Context Navigation

-              r914049f6
+              r47274444
     <itemizedlist spacing="compact">
       <listitem>
+        <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download size: &make-ca-size;</para>
+      </listitem>
+      <listitem>
+        <para>Download MD5 Sum: &make-ca-md5sum;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &make-ca-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &make-ca-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&make-ca-download;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &make-ca-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 Sum: &make-ca-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &make-ca-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &make-ca-time;
+        </para>
       </listitem>
     </itemizedlist>
 …
     <bridgehead renderas="sect4">Required</bridgehead>
+    <para role="required"><xref linkend="p11-kit"/> (required at runtime to
+    generate certificate stores from trust anchors)</para>
+    <para role="required">
+      <xref linkend="p11-kit"/> (required at runtime to
+      generate certificate stores from trust anchors)
+    </para>
     <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs -->
 …
     <title>Installation of make-ca</title>
+    <para>The <application>make-ca</application> script will download and
+    process the certificates included in the <filename>certdata.txt</filename>
+    file for use as trust anchors for the <xref linkend="p11-kit"/> trust
+    module. Additionally, it will generate system certificate stores used by
+    BLFS applications (if the recommended and optional applications are present
+    on the system). Any local certificates stored in
+    <filename>/etc/ssl/local</filename> will be imported to both the trust
+    anchors and the generated certificate stores (overriding Mozilla's
+    trust). Additionally, any modified trust values will be copied from the
+    trust anchors to <filename>/etc/ssl/local</filename> prior to any updates,
+    preserving custom trust values that differ from Mozilla when using the
+    <command>trust</command> utility from <application>p11-kit</application>
+    to operate on the trust store.</para>
+    <para>To install the various certificate stores, first install the
+    <application>make-ca</application> script into the correct location.
+    As the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      The <application>make-ca</application> script will download and process
+      the certificates included in the <filename>certdata.txt</filename> file
+      for use as trust anchors for the <xref linkend="p11-kit"/> trust module.
+      Additionally, it will generate system certificate stores used by BLFS
+      applications (if the recommended and optional applications are present
+      on the system). Any local certificates stored in
+      <filename>/etc/ssl/local</filename> will be imported to both the trust
+      anchors and the generated certificate stores (overriding Mozilla's
+      trust). Additionally, any modified trust values will be copied from the
+      trust anchors to <filename>/etc/ssl/local</filename> prior to any
+      updates, preserving custom trust values that differ from Mozilla when
+      using the <command>trust</command> utility from
+      <application>p11-kit</application> to operate on the trust store.
+    </para>
+    <para>
+      To install the various certificate stores, first install the
+      <application>make-ca</application> script into the correct location.
+      As the <systemitem class="username">root</systemitem> user:
+    </para>
 <screen role="root"><userinput>make install &amp;&amp;
 install -vdm755 /etc/ssl/local</userinput></screen>
+   <para>As the <systemitem class="username">root</systemitem> user, after
+   installing <xref linkend="p11-kit"/>, download the certificate source and
+   prepare for system use with the following command:</para>
+   <para>
+     As the <systemitem class="username">root</systemitem> user, after
+     installing <xref linkend="p11-kit"/>, download the certificate source and
+     prepare for system use with the following command:
+   </para>
     <note>
+      <para>If running the script a second time with the same version of
+      <filename>certdata.txt</filename>, for instance, to add additional stores
+      as the requisite software is installed, add the <parameter>-r</parameter>
+      switch to the command line. If packaging, run <command>make-ca
+      --help</command> to see all available command line options.</para>
+      <para>
+        If running the script a second time with the same version of
+        <filename>certdata.txt</filename>, for instance, to add additional
+        stores as the requisite software is installed, add the
+        <parameter>-r</parameter> switch to the command line. If packaging,
+        run <command>make-ca --help</command> to see all available command
+        line options.
+      </para>
     </note>
 <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
+    <!-- Remove at 8.5 or 9.0 -->
+<!--    <para>Previous versions of BLFS used the path
+    <filename>/etc/ssl/ca-bundle.crt</filename> for the
+    <xref linkend="gnutls"/> certificate store. If software is still installed
+    that references this file, create a compatibility symlink for the old
+    location as the <systemitem class="username">root</systemitem> user:</para>
+<screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt</userinput></screen>
+   It's after 9.0 -->
+    <para>You should periodically update the store with the above command,
+    either manually, or via a <phrase revision="sysv">cron job.</phrase>
+    <phrase revision="systemd">systemd timer. A timer is installed at
+    <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
+    enabled, will check for updates weekly. </phrase><phrase revision="sysv">If
+    you've installed <xref linkend="fcron"/> and completed the section on
+    periodic jobs, execute</phrase><phrase revision="systemd">Execute</phrase>
+    the following commands, as the
+    <systemitem class="username">root</systemitem> user, to
+    <phrase revision="sysv">create a weekly cron job:</phrase>
+    <phrase revision="systemd">enable the systemd timer:</phrase>
+    <para>
+      You should periodically update the store with the above command,
+      either manually, or via a <phrase revision="sysv">cron job.</phrase>
+      <phrase revision="systemd">systemd timer. A timer is installed at
+      <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
+      enabled, will check for updates weekly.</phrase><phrase
+      revision="sysv">If you've installed <xref linkend="fcron"/> and
+      completed the section on periodic jobs, execute</phrase><phrase
+      revision="systemd">Execute</phrase> the following commands, as the
+      <systemitem class="username">root</systemitem> user, to <phrase
+      revision="sysv">create a weekly cron job:</phrase><phrase
+      revision="systemd">enable the systemd timer:</phrase>
     </para>
 …
     <title>Configuring make-ca</title>
+    <para>For most users, no additional configuration is necessary, however,
+    the default <filename>certdata.txt</filename> file provided by make-ca
+    is obtained from the mozilla-release branch, and is modified to provide a
