Changeset 4a16903 for postlfs/security/cacerts.xml
- Timestamp:
- 11/18/2016 07:13:46 AM (7 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 539dd69d
- Parents:
- 1c929a6d
- File:
- 1 edited
postlfs/security/cacerts.xml
r1c929a6d r4a16903 5 5 %general-entities; 6 6 7 <!ENTITY certhost "https://hg.mozilla.org/"> 8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt"> 9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt"> 10 <!ENTITY ca-bundle-size "1.6 MB"> 11 <!ENTITY cacerts-buildsize "4.7 MB (with all runtime deps)"> 12 <!ENTITY cacerts-time "0.2 SBU (with all runtime deps)"> 13 7 14 <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh"> 8 <!ENTITY make-ca-size "4.1 KB"> 9 <!ENTITY make-ca-md5sum "487ca7ce6f7b81b3e46362138f93310c"> 10 <!ENTITY cacerts-buildsize "1.4 MB"> 11 <!ENTITY cacerts-time "0.1 SBU"> 15 <!ENTITY make-ca-size "11 KB"> 16 <!ENTITY make-ca-md5sum "fbc5687ce7fd5533edbb4e616a1080de"> 12 17 ]> 13 18 … … 22 27 <title>Certificate Authority Certificates</title> 23 28 24 <para>The Public Key Infrastructure is used for many security features in a 25 Linux system. In order for a certificate to be trusted, it must be signed by 26 a trusted agent called a Certificate Authority (CA). The certificates 27 installed in this section are obtained from the Mozilla version control 28 system, and reformatted for use by <xref linkend='openssl'/> and 29 <xref linkend='gnutls'/>. The certificates can also be used by other 30 applications, either directly or indirectly by linking to one of these 31 packages.</para> 29 <para>Public Key Infrastructure (PKI) is a method to validate the 30 authenticity of an othewise unknown entity across untrusted networks. PKI 31 works by establishing a chain of trust, rather than trusting each individual 32 host or entity explicitly. 
In order for a certificate presented by a remote 33 entity to be trusted, that certificate must pesent a complete chain of 34 certificates that can be validated using the root certificate of a 35 Certificate Authority (CA) that is trusted by the local machine.</para> 36 37 <para>Establishing trust with a CA involves validating things like company 38 address, ownership, contact information, etc., and ensuring that the CA has 39 followed best practices, such as udergoing periodic security audits by 40 independent investegators and maintaining an always avaialable certificate 41 revocation list. This is well outside the scope of BLFS (as it is for most 42 Linux distributions). The certificate store provided here is taken from the 43 Mozilla Foundation, who have established very strict inclusion policies 44 described 45 <ulink url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">here</ulink>.</para> 32 46 33 47 &lfs7a_checked; … … 59 73 </itemizedlist> 60 74 75 76 <bridgehead renderas="sect3">Additional Downloads</bridgehead> 77 <itemizedlist spacing="compact"> 78 <listitem> 79 <para> 80 CA Certificates 81 <ulink url="&ca-bundle-download;"/> 82 </para> 83 </listitem> 84 </itemizedlist> 85 61 86 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead> 62 87 63 88 <bridgehead renderas="sect4">Required</bridgehead> 64 <para role="required"><xref linkend="openssl"/> and 65 <xref linkend="curl"/></para> 89 <para role="required"><xref linkend="openssl"/></para> 90 91 <bridgehead renderas="sect4">Optional (runtime)</bridgehead> 92 <para role="optional"> 93 <xref linkend="java"/> or <xref linkend="openjdk"/>, and 94 <xref linkend="nss"/></para> 66 95 67 96 <para condition="html" role="usernotes">User Notes: … … 72 101 <title>Installation of Certificate Authority Certificates</title> 73 102 74 <para>The <application>make-ca.sh</application> script will download a set 75 of certificates from one of five projects 
(aurora, beta, central, nss, or 76 release) in the Mozialla version control system. It defaults to the release 77 branch, which is identical to the version that ships with the Mozilla 78 products in this book. If you'd like to change the branch that is retrieved, 79 edit the file and set <envar>CERTSOURCE</envar> to one of the five values 80 above.</para> 81 82 <para>Additionally, any local certificates stored in 83 <filename>/etc/ssl/local</filename> will be copied into both the single-file 84 <filename>/etc/ssl/ca-bundle.crt</filename> (used by programs that link to 85 <application>gnutls</application>), and into the certificate store directory 86 <filename>/etc/ssl/certs</filename> (used by programs that link to 87 <application>OpenSSL</application>). All certificates will pass a date and 88 trust validation, and any existing certificates in 89 <filename>/etc/ssl/ca-bundle.crt</filename> or 90 <filename>/etc/ssl/certs</filename> will be removed upon successful 91 completion of this script.</para> 92 93 <para>Finally, if you've installed <xref linkend="java"/> or <xref 94 linkend="openjdk"/>, then it will also update the java cacerts file at 95 <filename>/etc/ssl/java/cacerts</filename>.</para> 96 97 <para>First install the above script into the correct location. 
