Changeset 4a16903
- Timestamp:
- 11/18/2016 07:13:46 AM
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 539dd69d
- Parents:
- 1c929a6d
- Files:
- 7 edited
general/prog/openjdk.xml
r1c929a6d r4a16903 555 555 <filename>/etc/ssl/java/cacerts</filename>. That file should be 556 556 generated using the system PKI trust store. The instructions 557 on the <xref linkend="cacerts"/> page will be used to do the update558 by calling the following script. Installthe559 <command>mkcacerts</command> script and setup a symlink in the java560 as the <systemitem class="username">root</systemitem>user:557 on the <xref linkend="cacerts"/> page should be used to update the file 558 located in <filename>/etc/ssl/java</filename>. Setup a symlink in the 559 defualt location as the <systemitem class="username">root</systemitem> 560 user: 561 561 </para> 562 562 563 <screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF" && 564 <literal>#!/bin/sh 565 # Simple script to extract x509 certificates and create a JRE cacerts file. 566 567 function get_args() 568 { 569 if test -z "${1}" ; then 570 showhelp 571 exit 1 572 fi 573 574 while test -n "${1}" ; do 575 case "${1}" in 576 -f | --cafile) 577 check_arg $1 $2 578 CAFILE="${2}" 579 shift 2 580 ;; 581 -d | --cadir) 582 check_arg $1 $2 583 CADIR="${2}" 584 shift 2 585 ;; 586 -o | --outfile) 587 check_arg $1 $2 588 OUTFILE="${2}" 589 shift 2 590 ;; 591 -k | --keytool) 592 check_arg $1 $2 593 KEYTOOL="${2}" 594 shift 2 595 ;; 596 -s | --openssl) 597 check_arg $1 $2 598 OPENSSL="${2}" 599 shift 2 600 ;; 601 -h | --help) 602 showhelp 603 exit 0 604 ;; 605 *) 606 showhelp 607 exit 1 608 ;; 609 esac 610 done 611 } 612 613 function check_arg() 614 { 615 echo "${2}" | grep -v "^-" > /dev/null 616 if [ -z "$?" -o ! -n "$2" ]; then 617 echo "Error: $1 requires a valid argument." 
618 exit 1 619 fi 620 } 621 622 # The date binary is not reliable on 32bit systems for dates after 2038 623 function mydate() 624 { 625 local y=$( echo $1 | cut -d" " -f4 ) 626 local M=$( echo $1 | cut -d" " -f1 ) 627 local d=$( echo $1 | cut -d" " -f2 ) 628 local m 629 630 if [ ${d} -lt 10 ]; then d="0${d}"; fi 631 632 case $M in 633 Jan) m="01";; 634 Feb) m="02";; 635 Mar) m="03";; 636 Apr) m="04";; 637 May) m="05";; 638 Jun) m="06";; 639 Jul) m="07";; 640 Aug) m="08";; 641 Sep) m="09";; 642 Oct) m="10";; 643 Nov) m="11";; 644 Dec) m="12";; 645 esac 646 647 certdate="${y}${m}${d}" 648 } 649 650 function showhelp() 651 { 652 echo "`basename ${0}` creates a valid cacerts file for use with IcedTea." 653 echo "" 654 echo " -f --cafile The path to a file containing PEM" 655 echo " formated CA certificates. May not be" 656 echo " used with -d/--cadir." 657 echo "" 658 echo " -d --cadir The path to a directory of PEM formatted" 659 echo " CA certificates. May not be used with" 660 echo " -f/--cafile." 661 echo "" 662 echo " -o --outfile The path to the output file." 663 echo "" 664 echo " -k --keytool The path to the java keytool utility." 665 echo "" 666 echo " -s --openssl The path to the openssl utility." 667 echo "" 668 echo " -h --help Show this help message and exit." 669 echo "" 670 echo "" 671 } 672 673 # Initialize empty variables so that the shell does not pollute the script 674 CAFILE="" 675 CADIR="" 676 OUTFILE="" 677 OPENSSL="" 678 KEYTOOL="" 679 certdate="" 680 date="" 681 today=$( date +%Y%m%d ) 682 683 # Process command line arguments 684 get_args ${@} 685 686 # Handle common errors 687 if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then 688 echo "ERROR! You must provide an x509 certificate store!" 689 echo "\'$(basename ${0}) --help\' for more info." 690 echo "" 691 exit 1 692 fi 693 694 if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then 695 echo "ERROR! You cannot provide two x509 certificate stores!" 
696 echo "\'$(basename ${0}) --help\' for more info." 697 echo "" 698 exit 1 699 fi 700 701 if test "${KEYTOOL}x" == "x" ; then 702 echo "ERROR! You must provide a valid keytool program!" 703 echo "\'$(basename ${0}) --help\' for more info." 704 echo "" 705 exit 1 706 fi 707 708 if test "${OPENSSL}x" == "x" ; then 709 echo "ERROR! You must provide a valid path to openssl!" 710 echo "\'$(basename ${0}) --help\' for more info." 711 echo "" 712 exit 1 713 fi 714 715 if test "${OUTFILE}x" == "x" ; then 716 echo "ERROR! You must provide a valid output file!" 717 echo "\'$(basename ${0}) --help\' for more info." 718 echo "" 719 exit 1 720 fi 721 722 # Get on with the work 723 724 # If using a CAFILE, split it into individual files in a temp directory 725 if test "${CAFILE}x" != "x" ; then 726 TEMPDIR=`mktemp -d` 727 CADIR="${TEMPDIR}" 728 729 # Get a list of staring lines for each cert 730 CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1` 731 732 # Get a list of ending lines for each cert 733 ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1` 734 735 # Start a loop 736 for certbegin in `echo "${CERTLIST}"` ; do 737 for certend in `echo "${ENDCERTLIST}"` ; do 738 if test "${certend}" -gt "${certbegin}"; then 739 break 740 fi 741 done 742 sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem" 743 keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash` 744 echo "Generated PEM file with hash: ${keyhash}." 745 done 746 fi 747 748 # Write the output file 749 for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"` 750 do 751 752 # Make sure the certificate date is valid... 753 date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' ) 754 mydate "${date}" 755 if test "${certdate}" -lt "${today}" ; then 756 echo "${cert} expired on ${certdate}! Skipping..." 
757 unset date certdate 758 continue 759 fi 760 unset date certdate 761 ls "${cert}" 762 tempfile=`mktemp` 763 certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1` 764 certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1` 765 sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}" 766 echo yes | env LC_ALL=C "${KEYTOOL}" -import \ 767 -alias `basename "${cert}"` \ 768 -keystore "${OUTFILE}" \ 769 -storepass 'changeit' \ 770 -file "${tempfile}" 771 rm "${tempfile}" 772 done 773 774 if test "${TEMPDIR}x" != "x" ; then 775 rm -rf "${TEMPDIR}" 776 fi 777 exit 0</literal> 778 EOF 779 780 chmod -c 0755 /opt/jdk/bin/mkcacerts && 781 ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen> 782 783 <note> 784 <para> 785 Doing a very large copy/paste directly to a terminal may result in a 786 corrupted file. Copying to an editor may overcome this issue. 787 </para> 788 </note> 789 790 <para> 791 Generate the <application>OpenJDK</application> <filename>cacerts</filename> 792 file as the <systemitem class="username">root</systemitem> user: 793 </para> 794 795 <screen role="root"><userinput>if [ -f /etc/ssl/java/cacerts ]; then 796 mv /etc/ssl/java/cacerts \ 797 /etc/ssl/java/cacerts.bak 798 fi && 799 /opt/jdk/bin/mkcacerts \ 800 -d "/etc/ssl/certs/" \ 801 -k "/opt/jdk/bin/keytool" \ 802 -s "/usr/bin/openssl" \ 803 -o "/etc/ssl/java/cacerts"</userinput></screen> 563 <screen role="root"><userinput>ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen> 804 564 805 565 <para>Use the following commands to check if the … … 809 569 bin/keytool -list -keystore /etc/ssl/java/cacerts</userinput></screen> 810 570 811 <para>At the prompt "Enter keystore password:", press the "Enter" key if 812 there is no keystore password defined. If the <filename>cacerts</filename> 813 file was installed correctly, you will see a list of the certificates with 814 related information for each one. 
If not, you need to reinstall 815 them.</para> 571 <para>At the prompt "Enter keystore password:", enter "changeit" (the 572 default). If the <filename>cacerts</filename> file was installed 573 correctly, you will see a list of the certificates with related 574 information for each one. If not, you need to reinstall them.</para> 816 575 817 576 </sect3> … … 831 590 jarsigner, java, javac, javadoc, javah, javap, java-rmi.cgi, 832 591 jcmd, jconsole, jdb, jdeps, jhat, jinfo, jjs, jmap, jps, 833 jrunscript, jsadebugd, jstack, jstat, jstatd, keytool, mkcacerts,592 jrunscript, jsadebugd, jstack, jstat, jstatd, keytool, 834 593 native2ascii, orbd, pack200, policytool, rmic, rmid, rmiregistry, 835 594 schemagen, serialver, servertool, tnameserv, unpack200, … … 1128 887 </varlistentry> 1129 888 1130 <varlistentry id="mkcacerts">1131 <term><command>mkcacerts</command></term>1132 <listitem>1133 <para> is a simple script to extract x509 certificates and create1134 a JRE cacerts file using <command>keytool</command>.</para>1135 <indexterm zone="openjdk mkcacerts">1136 <primary sortas="b-mkcacerts">mkcacerts</primary>1137 </indexterm>1138 </listitem>1139 </varlistentry>1140 1141 889 <varlistentry id="native2ascii"> 1142 890 <term><command>native2ascii</command></term> -
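Review bot: the new `ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts` runs unconditionally, so if make-ca.sh has not yet populated /etc/ssl/java/cacerts the JDK's bundled trust store is replaced by a dangling symlink and every TLS connection made from Java fails until the cacerts page has been completed; suggest stating that ordering in the paragraph above the command, or guarding it with `test -f /etc/ssl/java/cacerts &&`. In the same paragraph "defualt" should be "default" and "Setup a symlink" should be "Set up a symlink".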
introduction/welcome/changelog.xml
r1c929a6d r4a16903 50 50 <ulink url="&blfs-ticket-root;8515">#8515</ulink>.</para> 51 51 </listitem> 52 <listitem> 53 <para>[dj] - Introduce complete PKI seutp for CA Certificates page. 54 Fixes <ulink url="&blfs-ticket-root;8507">#8507</ulink>.</para> 55 </listitem> 52 56 </itemizedlist> 53 57 </listitem> -
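Review bot: typo in the new changelog entry, "seutp" should be "setup".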
networking/netprogs/wget.xml
r1c929a6d r4a16903 167 167 </para> 168 168 169 <screen role="root"><userinput>echo c a-directory=/etc/ssl/certs>> /etc/wgetrc</userinput></screen>169 <screen role="root"><userinput>echo certificate=/etc/ssl/ca-bundle.crt >> /etc/wgetrc</userinput></screen> 170 170 171 171 </sect3> -
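Review bot: `certificate=` in wgetrc is wget's `--certificate` option, the client certificate presented to the server, not the CA bundle used to verify the peer; the option for a bundle file is `ca_certificate` (`--ca-certificate`), and the removed `ca-directory=/etc/ssl/certs` was the correct way to point at the hashed directory. Suggest `echo ca_certificate=/etc/ssl/ca-bundle.crt >> /etc/wgetrc` (or keeping `ca-directory`), otherwise peer verification keeps falling back to whatever wget finds on its own.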
packages.ent
r1c929a6d r4a16903 296 296 <!ENTITY mercurial-version "3.9.2"> 297 297 <!ENTITY nasm-version "2.12.02"> 298 <!ENTITY ninja-version "1.7. 2">298 <!ENTITY ninja-version "1.7.1"> 299 299 <!ENTITY npapi-sdk-version "0.27.2"> 300 300 <!ENTITY php-version "7.0.12"> -
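Review bot: the ninja-version change from 1.7.2 to 1.7.1 is a downgrade unrelated to the PKI work and reads like a stale working copy reverting someone else's commit; suggest dropping this hunk from the changeset, or recording it in the changelog if it is intentional.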
postlfs/security/cacerts.xml
r1c929a6d r4a16903 5 5 %general-entities; 6 6 7 <!ENTITY certhost "https://hg.mozilla.org/"> 8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt"> 9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt"> 10 <!ENTITY ca-bundle-size "1.6 MB"> 11 <!ENTITY cacerts-buildsize "4.7 MB (with all runtime deps)"> 12 <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)"> 13 7 14 <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh"> 8 <!ENTITY make-ca-size "4.1 KB"> 9 <!ENTITY make-ca-md5sum "487ca7ce6f7b81b3e46362138f93310c"> 10 <!ENTITY cacerts-buildsize "1.4 MB"> 11 <!ENTITY cacerts-time "0.1 SBU"> 15 <!ENTITY make-ca-size "11 KB"> 16 <!ENTITY make-ca-md5sum "fbc5687ce7fd5533edbb4e616a1080de"> 12 17 ]> 13 18 … … 22 27 <title>Certificate Authority Certificates</title> 23 28 24 <para>The Public Key Infrastructure is used for many security features in a 25 Linux system. In order for a certificate to be trusted, it must be signed by 26 a trusted agent called a Certificate Authority (CA). The certificates 27 installed in this section are obtained from the Mozilla version control 28 system, and reformatted for use by <xref linkend='openssl'/> and 29 <xref linkend='gnutls'/>. The certificates can also be used by other 30 applications, either directly or indirectly by linking to one of these 31 packages.</para> 29 <para>Public Key Infrastructure (PKI) is a method to validate the 30 authenticity of an othewise unknown entity across untrusted networks. PKI 31 works by establishing a chain of trust, rather than trusting each individual 32 host or entity explicitly. 
In order for a certificate presented by a remote 33 entity to be trusted, that certificate must pesent a complete chain of 34 certificates that can be validated using the root certificate of a 35 Certificate Authority (CA) that is trusted by the local machine.</para> 36 37 <para>Establishing trust with a CA involves validating things like company 38 address, ownership, contact information, etc., and ensuring that the CA has 39 followed best practices, such as udergoing periodic security audits by 40 independent investegators and maintaining an always avaialable certificate 41 revocation list. This is well outside the scope of BLFS (as it is for most 42 Linux distributions). The certificate store provided here is taken from the 43 Mozilla Foundation, who have established very strict inclusion policies 44 described 45 <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para> 32 46 33 47 &lfs7a_checked; … … 59 73 </itemizedlist> 60 74 75 76 <bridgehead renderas="sect3">Additional Downloads</bridgehead> 77 <itemizedlist spacing="compact"> 78 <listitem> 79 <para> 80 CA Certificates 81 <ulink url="&ca-bundle-download;"/> 82 </para> 83 </listitem> 84 </itemizedlist> 85 61 86 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead> 62 87 63 88 <bridgehead renderas="sect4">Required</bridgehead> 64 <para role="required"><xref linkend="openssl"/> and 65 <xref linkend="curl"/></para> 89 <para role="required"><xref linkend="openssl"/></para> 90 91 <bridgehead renderas="sect4">Optional (runtime)</bridgehead> 92 <para role="optional"> 93 <xref linkend="java"/> or <xref linkend="openjdk"/>, and 94 <xref linkend="nss"/></para> 66 95 67 96 <para condition="html" role="usernotes">User Notes: … … 72 101 <title>Installation of Certificate Authority Certificates</title> 73 102 74 <para>The <application>make-ca.sh</application> script will download a set 75 of certificates from one of five projects 
(aurora, beta, central, nss, or 76 release) in the Mozialla version control system. It defaults to the release 77 branch, which is identical to the version that ships with the Mozilla 78 products in this book. If you'd like to change the branch that is retrieved, 79 edit the file and set <envar>CERTSOURCE</envar> to one of the five values 80 above.</para> 81 82 <para>Additionally, any local certificates stored in 83 <filename>/etc/ssl/local</filename> will be copied into both the single-file 84 <filename>/etc/ssl/ca-bundle.crt</filename> (used by programs that link to 85 <application>gnutls</application>), and into the certificate store directory 86 <filename>/etc/ssl/certs</filename> (used by programs that link to 87 <application>OpenSSL</application>). All certificates will pass a date and 88 trust validation, and any existing certificates in 89 <filename>/etc/ssl/ca-bundle.crt</filename> or 90 <filename>/etc/ssl/certs</filename> will be removed upon successful 91 completion of this script.</para> 92 93 <para>Finally, if you've installed <xref linkend="java"/> or <xref 94 linkend="openjdk"/>, then it will also update the java cacerts file at 95 <filename>/etc/ssl/java/cacerts</filename>.</para> 96 97 <para>First install the above script into the correct location. 
As the 98 <systemitem class="username">root</systemitem> user:</para> 99 100 <screen role="root"><userinput>install -vm750 make-ca.sh /usr/sbin</userinput></screen> 101 102 <para>As the <systemitem class="username">root</systemitem> user, create the 103 needed directories, and update the certificate store:</para> 104 105 <screen role="root"><userinput>install -vdm755 /etc/ssl/{certs,java,local} && 106 /usr/sbin/make-ca.sh 107 </userinput></screen> 108 109 <para>You should periodically run the <application>make-ca.sh</application> 110 script (as the <systemitem class="username">root</systemitem> user), or as 111 part of a monthly <application>cron</application> job to ensure that you 112 have the latest available version of the certificates.</para> 103 <para>The <application>make-ca.sh</application> script will adapt the 104 certificates included in the <filename>certdata.txt</filename> file 105 for use in multiple certificate stores (if the associated applications are 106 present on the system). Additionally, any local certificates stored in 107 <filename>/etc/ssl/local</filename> will be imported to the ceritificate 108 stores. Certificates in this directory should be stored as PEM encoded 109 <application>OpenSSL</application> trusted certificates.</para> 110 111 <para>To create an <application>OpenSSL</application> trusted certificate 112 from a regular PEM encoded file, provided by a CA not included in Mozilla's 113 certificate distribution, you need to add trust arguments to the 114 <command>openssl</command> command, and create a new certificate. There are 115 three trust types that are recognised by the 116 <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code 117 signing. 
For example, to allow a certificate to be trusted for both 118 SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use 119 the following commands to create a new trusted ceritificate that has those 120 trust attributes:</para> 121 122 <screen><literal>openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1" \ 123 -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \ 124 > MyRootCA-trusted.pem</literal></screen> 125 126 <para>If a trust argument is omitted, the certificate is neither trusted, 127 nor rejected. Clients that use <application>OpenSSL</application> or 128 <application>NSS</application> encountering this certificate will present 129 a warning to the user. Clients using <application>GnuTLS</application> 130 without <application>p11-kit</application> support are not aware of trusted 131 certificates. To include this CA into the ca-bundle.crt (used for 132 <application>GnuTLS</application>), it must, at very least, have the 133 serverAuth trust.</para> 134 135 <para>To install the various certificate stores, first install the 136 <application>make-ca.sh</application> script into the correct location. 
137 As the <systemitem class="username">root</systemitem> user:</para> 138 139 <screen role="root"><userinput>install -vm755 make-ca.sh /usr/sbin</userinput></screen> 140 141 <para>As the <systemitem class="username">root</systemitem> user, make sure 142 that certdata.txt is in the current direcotry, and update the certificate 143 stores with the following command:</para> 144 145 <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen> 146 147 <para>You should periodically download a copy of 148 <filename>certdata.txt</filename> and run the 149 <application>make-ca.sh</application> script (as the 150 <systemitem class="username">root</systemitem> user), or as part of a 151 monthly <application>cron</application> job to ensure that you have the 152 latest available version of the certificates.</para> 153 154 <para>The <filename>certdata.txt</filename> file provided by BLFS is 155 obtained from the mozilla-release branch, and is modified to provide a 156 simple dated revision. This will be the correct verision for most 157 systems. There are, however, several other variants of the file available 158 for use that might be preferred for one reason or another, including all 159 Mozilla products in this book. RedHat and OpenSUSE, for instace, use the 160 version included in <xref linkend="nss"/>. 
Additional download locations 161 are available at:</para> 162 163 <itemizedlist spacing="compact"> 164 <listitem> 165 <para>Mozilla Release (the version provided by BLFS): 166 <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/> 167 </para> 168 </listitem> 169 <listitem> 170 <para>NSS (this is the latest availalbe version): 171 <ulink url="&certhost;projects/nss/raw-file/tip/lib&certpath;"/> 172 </para> 173 </listitem> 174 <listitem> 175 <para>Mozilla Central: 176 <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/> 177 </para> 178 </listitem> 179 <listitem> 180 <para>Mozilla Beta: 181 <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/> 182 </para> 183 </listitem> 184 <listitem> 185 <para>Mozilla Aurora: 186 <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/> 187 </para> 188 </listitem> 189 </itemizedlist> 113 190 114 191 </sect2> … … 125 202 <seg>make-ca.sh</seg> 126 203 <seg>None</seg> 127 <seg>/etc/ssl/{certs,java,local} </seg>204 <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg> 128 205 </seglistitem> 129 206 </segmentedlist> … … 137 214 <term><command>make-ca.sh</command></term> 138 215 <listitem> 139 <para>is a shell script that downloads a current version of216 <para>is a shell script that adapts a current version of 140 217 <filename>certdata.txt</filename>, and prepares it for use 141 218 as the system certificate store.</para> -
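Review bot: the new certdata.txt download (`&ca-bundle-download;`) gets a `ca-bundle-size` entity but no checksum entity, while make-ca.sh keeps its `make-ca-md5sum`; certdata.txt is the input from which every system trust store is built, so an unverified download is the weakest link on this page. Suggest adding a `ca-bundle-md5sum` entity and listing it next to the download. The removed `install -vdm755 /etc/ssl/{certs,java,local}` step is no longer shown, yet the installed-directories segment still lists those paths plus /etc/pki/{nssdb,anchors}; if make-ca.sh now creates them itself, say so in the installation text. Spelling in the new prose: othewise, pesent, udergoing, investegators, avaialable, ceritificate (twice), direcotry, verision, instace, availalbe; "S/Mime" should be "S/MIME".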
postlfs/security/nss.xml
r1c929a6d r4a16903 104 104 <bridgehead renderas="sect4">Recommended</bridgehead> 105 105 <para role="recommended"> 106 <xref linkend="sqlite"/> 106 <xref linkend="sqlite"/> and <xref linkend="p11-kit"/> (runtime) 107 107 </para> 108 108 … … 204 204 the system version of sqlite. 205 205 </para> 206 207 </sect2> 208 209 <sect2 role="configuration"> 210 <title>Configuring NSS</title> 211 212 <para>If <xref linkend="p11-kit"/> is installed, 213 <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in 214 replacement for <filename>/usr/lib/libnssckbi.so</filename> to 215 transparently make the system CAs available to 216 <application>NSS</application> aware applications, rather than the static 217 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the 218 <systemitem class="username">root</systemitem> user, execute the following 219 commands:</para> 220 221 <screen role="root"><userinput>readlink /usr/lib/libnssckbi.so || \ 222 mv -v /usr/lib/libnssckbi.so /usr/lib/libnssckbi.so.orig && 223 ln -sfv libp11-kit.so /usr/lib/libnssckbi.so</userinput></screen> 224 225 <para>Additionally, for dependent applicaions that do not use the internal 226 database (<filename>/usr/lib/libnssckbi.so</filename>), the 227 <filename>make-ca.sh</filename> script, incldued on the 228 <xref linkend="cacerts"/> page, will gernerate a system wide NSS DB.</para> 206 229 207 230 </sect2> -
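Review bot: the new "Configuring NSS" section is the same paragraph and the same `readlink ... || mv ... && ln -sfv` command that this changeset also adds to p11-kit.xml as "Configuring p11-kit"; suggest keeping it in one file and cross-referencing from the other so the two copies cannot drift. Typos in the closing paragraph: applicaions, incldued, gernerate.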
postlfs/security/p11-kit.xml
r1c929a6d r4a16903 100 100 </para> 101 101 102 <screen><userinput>./configure --prefix=/usr --sysconfdir=/etc && 102 <screen><userinput>./configure --prefix=/usr \ 103 --sysconfdir=/etc \ 104 --with-trust-paths=/etc/pki/anchors && 103 105 make</userinput></screen> 104 106 … … 117 119 <sect2 role="commands"> 118 120 <title>Command Explanations</title> 121 122 <para> 123 <parameter>--with-trust-paths=/etc/pki/anchors</parameter>: this switch 124 sets the location of trusted certificates used by libp11-kit.so. 125 </para> 119 126 120 127 <para> … … 129 136 rebuild the documentation and generate manual pages. 130 137 </para> 138 139 </sect2> 140 141 <sect2 role="configuration"> 142 <title>Configuring p11-kit</title> 143 144 <para>If <xref linkend="nss"/> is installed, 145 <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in 146 replacement for <filename>/usr/lib/libnssckbi.so</filename> to 147 transparently make the system CAs available to 148 <application>NSS</application> aware applications, rather than the static 149 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the 150 <systemitem class="username">root</systemitem> user, execute the following 151 commands:</para> 152 153 <screen role="root"><userinput>readlink /usr/lib/libnssckbi.so || \ 154 mv -v /usr/lib/libnssckbi.so /usr/lib/libnssckbi.so.orig && 155 ln -sfv libp11-kit.so /usr/lib/libnssckbi.so</userinput></screen> 131 156 132 157 </sect2>
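Review bot: the libnssckbi.so replacement is a file in /usr/lib that a later NSS reinstall will overwrite, silently reverting NSS applications to the static CA list with no error; suggest a sentence that the `mv`/`ln -sfv` step has to be repeated after NSS is upgraded. The `--with-trust-paths=/etc/pki/anchors` explanation could also mention that this is the directory listed under make-ca.sh on the cacerts page, which is what ties the switch to the rest of the PKI setup.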