen role="root"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
    126112wget http://www.cacert.org/certs/root.crt &amp;&amp;
     113wget http://www.cacert.org/certs/class3.crt &amp;&amp;
    127114openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
    128115        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
    129         > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen>
     116        > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
     117openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
     118        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
     119        > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
    130120
    131121    <para>If one of the three trust arguments is omitted, the certificate is
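Review bot: The added "wget http://www.cacert.org/certs/class3.crt" line, like the existing root.crt fetch, retrieves a root certificate over plain HTTP, and the commands then mark it trusted for serverAuth, emailProtection and codeSigning with no verification step in between. The -fingerprint output only ends up inside the .pem file. Add a step that has the reader compare each certificate's fingerprint against a value obtained out of band before the files are written to /etc/ssl/local. The rewritten sentence "if you want to trust both for all three roles" would also read better as "if you want both to be trusted for all three roles".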
     
    142132
    143133    <para>To install the various certificate stores, first install the
    144     <application>make-ca.sh</application> script into the correct location.
     134    <application>make-ca</application> script into the correct location.
    145135    As the <systemitem class="username">root</systemitem> user:</para>
    146136
    147 <screen role="root"><userinput>install -vm755 make-ca.sh-&make-ca-version; /usr/sbin/make-ca.sh</userinput></screen>
    148 
    149    <para>As the <systemitem class="username">root</systemitem> user, make sure
    150    that certdata.txt is in the current directory, and update the certificate
    151    stores with the following command:</para>
     137<screen role="root"><userinput>make install</userinput></screen>
     138
     139   <para>As the <systemitem class="username">root</systemitem> user, download
     140   and update the certificate stores with the following command:</para>
    152141
    153142    <note>
     
    155144      <filename>certdata.txt</filename>, for instance, to add additional stores
    156145      as the requisite software is installed, add the <parameter>-f</parameter>
    157       switch to the command line. If packaging, run <command>make-ca.sh
     146      switch to the command line. If packaging, run <command>make-ca
    158147      --help</command> to see all available command line options.</para>
    159148    </note>
    160149
    161 <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
    162 
    163     <para>You should periodically download a copy of
    164     <filename>certdata.txt</filename> and run the
    165     <application>make-ca.sh</application> script (as the
    166     <systemitem class="username">root</systemitem> user), or as part of a
    167     monthly <application>cron</application> job to ensure that you have the
    168     latest available version of the certificates.</para>
    169 
    170     <para>The <filename>certdata.txt</filename> file provided by BLFS is
    171     obtained from the mozilla-release branch, and is modified to provide a
    172     simple dated revision. This will be the correct version for most
     150<screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
     151
     152    <para>You should periodically update the store with the above command
     153    either manually, or via a <phrase revision="sysv">cron job.</phrase>
     154    <phrase revision="systemd">systemd timer. A timer is installed at
     155    <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
     156    will check for updates weekly.</phrase></para>
     157
     158    <para>The default <filename>certdata.txt</filename> file provided by make-ca
     159    is obtained from the mozilla-release branch, and is modified to provide a
     160    Mercurial revision. This will be the correct version for most
    173161    systems. There are, however, several other variants of the file available
    174162    for use that might be preferred for one reason or another, including the
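Review bot: The replacement command "/usr/sbin/make-ca -g" introduces a -g switch that the surrounding text never explains; the note above it covers only -f and --help. Add a sentence saying what -g does. The systemd phrase also says the timer checks weekly "if enabled" without showing how to enable it, so add the command (systemctl enable update-pki.timer), and the sysv phrase drops the earlier "monthly" guidance without giving a schedule or a sample cron entry.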
     
    216204
    217205      <seglistitem>
    218         <seg>make-ca.sh</seg>
     206        <seg>make-ca</seg>
    219207        <seg>None</seg>
    220208        <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
     
    228216
    229217      <varlistentry id="make-ca">
    230         <term><command>make-ca.sh</command></term>
     218        <term><command>make-ca</command></term>
    231219        <listitem>
    232220          <para>is a shell script that adapts a current version of
  • postlfs/security/nss.xml

    rb93e2bde r120b315  
    229229    <para>Additionally, for dependent applications that do not use the internal
    230230    database (<filename>/usr/lib/libnssckbi.so</filename>), the
    231     <filename>make-ca.sh</filename> script, included on the
     231    <filename>/usr/sbin/make-ca</filename> script, included on the
    232232    <xref linkend="cacerts"/> page, will generate a system wide NSS DB.</para>
    233233