Changeset 638a6a4 for postlfs

Timestamp:

02/24/2019 05:03:15 AM (5 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.4, 9.0, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

28b75d3

Parents:

91b2565

Message:

Moved example configuration for make-ca to the configuration section.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21237 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

• postlfs/security/make-ca.xml (modified) (4 diffs)

postlfs/security/make-ca.xml

@@ -103 +103 @@
     on the system). Any local certificates stored in
     <filename>/etc/ssl/local</filename> will be imported to both the trust
-    anchors and the generated certificate stores (overriding Mozilla's trust).
-    Certificates in this directory should be stored as PEM encoded
-    <application>OpenSSL</application> trusted certificates.</para>
-
-    <para>To create an <application>OpenSSL</application> trusted certificate
-    from a regular PEM encoded file, you need to add trust arguments to the
-    <command>openssl</command> command, and create a new certificate. There are
-    three trust types that are recognized by the
-    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
-    signing. For example, using the
-    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
-    trust both for all three roles, the following commands will create
-    appropriate OpenSSL trusted certificates (run as the <systemitem
-    class="username">root</systemitem> user after
-    <xref linkend="wget"/> is installed):</para>
-
-<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
-wget http://www.cacert.org/certs/root.crt &amp;&amp;
-wget http://www.cacert.org/certs/class3.crt &amp;&amp;
-openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
-        > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
-openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
-        > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
-
-    <para>If one of the three trust arguments is omitted, the certificate is
-    neither trusted, nor rejected for that role. Clients that use
-    <application>OpenSSL</application> or <application>NSS</application>
-    encountering this certificate will present a warning to the user. Clients
-    using <application>GnuTLS</application> without
-    <application>p11-kit</application> support are not aware of trusted
-    certificates. To include this CA into the ca-bundle.crt (used for
-    <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
-    trust. Additionally, to explicitly disallow a certificate for a particular
-    use, replace the <parameter>-addtrust</parameter> flag with the
-    <parameter>-addreject</parameter> flag.</para> 
+    anchors and the generated certificate stores (overriding Mozilla's
+    trust).</para>
 
     <para>To install the various certificate stores, first install the
@@ -165 +130 @@
     <filename>/etc/ssl/ca-bundle.crt</filename> for the
     <xref linkend="gnutls"/> certificate store. If software is still installed
-    that references this file, create a compatibilty symlink for the old
+    that references this file, create a compatibility symlink for the old
     location as the <systemitem class="username">root</systemitem> user:</para>
 
@@ -198 +163 @@
     <title>Configuring make-ca</title>
 
-    <para>Genearally, no configuration is necessary on an LFS system, however,
+    <para>For most users, no additional configuration is necessary, however,
     the default <filename>certdata.txt</filename> file provided by make-ca
     is obtained from the mozilla-release branch, and is modified to provide a
@@ -213 +178 @@
       <primary sortas="e-etc-make-ca-conf">/etc/make-ca.conf</primary>
     </indexterm>
+
+    <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
+
+    <para>There are three trust types that are recognized by the
+    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
+    signing. For <application>OpenSSL</application>, these are
+    <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>,
+    and <parameter>codeSigning</parameter> respectively. If one of the three
+    trust arguments is omitted, the certificate is neither trusted, nor
+    rejected for that role. Clients that use <application>OpenSSL</application>
+    or <application>NSS</application> encountering this certificate will
+    present a warning to the user. Clients using
+    <application>GnuTLS</application> without
+    <application>p11-kit</application> support are not aware of trusted
+    certificates. To include this CA into the
+    <filename>ca-bundle.crt</filename>,
+    <filename>email-ca-bundle.crt</filename>, or
+    <filename>objsign-ca-bundle.crt</filename> files
+    (the <application>GnuTLS</application> legacy bundles), it must have the
+    appropriate trust arguments.</para>
+
+    <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
+
+    <para>The <filename class="directory">/etc/ssl/local</filename> directory
+    is available to add additional CA certificates to the system. For instance,
+    you might need to add an organization or government CA certificate.
+    Files in this directory must be in the <application>OpenSSL</application>
+    trusted certificate format. To create an <application>OpenSSL</application>
+    trusted certificate from a regular PEM encoded file, you need to add trust
+    arguments to the <command>openssl</command> command, and create a new
+    certificate. For example, using the
+    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
+    trust both for all three roles, the following commands will create
+    appropriate OpenSSL trusted certificates (run as the
+    <systemitem class="username">root</systemitem> user after
+    <xref linkend="wget"/> is installed):</para>
+
+<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
+wget http://www.cacert.org/certs/root.crt &amp;&amp;
+wget http://www.cacert.org/certs/class3.crt &amp;&amp;
+openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
+        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+        > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
+openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
+        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+        > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
+
+    <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
+
+    <para>Occasionally, there may be instances where you don't agree with
+    Mozilla's inclusion of a particular certificate authority. If you'd like
+    to override the default trust of a particular CA, simply create a copy of
+    the existing certificate in
+    <filename class="directory">/etc/ssl/local</filename> with different trust
+    arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
+    file, run the following commands:</para>
+
+<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
+openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
+             -text \
+             -fingerprint 
+             -setalias "Disabled Makebelieve CA Root" \
+             -addreject serverAuth \
+             -addreject emailProtection \
+             -addreject codeSigning \
+       > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
+/usr/sbin/make-ca -r -f</userinput></screen>
 
   </sect2>