Changeset 4a16903

Timestamp:

11/18/2016 07:13:46 AM (7 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

539dd69d

Parents:

1c929a6d

Message:

Introduce complete PKI seutp for CA Certificates page. Fixes #8507.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17975 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general/prog/openjdk.xml (modified) (4 diffs)
• introduction/welcome/changelog.xml (modified) (1 diff)
• networking/netprogs/wget.xml (modified) (1 diff)
• packages.ent (modified) (1 diff)
• postlfs/security/cacerts.xml (modified) (6 diffs)
• postlfs/security/nss.xml (modified) (2 diffs)
• postlfs/security/p11-kit.xml (modified) (3 diffs)

general/prog/openjdk.xml

@@ -555 +555 @@
         <filename>/etc/ssl/java/cacerts</filename>. That file should be
         generated using the system PKI trust store. The instructions
-        on the <xref linkend="cacerts"/> page will be used to do the update
-        by calling the following script. Install the
-        <command>mkcacerts</command> script and setup a symlink in the java
-        as the <systemitem class="username">root</systemitem> user:
+        on the <xref linkend="cacerts"/> page should be used to update the file
+        located in <filename>/etc/ssl/java</filename>. Setup a symlink in the
+        defualt location as the <systemitem class="username">root</systemitem>
+        user:
       </para>
 