As the 98 <systemitem class="username">root</systemitem> user:</para> 99 100 <screen role="root"><userinput>install -vm750 make-ca.sh /usr/sbin</userinput></screen> 101 102 <para>As the <systemitem class="username">root</systemitem> user, create the 103 needed directories, and update the certificate store:</para> 104 105 <screen role="root"><userinput>install -vdm755 /etc/ssl/{certs,java,local} && 106 /usr/sbin/make-ca.sh 107 </userinput></screen> 108 109 <para>You should periodically run the <application>make-ca.sh</application> 110 script (as the <systemitem class="username">root</systemitem> user), or as 111 part of a monthly <application>cron</application> job to ensure that you 112 have the latest available version of the certificates.</para> 103 <para>The <application>make-ca.sh</application> script will adapt the 104 certificates included in the <filename>certdata.txt</filename> file 105 for use in multiple certificate stores (if the associated applications are 106 present on the system). Additionally, any local certificates stored in 107 <filename>/etc/ssl/local</filename> will be imported to the ceritificate 108 stores. Certificates in this directory should be stored as PEM encoded 109 <application>OpenSSL</application> trusted certificates.</para> 110 111 <para>To create an <application>OpenSSL</application> trusted certificate 112 from a regular PEM encoded file, provided by a CA not included in Mozilla's 113 certificate distribution, you need to add trust arguments to the 114 <command>openssl</command> command, and create a new certificate. There are 115 three trust types that are recognised by the 116 <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code 117 signing. 
For example, to allow a certificate to be trusted for both 118 SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use 119 the following commands to create a new trusted ceritificate that has those 120 trust attributes:</para> 121 122 <screen><literal>openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1" \ 123 -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \ 124 > MyRootCA-trusted.pem</literal></screen> 125 126 <para>If a trust argument is omitted, the certificate is neither trusted, 127 nor rejected. Clients that use <application>OpenSSL</application> or 128 <application>NSS</application> encountering this certificate will present 129 a warning to the user. Clients using <application>GnuTLS</application> 130 without <application>p11-kit</application> support are not aware of trusted 131 certificates. To include this CA into the ca-bundle.crt (used for 132 <application>GnuTLS</application>), it must, at very least, have the 133 serverAuth trust.</para> 134 135 <para>To install the various certificate stores, first install the 136 <application>make-ca.sh</application> script into the correct location. 
137 As the <systemitem class="username">root</systemitem> user:</para> 138 139 <screen role="root"><userinput>install -vm755 make-ca.sh /usr/sbin</userinput></screen> 140 141 <para>As the <systemitem class="username">root</systemitem> user, make sure 142 that certdata.txt is in the current direcotry, and update the certificate 143 stores with the following command:</para> 144 145 <screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen> 146 147 <para>You should periodically download a copy of 148 <filename>certdata.txt</filename> and run the 149 <application>make-ca.sh</application> script (as the 150 <systemitem class="username">root</systemitem> user), or as part of a 151 monthly <application>cron</application> job to ensure that you have the 152 latest available version of the certificates.</para> 153 154 <para>The <filename>certdata.txt</filename> file provided by BLFS is 155 obtained from the mozilla-release branch, and is modified to provide a 156 simple dated revision. This will be the correct verision for most 157 systems. There are, however, several other variants of the file available 158 for use that might be preferred for one reason or another, including all 159 Mozilla products in this book. RedHat and OpenSUSE, for instace, use the 160 version included in <xref linkend="nss"/>. 
Additional download locations 161 are available at:</para> 162 163 <itemizedlist spacing="compact"> 164 <listitem> 165 <para>Mozilla Release (the version provided by BLFS): 166 <ulink url="&certhost;releases/mozilla-release/raw-file/default/security/nss&certpath;"/> 167 </para> 168 </listitem> 169 <listitem> 170 <para>NSS (this is the latest availalbe version): 171 <ulink url="&certhost;projects/nss/raw-file/tip/lib&certpath;"/> 172 </para> 173 </listitem> 174 <listitem> 175 <para>Mozilla Central: 176 <ulink url="&certhost;mozilla-central/raw-file/default/security/nss&certpath;"/> 177 </para> 178 </listitem> 179 <listitem> 180 <para>Mozilla Beta: 181 <ulink url="&certhost;releases/mozilla-beta/raw-file/default/security/nss&certpath;"/> 182 </para> 183 </listitem> 184 <listitem> 185 <para>Mozilla Aurora: 186 <ulink url="&certhost;releases/mozilla-aurora/raw-file/default/security/nss&certpath;"/> 187 </para> 188 </listitem> 189 </itemizedlist> 113 190 114 191 </sect2> … … 125 202 <seg>make-ca.sh</seg> 126 203 <seg>None</seg> 127 <seg>/etc/ssl/{certs,java,local} </seg>204 <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg> 128 205 </seglistitem> 129 206 </segmentedlist> … … 137 214 <term><command>make-ca.sh</command></term> 138 215 <listitem> 139 <para>is a shell script that downloads a current version of216 <para>is a shell script that adapts a current version of 140 217 <filename>certdata.txt</filename>, and prepares it for use 141 218 as the system certificate store.</para>