Changeset 120b315
- Timestamp: 10/07/2017 03:31:58 AM (7 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: c8b4decb
- Parents: b93e2bde
- Files: 6 edited
general.ent
rb93e2bde r120b315 1 1 <!-- $LastChangedBy$ $Date$ --> 2 2 3 <!ENTITY day "0 6"> <!-- Always 2 digits -->3 <!ENTITY day "07"> <!-- Always 2 digits --> 4 4 <!ENTITY month "10"> <!-- Always 2 digits --> 5 5 <!ENTITY year "2017"> … … 7 7 <!ENTITY copyholder "The BLFS Development Team"> 8 8 <!ENTITY version "&year;-&month;-&day;"> 9 <!ENTITY releasedate "October 6th, &year;">9 <!ENTITY releasedate "October 7th, &year;"> 10 10 <!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP --> 11 11 <!ENTITY blfs-version "svn"> <!-- svn|[release #] --> -
general/prog/openjdk.xml
rb93e2bde r120b315 511 511 <filename>cacerts</filename> file, <filename class="directory"> 512 512 /etc/ssl/java/cacerts</filename> on a BLFS system. Otherwise, an empty 513 one is created. You can use the <command>make-ca.sh --force</command> 514 command to generate it, once you have installed the Java binaries. 513 one is created. You can use the 514 <command>/usr/sbin/make-ca --force</command> command to generate it, once 515 you have installed the Java binaries. 515 516 </para> 516 517 -
introduction/welcome/changelog.xml
rb93e2bde r120b315 43 43 --> 44 44 <listitem> 45 <para>October 7th, 2017</para> 46 <itemizedlist> 47 <listitem> 48 <para>[dj] - Update to make-ca-0.5.</para> 49 </listitem> 50 </itemizedlist> 51 </listitem> 52 53 <listitem> 45 54 <para>Octobber 6th, 2017</para> 46 55 <itemizedlist> -
packages.ent
rb93e2bde r120b315 25 25 <!ENTITY linux-pam-docs-version "1.2.0"> 26 26 <!ENTITY libpwquality-version "1.4.0"> 27 <!ENTITY make-ca-version " 20170514">27 <!ENTITY make-ca-version "0.5"> 28 28 <!ENTITY mitkrb-major-version "1.15"> 29 29 <!ENTITY mitkrb-version "1.15.2"> -
postlfs/security/cacerts.xml
rb93e2bde r120b315 7 7 <!ENTITY certhost "https://hg.mozilla.org/"> 8 8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt"> 9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">10 <!ENTITY ca-bundle-size "1.6 MB">11 9 <!ENTITY cacerts-buildsize "6.5 MB (with all runtime deps)"> 12 10 <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)"> 13 11 14 <!ENTITY make-ca-download " &sources-anduin-http;/other/make-ca.sh-&make-ca-version;">15 <!ENTITY make-ca-size " 24KB">16 <!ENTITY make-ca-md5sum " a21a04d6ff5c4645c748220dbaa9f221">12 <!ENTITY make-ca-download "https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz"> 13 <!ENTITY make-ca-size "32 KB"> 14 <!ENTITY make-ca-md5sum "25033ded9dd0979226b8f3fd2792bd3a"> 17 15 ]> 18 16 … … 73 71 </itemizedlist> 74 72 75 76 <bridgehead renderas="sect3">Additional Downloads</bridgehead>77 <itemizedlist spacing="compact">78 <listitem>79 <para>80 CA Certificates81 <ulink url="&ca-bundle-download;"/>82 </para>83 </listitem>84 </itemizedlist>85 86 73 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead> 87 74 … … 104 91 <title>Installation of Certificate Authority Certificates</title> 105 92 106 <para>The <application>make-ca .sh</application> script will process the107 certificates included in the <filename>certdata.txt</filename> file108 f or use in multiple certificate stores (if the associated applications are109 present on the system). Additionally, any local certificates stored in93 <para>The <application>make-ca</application> script will download and 94 process the certificates included in the <filename>certdata.txt</filename> 95 file for use in multiple certificate stores (if the associated applications 96 are present on the system). Additionally, any local certificates stored in 110 97 <filename>/etc/ssl/local</filename> will be imported to the certificate 111 98 stores. 
Certificates in this directory should be stored as PEM encoded … … 113 100 114 101 <para>To create an <application>OpenSSL</application> trusted certificate 115 from a regular PEM encoded file, provided by a CA not included in Mozilla's 116 certificate distribution, you need to add trust arguments to the 102 from a regular PEM encoded file, you need to add trust arguments to the 117 103 <command>openssl</command> command, and create a new certificate. There are 118 104 three trust types that are recognized by the 119 <application>make-ca .sh</application> script, SSL/TLS, S/Mime, and code105 <application>make-ca</application> script, SSL/TLS, S/Mime, and code 120 106 signing. For example, using the 121 <ulink url="http://www.cacert.org/">CAcert</ulink> root , if you want it to122 be trusted for all three roles, the following commands will create an123 appropriate OpenSSL trusted certificate :</para>107 <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to 108 trust both for all three roles, the following commands will create 109 appropriate OpenSSL trusted certificates:</para> 124 110 125 111 <screen role="root"><userinput>install -vdm755 /etc/ssl/local && 126 112 wget http://www.cacert.org/certs/root.crt && 113 wget http://www.cacert.org/certs/class3.crt && 127 114 openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \ 128 115 -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \ 129 > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen> 116 > /etc/ssl/local/CAcert_Class_1_root.pem && 117 openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \ 118 -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \ 119 > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen> 130 120 131 121 <para>If one of the three trust arguments is omitted, the certificate is … … 142 132 143 133 <para>To install the various certificate stores, first install the 144 
<application>make-ca .sh</application> script into the correct location.134 <application>make-ca</application> script into the correct location. 145 135 As the <systemitem class="username">root</systemitem> user:</para> 146 136 147 <screen role="root"><userinput>install -vm755 make-ca.sh-&make-ca-version; /usr/sbin/make-ca.sh</userinput></screen> 148 149 <para>As the <systemitem class="username">root</systemitem> user, make sure 150 that certdata.txt is in the current directory, and update the certificate 151 stores with the following command:</para> 137 <screen role="root"><userinput>make install</userinput></screen> 138 139 <para>As the <systemitem class="username">root</systemitem> user, download 140 and update the certificate stores with the following command:</para> 152 141 153 142 <note> … … 155 144 <filename>certdata.txt</filename>, for instance, to add additional stores 156 145 as the requisite software is installed, add the <parameter>-f</parameter> 157 switch to the command line. If packaging, run <command>make-ca .sh146 switch to the command line. If packaging, run <command>make-ca 158 147 --help</command> to see all available command line options.</para> 159 148 </note> 160 149 161 <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen> 162 163 <para>You should periodically download a copy of 164 <filename>certdata.txt</filename> and run the 165 <application>make-ca.sh</application> script (as the 166 <systemitem class="username">root</systemitem> user), or as part of a 167 monthly <application>cron</application> job to ensure that you have the 168 latest available version of the certificates.</para> 169 170 <para>The <filename>certdata.txt</filename> file provided by BLFS is 171 obtained from the mozilla-release branch, and is modified to provide a 172 simple dated revision. 
This will be the correct version for most 150 <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen> 151 152 <para>You should periodically update the store with the above command 153 either manually, or via a <phrase revision="sysv">cron job.</phrase> 154 <phrase revision="systemd">systemd timer. A timer is installed at 155 <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled, 156 will check for updates weekly.</phrase></para> 157 158 <para>The default <filename>certdata.txt</filename> file provided by make-ca 159 is obtained from the mozilla-release branch, and is modified to provide a 160 Mercurial revision. This will be the correct version for most 173 161 systems. There are, however, several other variants of the file available 174 162 for use that might be preferred for one reason or another, including the … … 216 204 217 205 <seglistitem> 218 <seg>make-ca .sh</seg>206 <seg>make-ca</seg> 219 207 <seg>None</seg> 220 208 <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg> … … 228 216 229 217 <varlistentry id="make-ca"> 230 <term><command>make-ca .sh</command></term>218 <term><command>make-ca</command></term> 231 219 <listitem> 232 220 <para>is a shell script that adapts a current version of -
postlfs/security/nss.xml
rb93e2bde r120b315 229 229 <para>Additionally, for dependent applications that do not use the internal 230 230 database (<filename>/usr/lib/libnssckbi.so</filename>), the 231 <filename> make-ca.sh</filename> script, included on the231 <filename>/usr/sbin/make-ca</filename> script, included on the 232 232 <xref linkend="cacerts"/> page, will generate a system wide NSS DB.</para> 233 233
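Review bot: In general/prog/openjdk.xml, the new `/usr/sbin/make-ca --force` command omits the `-g` switch that cacerts.xml in this same changeset uses for the download-and-update run, while the certdata.txt entry under Additional Downloads is removed. Please confirm that `--force` alone has a certdata.txt to work from once the Java binaries are installed, or add `-g` here, so readers do not end up with the empty cacerts file this paragraph warns about.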
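Review bot: In introduction/welcome/changelog.xml, the new October 7th entry "Update to make-ca-0.5" does not record that the script is renamed from make-ca.sh to make-ca and now downloads certdata.txt itself, both of which are visible in the cacerts.xml hunks. A cron job that still calls /usr/sbin/make-ca.sh will not pick up the new script, so the rename deserves a mention in the entry. The neighbouring context line still reads "Octobber 6th, 2017" and could be corrected in the same commit.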
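Review bot: In the entity hunk at the top of postlfs/security/cacerts.xml, make-ca-md5sum remains the only integrity value for a tarball that is now fetched from a GitHub archive URL, installed as root with `make install`, and used to build the system trust stores. MD5 catches a corrupted download but is not collision resistant, so it should not be the sole check on this package; suggest adding a SHA-256 entity alongside it, or a signature check if upstream provides one.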
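Review bot: In the CAcert example of postlfs/security/cacerts.xml, the added `wget http://www.cacert.org/certs/class3.crt` line fetches a second trust anchor over plain HTTP, and the openssl command that follows immediately grants it serverAuth, emailProtection and codeSigning trust. The `-fingerprint` output is written into the .pem file, but the text never tells the reader to compare it with a fingerprint obtained from an authenticated source before the file lands in /etc/ssl/local. Suggest adding that verification step between the downloads and the `openssl x509` calls, for both root.crt and class3.crt.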
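Review bot: In the update hunk of postlfs/security/cacerts.xml, the command becomes `/usr/sbin/make-ca -g`, but the note just above it only explains `-f` and the `-g` switch is not described anywhere in the visible text. Since the preceding paragraph now says this command downloads certdata.txt as root, please add a sentence on what `-g` does and where the file is fetched from. The systemd sentence also says the timer works "if enabled" without giving the command to enable it, and the sysv phrase mentions a cron job without an example.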