-<screen role="root"><userinput>cat &gt; /opt/jdk/bin/mkcacerts &lt;&lt; "EOF" &amp;&amp;
-<literal>#!/bin/sh
-# Simple script to extract x509 certificates and create a JRE cacerts file.
-
-function get_args()
-    {
-        if test -z "${1}" ; then
-            showhelp
-            exit 1
-        fi
-
-        while test -n "${1}" ; do
-            case "${1}" in
-                -f | --cafile)
-                    check_arg $1 $2
-                    CAFILE="${2}"
-                    shift 2
-                    ;;
-                -d | --cadir)
-                    check_arg $1 $2
-                    CADIR="${2}"
-                    shift 2
-                    ;;
-                -o | --outfile)
-                    check_arg $1 $2
-                    OUTFILE="${2}"
-                    shift 2
-                    ;;
-                -k | --keytool)
-                    check_arg $1 $2
-                    KEYTOOL="${2}"
-                    shift 2
-                    ;;
-                -s | --openssl)
-                    check_arg $1 $2
-                    OPENSSL="${2}"
-                    shift 2
-                    ;;
-                -h | --help)
-                    showhelp
-                    exit 0
-                    ;;
-                *)
-                    showhelp
-                    exit 1
-                    ;;
-            esac
-        done
-    }
-
-function check_arg()
-    {
-        echo "${2}" | grep -v "^-" > /dev/null
-        if [ -z "$?" -o ! -n "$2" ]; then
-            echo "Error:  $1 requires a valid argument."
-            exit 1
-        fi
-    }
-
-# The date binary is not reliable on 32bit systems for dates after 2038
-function mydate()
-    {
-        local y=$( echo $1 | cut -d" " -f4 )
-        local M=$( echo $1 | cut -d" " -f1 )
-        local d=$( echo $1 | cut -d" " -f2 )
-        local m
-
-        if [ ${d} -lt 10 ]; then d="0${d}"; fi
-
-        case $M in
-            Jan) m="01";;
-            Feb) m="02";;
-            Mar) m="03";;
-            Apr) m="04";;
-            May) m="05";;
-            Jun) m="06";;
-            Jul) m="07";;
-            Aug) m="08";;
-            Sep) m="09";;
-            Oct) m="10";;
-            Nov) m="11";;
-            Dec) m="12";;
-        esac
-
-        certdate="${y}${m}${d}"
-    }
-
-function showhelp()
-    {
-        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
-        echo ""
-        echo "        -f  --cafile     The path to a file containing PEM"
-        echo "                         formated CA certificates. May not be"
-        echo "                         used with -d/--cadir."
-        echo ""
-        echo "        -d  --cadir      The path to a directory of PEM formatted"
-        echo "                         CA certificates. May not be used with"
-        echo "                         -f/--cafile."
-        echo ""
-        echo "        -o  --outfile    The path to the output file."
-        echo ""
-        echo "        -k  --keytool    The path to the java keytool utility."
-        echo ""
-        echo "        -s  --openssl    The path to the openssl utility."
-        echo ""
-        echo "        -h  --help       Show this help message and exit."
-        echo ""
-        echo ""
-    }
-
-# Initialize empty variables so that the shell does not pollute the script
-CAFILE=""
-CADIR=""
-OUTFILE=""
-OPENSSL=""
-KEYTOOL=""
-certdate=""
-date=""
-today=$( date +%Y%m%d )
-
-# Process command line arguments
-get_args ${@}
-
-# Handle common errors
-if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
-    echo "ERROR!  You must provide an x509 certificate store!"
-    echo "\'$(basename ${0}) --help\' for more info."
-    echo ""
-    exit 1
-fi
-
-if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
-    echo "ERROR!  You cannot provide two x509 certificate stores!"
-    echo "\'$(basename ${0}) --help\' for more info."
-    echo ""
-    exit 1
-fi
-
-if test "${KEYTOOL}x" == "x" ; then
-    echo "ERROR!  You must provide a valid keytool program!"
-    echo "\'$(basename ${0}) --help\' for more info."
-    echo ""
-    exit 1
-fi
-
-if test "${OPENSSL}x" == "x" ; then
-    echo "ERROR!  You must provide a valid path to openssl!"
-    echo "\'$(basename ${0}) --help\' for more info."
-    echo ""
-    exit 1
-fi
-
-if test "${OUTFILE}x" == "x" ; then
-    echo "ERROR!  You must provide a valid output file!"
-    echo "\'$(basename ${0}) --help\' for more info."
-    echo ""
-    exit 1
-fi
-
-# Get on with the work
-
-# If using a CAFILE, split it into individual files in a temp directory
-if test "${CAFILE}x" != "x" ; then
-    TEMPDIR=`mktemp -d`
-    CADIR="${TEMPDIR}"
-
-    # Get a list of staring lines for each cert
-    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
-
-    # Get a list of ending lines for each cert
-    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
-
-    # Start a loop
-    for certbegin in `echo "${CERTLIST}"` ; do
-        for certend in `echo "${ENDCERTLIST}"` ; do
-            if test "${certend}" -gt "${certbegin}"; then
-                break
-            fi
-        done
-        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem"
-        keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
-        echo "Generated PEM file with hash:  ${keyhash}."
-    done
-fi
-
-# Write the output file
-for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
-do
-
-    # Make sure the certificate date is valid...
-    date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' )
-    mydate "${date}"
-    if test "${certdate}" -lt "${today}" ; then
-        echo "${cert} expired on ${certdate}! Skipping..."
-        unset date certdate
-        continue
-    fi
-    unset date certdate
-    ls "${cert}"
-    tempfile=`mktemp`
-    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
-    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
-    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
-    echo yes | env LC_ALL=C "${KEYTOOL}" -import                     \
-                                         -alias `basename "${cert}"` \
-                                         -keystore "${OUTFILE}"      \
-                                         -storepass 'changeit'       \
-                                         -file "${tempfile}"
-    rm "${tempfile}"
-done
-
-if test "${TEMPDIR}x" != "x" ; then
-    rm -rf "${TEMPDIR}"
-fi
-exit 0</literal>
-EOF
-
-chmod -c 0755 /opt/jdk/bin/mkcacerts &amp;&amp;
-ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen>
-
-  <note>
-    <para>
-      Doing a very large copy/paste directly to a terminal may result in a
-      corrupted file.  Copying to an editor may overcome this issue.
-    </para>
-  </note>
-
-    <para>
-      Generate the <application>OpenJDK</application> <filename>cacerts</filename>
-      file as the <systemitem class="username">root</systemitem> user:
-    </para>
-
-<screen role="root"><userinput>if [ -f /etc/ssl/java/cacerts ]; then
-  mv /etc/ssl/java/cacerts \
-     /etc/ssl/java/cacerts.bak
-fi &amp;&amp;
-/opt/jdk/bin/mkcacerts                 \
-        -d "/etc/ssl/certs/"           \
-        -k "/opt/jdk/bin/keytool"      \
-        -s "/usr/bin/openssl"          \
-        -o "/etc/ssl/java/cacerts"</userinput></screen>
+<screen role="root"><userinput>ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen>
 
