Changeset 47274444 for postlfs/security/make-ca.xml
- Timestamp:
- 03/24/2020 07:19:44 PM (4 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- fa3edfef
- Parents:
- 914049f6
- File:
- 1 edited
postlfs/security/make-ca.xml
r914049f6 r47274444 58 58 <itemizedlist spacing="compact"> 59 59 <listitem> 60 <para>Download (HTTP): <ulink url="&make-ca-download;"/></para> 61 </listitem> 62 <listitem> 63 <para>Download size: &make-ca-size;</para> 64 </listitem> 65 <listitem> 66 <para>Download MD5 Sum: &make-ca-md5sum;</para> 67 </listitem> 68 <listitem> 69 <para>Estimated disk space required: &make-ca-buildsize;</para> 70 </listitem> 71 <listitem> 72 <para>Estimated build time: &make-ca-time;</para> 60 <para> 61 Download (HTTP): <ulink url="&make-ca-download;"/> 62 </para> 63 </listitem> 64 <listitem> 65 <para> 66 Download size: &make-ca-size; 67 </para> 68 </listitem> 69 <listitem> 70 <para> 71 Download MD5 Sum: &make-ca-md5sum; 72 </para> 73 </listitem> 74 <listitem> 75 <para> 76 Estimated disk space required: &make-ca-buildsize; 77 </para> 78 </listitem> 79 <listitem> 80 <para> 81 Estimated build time: &make-ca-time; 82 </para> 73 83 </listitem> 74 84 </itemizedlist> … … 77 87 78 88 <bridgehead renderas="sect4">Required</bridgehead> 79 <para role="required"><xref linkend="p11-kit"/> (required at runtime to 80 generate certificate stores from trust anchors)</para> 89 <para role="required"> 90 <xref linkend="p11-kit"/> (required at runtime to 91 generate certificate stores from trust anchors) 92 </para> 81 93 <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs --> 82 94 … … 93 105 <title>Installation of make-ca</title> 94 106 95 <para>The <application>make-ca</application> script will download and 96 process the certificates included in the <filename>certdata.txt</filename> 97 file for use as trust anchors for the <xref linkend="p11-kit"/> trust 98 module. Additionally, it will generate system certificate stores used by 99 BLFS applications (if the recommended and optional applications are present 100 on the system). 
Any local certificates stored in 101 <filename>/etc/ssl/local</filename> will be imported to both the trust 102 anchors and the generated certificate stores (overriding Mozilla's 103 trust). Additionally, any modified trust values will be copied from the 104 trust anchors to <filename>/etc/ssl/local</filename> prior to any updates, 105 preserving custom trust values that differ from Mozilla when using the 106 <command>trust</command> utility from <application>p11-kit</application> 107 to operate on the trust store.</para> 108 109 <para>To install the various certificate stores, first install the 110 <application>make-ca</application> script into the correct location. 111 As the <systemitem class="username">root</systemitem> user:</para> 107 <para> 108 The <application>make-ca</application> script will download and process 109 the certificates included in the <filename>certdata.txt</filename> file 110 for use as trust anchors for the <xref linkend="p11-kit"/> trust module. 111 Additionally, it will generate system certificate stores used by BLFS 112 applications (if the recommended and optional applications are present 113 on the system). Any local certificates stored in 114 <filename>/etc/ssl/local</filename> will be imported to both the trust 115 anchors and the generated certificate stores (overriding Mozilla's 116 trust). Additionally, any modified trust values will be copied from the 117 trust anchors to <filename>/etc/ssl/local</filename> prior to any 118 updates, preserving custom trust values that differ from Mozilla when 119 using the <command>trust</command> utility from 120 <application>p11-kit</application> to operate on the trust store. 121 </para> 122 123 <para> 124 To install the various certificate stores, first install the 125 <application>make-ca</application> script into the correct location. 
126 As the <systemitem class="username">root</systemitem> user: 127 </para> 112 128 113 129 <screen role="root"><userinput>make install && 114 130 install -vdm755 /etc/ssl/local</userinput></screen> 115 131 116 <para>As the <systemitem class="username">root</systemitem> user, after 117 installing <xref linkend="p11-kit"/>, download the certificate source and 118 prepare for system use with the following command:</para> 132 <para> 133 As the <systemitem class="username">root</systemitem> user, after 134 installing <xref linkend="p11-kit"/>, download the certificate source and 135 prepare for system use with the following command: 136 </para> 119 137 120 138 <note> 121 <para>If running the script a second time with the same version of 122 <filename>certdata.txt</filename>, for instance, to add additional stores 123 as the requisite software is installed, add the <parameter>-r</parameter> 124 switch to the command line. If packaging, run <command>make-ca 125 --help</command> to see all available command line options.</para> 139 <para> 140 If running the script a second time with the same version of 141 <filename>certdata.txt</filename>, for instance, to add additional 142 stores as the requisite software is installed, add the 143 <parameter>-r</parameter> switch to the command line. If packaging, 144 run <command>make-ca --help</command> to see all available command 145 line options. 146 </para> 126 147 </note> 127 148 128 149 <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen> 129 150 130 <!-- Remove at 8.5 or 9.0 --> 131 <!-- <para>Previous versions of BLFS used the path 132 <filename>/etc/ssl/ca-bundle.crt</filename> for the 133 <xref linkend="gnutls"/> certificate store. 
If software is still installed 134 that references this file, create a compatibility symlink for the old 135 location as the <systemitem class="username">root</systemitem> user:</para> 136 137 <screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt</userinput></screen> 138 It's after 9.0 --> 139 140 <para>You should periodically update the store with the above command, 141 either manually, or via a <phrase revision="sysv">cron job.</phrase> 142 <phrase revision="systemd">systemd timer. A timer is installed at 143 <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if 144 enabled, will check for updates weekly. </phrase><phrase revision="sysv">If 145 you've installed <xref linkend="fcron"/> and completed the section on 146 periodic jobs, execute</phrase><phrase revision="systemd">Execute</phrase> 147 the following commands, as the 148 <systemitem class="username">root</systemitem> user, to 149 <phrase revision="sysv">create a weekly cron job:</phrase> 150 <phrase revision="systemd">enable the systemd timer:</phrase> 151 <para> 152 You should periodically update the store with the above command, 153 either manually, or via a <phrase revision="sysv">cron job.</phrase> 154 <phrase revision="systemd">systemd timer. 
A timer is installed at 155 <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if 156 enabled, will check for updates weekly.</phrase><phrase 157 revision="sysv">If you've installed <xref linkend="fcron"/> and 158 completed the section on periodic jobs, execute</phrase><phrase 159 revision="systemd">Execute</phrase> the following commands, as the 160 <systemitem class="username">root</systemitem> user, to <phrase 161 revision="sysv">create a weekly cron job:</phrase><phrase 162 revision="systemd">enable the systemd timer:</phrase> 151 163 </para> 152 164 … … 165 177 <title>Configuring make-ca</title> 166 178 167 <para>For most users, no additional configuration is necessary, however, 168 the default <filename>certdata.txt</filename> file provided by make-ca 169 is obtained from the mozilla-release branch, and is modified to provide a 170 Mercurial revision. This will be the correct version for most systems. 171 There are several other variants of the file available for use that might 172 be preferred for one reason or another, including the files shipped with 173 Mozilla products in this book. RedHat and OpenSUSE, for instance, use the 174 version included in <xref linkend="nss"/>. Additional upstream downloads 175 are available at the links included in 176 <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to 177 <filename>/etc/make-ca.conf</filename> and edit as appropriate.</para> 179 <para> 180 For most users, no additional configuration is necessary, however, 181 the default <filename>certdata.txt</filename> file provided by make-ca 182 is obtained from the mozilla-release branch, and is modified to provide a 183 Mercurial revision. This will be the correct version for most systems. 184 There are several other variants of the file available for use that might 185 be preferred for one reason or another, including the files shipped with 186 Mozilla products in this book. 
RedHat and OpenSUSE, for instance, use the 187 version included in <xref linkend="nss"/>. Additional upstream downloads 188 are available at the links included in 189 <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to 190 <filename>/etc/make-ca.conf</filename> and edit as appropriate. 191 </para> 178 192 179 193 <indexterm zone="make-ca make-ca-config"> … … 183 197 <bridgehead renderas="sect3">About Trust Arguments</bridgehead> 184 198 185 <para>There are three trust types that are recognized by the 186 <application>make-ca</application> script, SSL/TLS, S/Mime, and code 187 signing. For <application>OpenSSL</application>, these are 188 <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>, 189 and <parameter>codeSigning</parameter> respectively. If one of the three 190 trust arguments is omitted, the certificate is neither trusted, nor 191 rejected for that role. Clients that use <application>OpenSSL</application> 192 or <application>NSS</application> encountering this certificate will 193 present a warning to the user. Clients using 194 <application>GnuTLS</application> without 195 <application>p11-kit</application> support are not aware of trusted 196 certificates. To include this CA into the 197 <filename>ca-bundle.crt</filename>, 198 <filename>email-ca-bundle.crt</filename>, or 199 <filename>objsign-ca-bundle.crt</filename> files 200 (the <application>GnuTLS</application> legacy bundles), it must have the 201 appropriate trust arguments.</para> 199 <para> 200 There are three trust types that are recognized by the 201 <application>make-ca</application> script, SSL/TLS, S/Mime, and code 202 signing. For <application>OpenSSL</application>, these are 203 <parameter>serverAuth</parameter>, 204 <parameter>emailProtection</parameter>, and 205 <parameter>codeSigning</parameter> respectively. If one of the three 206 trust arguments is omitted, the certificate is neither trusted, nor 207 rejected for that role. 
Clients that use 208 <application>OpenSSL</application> or <application>NSS</application> 209 encountering this certificate will present a warning to the user. 210 Clients using 211 <application>GnuTLS</application> without 212 <application>p11-kit</application> support are not aware of trusted 213 certificates. To include this CA into the 214 <filename>ca-bundle.crt</filename>, 215 <filename>email-ca-bundle.crt</filename>, or 216 <filename>objsign-ca-bundle.crt</filename> files 217 (the <application>GnuTLS</application> legacy bundles), it must have the 218 appropriate trust arguments. 219 </para> 202 220 203 221 <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead> 204 222 205 <para>The <filename class="directory">/etc/ssl/local</filename> directory 206 is available to add additional CA certificates to the system. For instance, 207 you might need to add an organization or government CA certificate. 208 Files in this directory must be in the <application>OpenSSL</application> 209 trusted certificate format. To create an <application>OpenSSL</application> 210 trusted certificate from a regular PEM encoded file, you need to add trust 211 arguments to the <command>openssl</command> command, and create a new 212 certificate. For example, using the 213 <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to 214 trust both for all three roles, the following commands will create 215 appropriate OpenSSL trusted certificates (run as the 216 <systemitem class="username">root</systemitem> user after 217 <xref linkend="wget"/> is installed):</para> 223 <para> 224 The <filename class="directory">/etc/ssl/local</filename> directory 225 is available to add additional CA certificates to the system. For 226 instance, you might need to add an organization or government CA 227 certificate. Files in this directory must be in the 228 <application>OpenSSL</application> trusted certificate format. 
To 229 create an <application>OpenSSL</application> trusted certificate from 230 a regular PEM encoded file, you need to add trust arguments to the 231 <command>openssl</command> command, and create a new certificate. For 232 example, using the <ulink url="http://www.cacert.org/">CAcert</ulink> 233 roots, if you want to trust both for all three roles, the following 234 commands will create appropriate OpenSSL trusted certificates (run as 235 the <systemitem class="username">root</systemitem> user after <xref 236 linkend="wget"/> is installed): 237 </para> 218 238 219 239 <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt && … … 229 249 <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead> 230 250 231 <para>Occasionally, there may be instances where you don't agree with 232 Mozilla's inclusion of a particular certificate authority. If you'd like 233 to override the default trust of a particular CA, simply create a copy of 234 the existing certificate in 235 <filename class="directory">/etc/ssl/local</filename> with different trust 236 arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" 237 file, run the following commands:</para> 251 <para> 252 Occasionally, there may be instances where you don't agree with 253 Mozilla's inclusion of a particular certificate authority. If you'd like 254 to override the default trust of a particular CA, simply create a copy of 255 the existing certificate in <filename 256 class="directory">/etc/ssl/local</filename> with different trust 257 arguments. 
For example, if you'd like to distrust the 258 "Makebelieve_CA_Root" file, run the following commands: 259 </para> 238 260 239 261 <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \ … … 271 293 <term><command>make-ca</command></term> 272 294 <listitem> 273 <para>is a shell script that adapts a current version of 274 <filename>certdata.txt</filename>, and prepares it for use 275 as the system trust store.</para> 295 <para> 296 is a shell script that adapts a current version of 297 <filename>certdata.txt</filename>, and prepares it for use 298 as the system trust store. 299 </para> 276 300 <indexterm zone="make-ca make-ca"> 277 301 <primary sortas="b-make-ca">make-ca</primary>
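Review bot: In the installation hunk, the rewrap is not purely whitespace: it also drops the commented-out block at old lines 130-138 (`<!-- Remove at 8.5 or 9.0 -->` through `It's after 9.0 -->`, including the `ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt` compatibility symlink for the old GnuTLS store path). Removing it is consistent with the comment's own note that 9.0 has passed, but a content deletion hidden inside an indentation-only change should be called out in the commit message so anyone tracing the disappearance of the `/etc/ssl/ca-bundle.crt` advice can find it. The `<phrase revision="sysv">` / `<phrase revision="systemd">` pairs at new lines 156-162 are now split across line breaks inside the start tags; that is still well-formed XML, but worth eyeballing in the rendered sysv and systemd outputs since the sysv text ends with "create a weekly cron job:" and the systemd text with "enable the systemd timer:" and both must still read as one sentence.

Review bot: In the "Adding Additional CA Certificates" hunk, new lines 233-234 keep the sentence "if you want to trust both for all three roles", where "both" has no clear antecedent; since the paragraph is being rewrapped anyway, "if you want to trust both CAcert roots for all three roles" would tie it to the roots named in the previous clause. The `<xref` start tag split across new lines 235-236 (`<xref` / `linkend="wget"/>`) is valid but inconsistent with the single-line `<xref linkend="p11-kit"/>` form used in the same file; keeping the element on one line makes it greppable.

Review bot: In the "Overriding Mozilla Trust" hunk, the same tag-splitting appears at new lines 255-256 (`<filename` / `class="directory">/etc/ssl/local</filename>`); well-formed, but reflowing so the start tag and its attribute stay on one line matches the rest of the file and avoids future merge noise on a line that is only whitespace different from the original.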