Index: general.ent
===================================================================
--- general.ent (revision fe9bce848d8f4801dc49f103f1782b8459ac2bf3)
+++ general.ent (revision 462878e4de736f6422bbf073b6bba5db08f78672)
@@ -4,11 +4,11 @@
-->
-
-
+
+
-
+
@@ -61,4 +61,5 @@
+
Index: introduction/welcome/changelog.xml
===================================================================
--- introduction/welcome/changelog.xml (revision fe9bce848d8f4801dc49f103f1782b8459ac2bf3)
+++ introduction/welcome/changelog.xml (revision 462878e4de736f6422bbf073b6bba5db08f78672)
@@ -42,4 +42,14 @@
-->
+ April 9th, 2009
+
+
+ [dj] - Removed Root Certificates page and added ca-bundle
+ instructions to OpenSSL page.
+
+
+
+
+
March 26th, 2009
Index: postlfs/security/openssl.xml
===================================================================
--- postlfs/security/openssl.xml (revision fe9bce848d8f4801dc49f103f1782b8459ac2bf3)
+++ postlfs/security/openssl.xml (revision 462878e4de736f6422bbf073b6bba5db08f78672)
@@ -9,6 +9,9 @@
-
-
+
+
+
+
+
]>
@@ -51,4 +54,13 @@
+ CA Bundle Download:
+
+
+ CA Bundle size: &ca-bundle-size;
+
+
+ CA Bundle MD5 sum: &ca-bundle-md5sum;
+
+
Estimated disk space required: &openssl-buildsize;
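Review bot: The added "CA Bundle MD5 sum" line is the only integrity information given for the CA bundle, and that archive becomes the system's set of trusted roots. An MD5 sum listed beside the download link catches a corrupted download but does not authenticate the archive. Consider also publishing a stronger digest or a detached signature, and say in the text how the bundle was generated so a reader can reproduce it.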
@@ -70,5 +82,5 @@
Recommended
(if you run the test suite
- during the build) and
+ during the build)
Optional
@@ -88,4 +100,5 @@
patch -Np1 -i ../openssl-&openssl-version;-fix_manpages-1.patch &&
+tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &&
./config --prefix=/usr \
--openssldir=/etc/ssl \
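Review bot: The added tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 line unpacks into the OpenSSL source tree without saying what it creates there. The later cp -v -r certs /etc/ssl only picks the certificates up if the archive extracts into certs/, so state that expected layout in the Command Explanations entry. That also lets the reader notice if the archive writes anywhere else in the tree before ./config runs.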
@@ -115,8 +128,22 @@
/usr/share/doc/openssl-&openssl-version;
+ While still the root user,
+ create a single file that contains all of the installed certificates:
+
+for pem in /etc/ssl/certs/*.pem
+do
+ cat $pem
+ echo ""
+done > /etc/ssl/ca-bundle.crt
+
Command Explanations
+
+
+ tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2:
+ OpenSSL no longer includes any root certificates. This package adds root
+ certificates as provided by mozilla.org.
shared: This parameter forces the creation of
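Review bot: The added loop over /etc/ssl/certs/*.pem puts every matching file into /etc/ssl/ca-bundle.crt, so anything that lands in that directory with a .pem name becomes a trusted root for software that reads the bundle. Since cp -v -r certs /etc/ssl also installs OpenSSL's sample certificates, either restrict the loop to the files that came from the BLFS-ca-bundle package or state which files are expected to match. Also quote the variable (cat "$pem") and set the file mode explicitly, as the removed page did with install -m644, instead of relying on root's umask for the redirect.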
@@ -148,8 +175,15 @@
use of libz.so for compression/decompression. -->
- cp -v -r certs /etc/ssl: This package no longer
- ships CA certificates. This commands installs documentation and sample
- certificates as examples should one want to create/install their own
- certificates.
+ cp -v -r certs /etc/ssl: This installs both the
+ sample certificates and documentation included with OpenSSL, and the
+ certificates that were extrated from the BLFS-ca-bundle-&ca-bundle-version;
+ package.
+
+ for pem in /etc/ssl/certs/*.pem...: This group of
+ commands creates a single-file certificate bundle
+ (/etc/ssl/ca-bundle.crt) that is usable by many
+ other software packages. ca-bundle.crt should be
+ recreated anytime that a certificate is added to
+ /etc/ssl/certs.
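Review bot: The new explanation says ca-bundle.crt should be recreated when a certificate is added to /etc/ssl/certs, but not when one is removed; a CA deleted from the directory stays trusted through the bundle until the loop is rerun. Suggest wording such as "recreated any time a certificate is added to or removed from /etc/ssl/certs". Also, "extrated" in the cp -v -r entry should read "extracted".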
Index: stlfs/security/rootcerts.xml
===================================================================
--- postlfs/security/rootcerts.xml (revision fe9bce848d8f4801dc49f103f1782b8459ac2bf3)
+++ (revision )
@@ -1,51 +1,0 @@
-
-
- %general-entities;
-]>
-
-
-
-
-
- $LastChangedBy$
- $Date$
-
-
- Root Certificates
-
-
- ca-bundle.crt
-
-
- The ca-bundle.crt file contains public
- certificates from trusted root certificate authorities (CAs). CAs guarantee
- the authenticity of a host by issuing certificates that contain both the name
- of the host and the owner's name, and are signed using the CA's private key.
- In turn, a matching public key is provided by the CA that can be used to
- verify the authenticity of any SSL certificate that is signed by that CA. The
- list of CA certificates (with public keys) included in ca-bundle.crt
- are provided by mozilla.org, and undergo an annual investigation and
- auditing process, so that they can be trusted for general use.
-
- The list of certificates is stored in PEM format, and is generated from
- a DER formatted file, certdata.txt, that ships with
- Mozilla products. A
- script provided by RedHat converts the upstream
- certdata.txt from DER to PEM format, so that it is
- usable by applications that utilize SSL/TLS encryption. Additional trusted
- CAs can be added to the ca-bundle.crt by appending the
- CA's public certificate (in PEM format) to the file.
-
- Download a recent version of ca-bundle.crt and place it into
- the /etc/ssl directory and make
- the file world readable by issuing the following commands as the
- root user:
-
-install -v -d /etc/ssl &&
-install -m644 ca-bundle.crt /etc/ssl
-
-
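Review bot: Deleting this page drops the only description of where the certificates come from: that the list is generated from Mozilla's certdata.txt by a conversion script, and that additional CAs are added by appending a PEM certificate. The replacement text in openssl.xml says only "as provided by mozilla.org". Carry the provenance paragraph over to the OpenSSL page, and replace the append instruction with the new procedure (place the .pem in /etc/ssl/certs, then regenerate the bundle).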
Index: postlfs/security/security.xml
===================================================================
--- postlfs/security/security.xml (revision fe9bce848d8f4801dc49f103f1782b8459ac2bf3)
+++ postlfs/security/security.xml (revision 462878e4de736f6422bbf073b6bba5db08f78672)
@@ -40,5 +40,4 @@
"signatures" and compares for files that have been changed.
-