     <para>Use the following commands to check if the
@@ -809 +569 @@
 bin/keytool -list -keystore /etc/ssl/java/cacerts</userinput></screen>
 
-    <para>At the prompt "Enter keystore password:", press the "Enter" key if
-    there is no keystore password defined. If the <filename>cacerts</filename>
-    file was installed correctly, you will see a list of the certificates with
-    related information for each one. If not, you need to reinstall
-    them.</para>
+    <para>At the prompt "Enter keystore password:", enter "changeit" (the
+    default). If the <filename>cacerts</filename> file was installed
+    correctly, you will see a list of the certificates with related
+    information for each one. If not, you need to reinstall them.</para>
 
     </sect3>
@@ -831 +590 @@
         jarsigner, java, javac, javadoc, javah, javap, java-rmi.cgi,
         jcmd, jconsole, jdb, jdeps, jhat, jinfo, jjs, jmap, jps,
-        jrunscript, jsadebugd, jstack, jstat, jstatd, keytool, mkcacerts,
+        jrunscript, jsadebugd, jstack, jstat, jstatd, keytool,
         native2ascii, orbd, pack200, policytool, rmic, rmid, rmiregistry,
         schemagen, serialver, servertool, tnameserv, unpack200,
@@ -1128 +887 @@
       </varlistentry>
 
-      <varlistentry id="mkcacerts">
-        <term><command>mkcacerts</command></term>
-        <listitem>
-          <para> is a simple script to extract x509 certificates and create
-          a JRE cacerts file using <command>keytool</command>.</para>
-          <indexterm zone="openjdk mkcacerts">
-            <primary sortas="b-mkcacerts">mkcacerts</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
       <varlistentry id="native2ascii">
         <term><command>native2ascii</command></term>

introduction/welcome/changelog.xml

@@ -50 +50 @@
           <ulink url="&blfs-ticket-root;8515">#8515</ulink>.</para>
         </listitem>
+        <listitem>
+          <para>[dj] - Introduce complete PKI seutp for CA Certificates page.
+          Fixes <ulink url="&blfs-ticket-root;8507">#8507</ulink>.</para>
+        </listitem>
       </itemizedlist>
     </listitem>

networking/netprogs/wget.xml

@@ -167 +167 @@
       </para>
 
-<screen role="root"><userinput>echo ca-directory=/etc/ssl/certs >> /etc/wgetrc</userinput></screen>
+<screen role="root"><userinput>echo certificate=/etc/ssl/ca-bundle.crt >> /etc/wgetrc</userinput></screen>
 
     </sect3>

packages.ent

@@ -296 +296 @@
 <!ENTITY mercurial-version            "3.9.2">
 <!ENTITY nasm-version                 "2.12.02">
-<!ENTITY ninja-version                "1.7.2">
+<!ENTITY ninja-version                "1.7.1">
 <!ENTITY npapi-sdk-version            "0.27.2">
 <!ENTITY php-version                  "7.0.12">

postlfs/security/cacerts.xml

@@ -5 +5 @@
   %general-entities;
 