+    Mercurial revision. This will be the correct version for most systems.
+    There are several other variants of the file available for use that might
+    be preferred for one reason or another, including the files shipped with
+    Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
+    version included in <xref linkend="nss"/>. Additional upstream downloads
+    are available at the links included in
+    <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
+    <filename>/etc/make-ca.conf</filename> and edit as appropriate.</para>
+    <para>
+      For most users, no additional configuration is necessary, however,
+      the default <filename>certdata.txt</filename> file provided by make-ca
+      is obtained from the mozilla-release branch, and is modified to provide a
+      Mercurial revision. This will be the correct version for most systems.
+      There are several other variants of the file available for use that might
+      be preferred for one reason or another, including the files shipped with
+      Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
+      version included in <xref linkend="nss"/>. Additional upstream downloads
+      are available at the links included in
+      <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
+      <filename>/etc/make-ca.conf</filename> and edit as appropriate.
+    </para>
     <indexterm zone="make-ca make-ca-config">
 …
     <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
+    <para>There are three trust types that are recognized by the
+    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
+    signing. For <application>OpenSSL</application>, these are
+    <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>,
+    and <parameter>codeSigning</parameter> respectively. If one of the three
+    trust arguments is omitted, the certificate is neither trusted, nor
+    rejected for that role. Clients that use <application>OpenSSL</application>
+    or <application>NSS</application> encountering this certificate will
+    present a warning to the user. Clients using
+    <application>GnuTLS</application> without
+    <application>p11-kit</application> support are not aware of trusted
+    certificates. To include this CA into the
+    <filename>ca-bundle.crt</filename>,
+    <filename>email-ca-bundle.crt</filename>, or
+    <filename>objsign-ca-bundle.crt</filename> files
+    (the <application>GnuTLS</application> legacy bundles), it must have the
+    appropriate trust arguments.</para>
+    <para>
+      There are three trust types that are recognized by the
+      <application>make-ca</application> script, SSL/TLS, S/Mime, and code
+      signing. For <application>OpenSSL</application>, these are
+      <parameter>serverAuth</parameter>,
+      <parameter>emailProtection</parameter>, and
+      <parameter>codeSigning</parameter> respectively. If one of the three
+      trust arguments is omitted, the certificate is neither trusted, nor
+      rejected for that role. Clients that use
+      <application>OpenSSL</application> or <application>NSS</application>
+      encountering this certificate will present a warning to the user.
+      Clients using
+      <application>GnuTLS</application> without
+      <application>p11-kit</application> support are not aware of trusted
+      certificates. To include this CA into the
+      <filename>ca-bundle.crt</filename>,
+      <filename>email-ca-bundle.crt</filename>, or
+      <filename>objsign-ca-bundle.crt</filename> files
+      (the <application>GnuTLS</application> legacy bundles), it must have the
+      appropriate trust arguments.
+    </para>
     <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
+    <para>The <filename class="directory">/etc/ssl/local</filename> directory
+    is available to add additional CA certificates to the system. For instance,
+    you might need to add an organization or government CA certificate.
+    Files in this directory must be in the <application>OpenSSL</application>
+    trusted certificate format. To create an <application>OpenSSL</application>
+    trusted certificate from a regular PEM encoded file, you need to add trust
+    arguments to the <command>openssl</command> command, and create a new
+    certificate. For example, using the
+    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
+    trust both for all three roles, the following commands will create
+    appropriate OpenSSL trusted certificates (run as the
+    <systemitem class="username">root</systemitem> user after
+    <xref linkend="wget"/> is installed):</para>
+    <para>
+      The <filename class="directory">/etc/ssl/local</filename> directory
+      is available to add additional CA certificates to the system. For
+      instance, you might need to add an organization or government CA
+      certificate. Files in this directory must be in the
+      <application>OpenSSL</application> trusted certificate format. To
+      create an <application>OpenSSL</application> trusted certificate from
+      a regular PEM encoded file, you need to add trust arguments to the
+      <command>openssl</command> command, and create a new certificate. For
+      example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
+      roots, if you want to trust both for all three roles, the following
+      commands will create appropriate OpenSSL trusted certificates (run as
+      the <systemitem class="username">root</systemitem> user after <xref
+      linkend="wget"/> is installed):
+    </para>
 <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &amp;&amp;
 …
     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
+    <para>Occasionally, there may be instances where you don't agree with
+    Mozilla's inclusion of a particular certificate authority. If you'd like
+    to override the default trust of a particular CA, simply create a copy of
+    the existing certificate in
+    <filename class="directory">/etc/ssl/local</filename> with different trust
+    arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
+    file, run the following commands:</para>
+    <para>
+      Occasionally, there may be instances where you don't agree with
+      Mozilla's inclusion of a particular certificate authority. If you'd like
+      to override the default trust of a particular CA, simply create a copy of
+      the existing certificate in <filename
+      class="directory">/etc/ssl/local</filename> with different trust
+      arguments. For example, if you'd like to distrust the
+      "Makebelieve_CA_Root" file, run the following commands:
+    </para>
 <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
 …
         <term><command>make-ca</command></term>
         <listitem>
+          <para>is a shell script that adapts a current version of
+          <filename>certdata.txt</filename>, and prepares it for use
+          as the system trust store.</para>
+          <para>
+            is a shell script that adapts a current version of
+            <filename>certdata.txt</filename>, and prepares it for use
+            as the system trust store.
+          </para>
           <indexterm zone="make-ca make-ca">
             <primary sortas="b-make-ca">make-ca</primary>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 47274444 for postlfs/security/make-ca.xml

Legend:

postlfs/security/make-ca.xml

Download in other formats: