Changeset c10fe29

Timestamp:

05/19/2017 06:02:20 AM (7 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

ef30906a

Parents:

5987bf1

Message:

Use real example for cacerts page, remove i18n.sh from systemd.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18741 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs

Files:

• config/profile.xml (modified) (1 diff)
• security/cacerts.xml (modified) (1 diff)

postlfs/config/profile.xml

@@ -336 +336 @@
     </sect3>
 -->
-    <sect3 id="i18n.sh">
+    <sect3 id="i18n.sh" revision="sysv">
+    <!-- This is handled system wide on systemd -->
       <title>/etc/profile.d/i18n.sh</title>
 

postlfs/security/cacerts.xml

@@ -114 +114 @@
     certificate distribution, you need to add trust arguments to the
     <command>openssl</command> command, and create a new certificate. There are
-    three trust types that are recognised by the
+    three trust types that are recognized by the
     <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
-    signing. For example, to allow a certificate to be trusted for both
-    SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use
-    the following commands to create a new trusted certificate that has those
-    trust attributes:</para>
-
-<screen><literal>openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1"     \
-        -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \
-        > MyRootCA-trusted.pem</literal></screen>
-
-    <para>If a trust argument is omitted, the certificate is neither trusted,
-    nor rejected. Clients that use <application>OpenSSL</application> or
-    <application>NSS</application> encountering this certificate will present
-    a warning to the user. Clients using <application>GnuTLS</application>
-    without <application>p11-kit</application> support are not aware of trusted
+    signing. For example, using the
+    <ulink url="http://www.cacert.org/">CAcert</ulink> root, if you want it to
+    be trusted for all three roles, the following commands will create an
+    appropriate OpenSSL trusted certificate:</para>
+
+<screen role="root"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
+wget http://www.cacert.org/certs/root.crt &amp;&amp;
+openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
+        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+        > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen>
+
+    <para>If one of the three trust arguments is omitted, the certificate is
+    neither trusted, nor rejected for that role. Clients that use
+    <application>OpenSSL</application> or <application>NSS</application>
+    encountering this certificate will present a warning to the user. Clients
+    using <application>GnuTLS</application> without
+    <application>p11-kit</application> support are not aware of trusted
     certificates. To include this CA into the ca-bundle.crt (used for
     <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
-    trust.</para> 
+    trust. Additionally, to explicitly disallow a certificate for a particular
+    use, replace the <parameter>-addtrust</parameter> flag with the
+    <parameter>-addreject</parameter> flag.</para> 
 
     <para>To install the various certificate stores, first install the