+  <!ENTITY certhost              "https://hg.mozilla.org/">
+  <!ENTITY certpath              "/lib/ckfw/builtins/certdata.txt">
+  <!ENTITY ca-bundle-download    "&sources-anduin-http;/other/certdata.txt">
+  <!ENTITY ca-bundle-size        "1.6 MB">
+  <!ENTITY cacerts-buildsize     "4.7 MB (with all runtime deps)">
+  <!ENTITY cacerts-time          "0.2 SBU (with all runtime deps)">
+
   <!ENTITY make-ca-download      "&sources-anduin-http;/other/make-ca.sh">
-  <!ENTITY make-ca-size          "4.1 KB">
-  <!ENTITY make-ca-md5sum        "487ca7ce6f7b81b3e46362138f93310c">
-  <!ENTITY cacerts-buildsize     "1.4 MB">
-  <!ENTITY cacerts-time          "0.1 SBU">
+  <!ENTITY make-ca-size          "11 KB">
+  <!ENTITY make-ca-md5sum        "fbc5687ce7fd5533edbb4e616a1080de">
 ]>
 
@@ -22 +27 @@
   <title>Certificate Authority Certificates</title>
 
-  <para>The Public Key Infrastructure is used for many security features in a
-  Linux system.  In order for a certificate to be trusted, it must be signed by
-  a trusted agent called a Certificate Authority (CA). The certificates
-  installed in this section are obtained from the Mozilla version control
-  system, and reformatted for use by <xref linkend='openssl'/> and
-  <xref linkend='gnutls'/>. The certificates can also be used by other
-  applications, either directly or indirectly by linking to one of these
-  packages.</para>
+  <para>Public Key Infrastructure (PKI) is a method to validate the
+  authenticity of an othewise unknown entity across untrusted networks. PKI
+  works by establishing a chain of trust, rather than trusting each individual
+  host or entity explicitly. In order for a certificate presented by a remote
+  entity to be trusted, that certificate must pesent a complete chain of
+  certificates that can be validated using the root certificate of a
+  Certificate Authority (CA) that is trusted by the local machine.</para>
+  
+  <para>Establishing trust with a CA involves validating things like company
+  address, ownership, contact information, etc., and ensuring that the CA has
+  followed best practices, such as udergoing periodic security audits by
+  independent investegators and maintaining an always avaialable certificate
+  revocation list. This is well outside the scope of BLFS (as it is for most
+  Linux distributions). The certificate store provided here is taken from the
+  Mozilla Foundation, who have established very strict inclusion policies
+  described
+  <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para>
 
   &lfs7a_checked;
@@ -59 +73 @@
     </itemizedlist>
 
+
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          CA Certificates
+          <ulink url="&ca-bundle-download;"/>
+        </para>
+      </listitem>
+    </itemizedlist>
+
     <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Required</bridgehead>
-    <para role="required"><xref linkend="openssl"/> and
-    <xref linkend="curl"/></para>
+    <para role="required"><xref linkend="openssl"/></para>
+
+   <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
+    <para role="optional">
+    <xref linkend="java"/> or <xref linkend="openjdk"/>, and
+    <xref linkend="nss"/></para>
 
     <para condition="html" role="usernotes">User Notes:
@@ -72 +101 @@
     <title>Installation of Certificate Authority Certificates</title>
 
-   <para>The <application>make-ca.sh</application> script will download a set
-   of certificates from one of five projects (aurora, beta, central, nss, or
-   release) in the Mozialla version control system. It defaults to the release
-   branch, which is identical to the version that ships with the Mozilla
-   products in this book. If you'd like to change the branch that is retrieved,
-   edit the file and set <envar>CERTSOURCE</envar> to one of the five values
-   above.</para>
-
-   <para>Additionally, any local certificates stored in
-   <filename>/etc/ssl/local</filename> will be copied into both the single-file
-   <filename>/etc/ssl/ca-bundle.crt</filename> (used by programs that link to
-   <application>gnutls</application>), and into the certificate store directory
-   <filename>/etc/ssl/certs</filename> (used by programs that link to
-   <application>OpenSSL</application>). All certificates will pass a date and
-   trust validation, and any existing certificates in
-   <filename>/etc/ssl/ca-bundle.crt</filename> or
-   <filename>/etc/ssl/certs</filename> will be removed upon successful
-   completion of this script.</para>
-
-   <para>Finally, if you've installed <xref linkend="java"/> or <xref
-   linkend="openjdk"/>, then it will also update the java cacerts file at
-   <filename>/etc/ssl/java/cacerts</filename>.</para>
-
-    <para>First install the above script into the correct location. As the
-    <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="root"><userinput>install -vm750 make-ca.sh /usr/sbin</userinput></screen>
-
-   <para>As the <systemitem class="username">root</systemitem> user, create the
-   needed directories, and update the certificate store:</para>
-
-<screen role="root"><userinput>install -vdm755 /etc/ssl/{certs,java,local} &amp;&amp;
-/usr/sbin/make-ca.sh
-</userinput></screen>
-
-    <para>You should periodically run the <application>make-ca.sh</application>
-    script (as the <systemitem class="username">root</systemitem> user), or as
-    part of a monthly <application>cron</application> job to ensure that you
-    have the latest available version of the certificates.</para>
+    <para>The <application>make-ca.sh</application> script will adapt the
+    certificates included in the <filename>certdata.txt</filename> file
+    for use in multiple certificate stores (if the associated applications are
+    present on the system). Additionally, any local certificates stored in
+    <filename>/etc/ssl/local</filename> will be imported to the ceritificate
+    stores. Certificates in this directory should be stored as PEM encoded
+    <application>OpenSSL</application> trusted certificates.</para>
+
+    <para>To create an <application>OpenSSL</application> trusted certificate
+    from a regular PEM encoded file, provided by a CA not included in Mozilla's
+    certificate distribution, you need to add trust arguments to the
+    <command>openssl</command> command, and create a new certificate. There are
+    three trust types that are recognised by the
+    <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
+    signing. For example, to allow a certificate to be trusted for both
+    SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use
+    the following commands to create a new trusted ceritificate that has those
+    trust attributes:</para>
+
+<screen><literal>openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1"     \
+        -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \
+        > MyRootCA-trusted.pem</literal></screen>
+
+    <para>If a trust argument is omitted, the certificate is neither trusted,
+    nor rejected. Clients that use <application>OpenSSL</application> or
+    <application>NSS</application> encountering this certificate will present
+    a warning to the user. Clients using <application>GnuTLS</application>
+    without <application>p11-kit</application> support are not aware of trusted
+    certificates. To include this CA into the ca-bundle.crt (used for
+    <application>GnuTLS</application>), it must, at very least, have the
+    serverAuth trust.</para> 
+
+    <para>To install the various certificate stores, first install the
+    <application>make-ca.sh</application> script into the correct location.
+    As the <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>install -vm755 make-ca.sh /usr/sbin</userinput></screen>
+
+   <para>As the <systemitem class="username">root</systemitem> user, make sure
+   that certdata.txt is in the current direcotry, and update the certificate
+   stores with the following command:</para>
+
+<screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
+
+    <para>You should periodically download a copy of
+    <filename>certdata.txt</filename> and run the
+    <application>make-ca.sh</application> script (as the
+    <systemitem class="username">root</systemitem> user), or as part of a
+    monthly <application>cron</application> job to ensure that you have the
+    latest available version of the certificates.</para>
+
+    <para>The <filename>certdata.txt</filename> file provided by BLFS is
+    obtained from the mozilla-release branch, and is modified to provide a
+    simple dated revision. This will be the correct verision for most
+    systems. There are, however, several other variants of the file available
+    for use that might be preferred for one reason or another, including all
+    Mozilla products in this book. RedHat and OpenSUSE, for instace, use the
+    version included in <xref linkend="nss"/>. Additional download locations
+    are available at:</para>
+
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>Mozilla Release (the version provided by BLFS):
+        <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>NSS (this is the latest availalbe version):
+        <ulink url="&certhost;projects/nss/raw-file/tip/lib&certpath;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>Mozilla Central:
+        <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>Mozilla Beta:
+        <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>Mozilla Aurora:
+        <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/>
+        </para>
+      </listitem>
+    </itemizedlist>
 
   </sect2>
@@ -125 +202 @@
         <seg>make-ca.sh</seg>
         <seg>None</seg>
-        <seg>/etc/ssl/{certs,java,local}</seg>
+        <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
       </seglistitem>
     </segmentedlist>
@@ -137 +214 @@
         <term><command>make-ca.sh</command></term>
         <listitem>
-          <para>is a shell script that downloads a current version of
+          <para>is a shell script that adapts a current version of
           <filename>certdata.txt</filename>, and prepares it for use
           as the system certificate store.</para>

postlfs/security/nss.xml

@@ -104 +104 @@
     <bridgehead renderas="sect4">Recommended</bridgehead>
     <para role="recommended">
-      <xref linkend="sqlite"/>
+      <xref linkend="sqlite"/> and <xref linkend="p11-kit"/> (runtime)
     </para>
 
@@ -204 +204 @@
       the system version of sqlite.
     </para>
+
+  </sect2>
+
+  <sect2 role="configuration">
+    <title>Configuring NSS</title>
+
+    <para>If <xref linkend="p11-kit"/> is installed,
+    <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in
+    replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+    transparently make the system CAs available to
+    <application>NSS</application> aware applications, rather than the static
+    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
+    <systemitem class="username">root</systemitem> user, execute the following
+    commands:</para>
+
+<screen role="root"><userinput>readlink /usr/lib/libnssckbi.so || \
+mv -v /usr/lib/libnssckbi.so /usr/lib/libnssckbi.so.orig &amp;&amp;
+ln -sfv libp11-kit.so /usr/lib/libnssckbi.so</userinput></screen>
+
+    <para>Additionally, for dependent applicaions that do not use the internal
+    database (<filename>/usr/lib/libnssckbi.so</filename>), the
+    <filename>make-ca.sh</filename> script, incldued on the
+    <xref linkend="cacerts"/> page, will gernerate a system wide NSS DB.</para>
 
   </sect2>

postlfs/security/p11-kit.xml

@@ -100 +100 @@
     </para>
 
-<screen><userinput>./configure --prefix=/usr --sysconfdir=/etc &amp;&amp;
+<screen><userinput>./configure --prefix=/usr     \
+            --sysconfdir=/etc \
+            --with-trust-paths=/etc/pki/anchors &amp;&amp;
 make</userinput></screen>
 
@@ -117 +119 @@
   <sect2 role="commands">
     <title>Command Explanations</title>
+
+    <para>
+      <parameter>--with-trust-paths=/etc/pki/anchors</parameter>: this switch
+      sets the location of trusted certificates used by libp11-kit.so.
+    </para>
 
     <para>
@@ -129 +136 @@
       rebuild the documentation and generate manual pages.
     </para>
+
+  </sect2>
+
+  <sect2 role="configuration">
+    <title>Configuring p11-kit</title>
+
+    <para>If <xref linkend="nss"/> is installed,
+    <filename>/usr/lib/libp11-kit.so</filename> can be used as a drop-in
+    replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+    transparently make the system CAs available to
+    <application>NSS</application> aware applications, rather than the static
+    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
+    <systemitem class="username">root</systemitem> user, execute the following
+    commands:</para>
+
+<screen role="root"><userinput>readlink /usr/lib/libnssckbi.so || \
+mv -v /usr/lib/libnssckbi.so /usr/lib/libnssckbi.so.orig &amp;&amp;
+ln -sfv libp11-kit.so /usr/lib/libnssckbi.so</userinput></screen>
 
   </sect2>